tcpdump mailing list archives

Bug in libpcap filter optimizator (optimize.c)


From: "Gianluca Varenni" <gianluca.varenni () cacetech com>
Date: Tue, 12 Jun 2007 11:57:59 -0700

Guys,

it looks like the optimizer for the BPF compiler has a bug and removes some needed LD instructions. This happens on the HEAD and 0.9.x branches (I tested it with optimize.c 1.87 and 1.85.2.1 as well as older versions).

Details
Linktype: DLT_802_11_RADIO (802.11 + radiotap) or DLT_802_11
Filter: "wlan src addr 1:2:3:4:5:6"

The following BPF dumps are generated with DLT_802_11; in the radiotap case the difference is that instead of being immediate loads from the packets (LD[0]), the index register X is used (LD[x+0]).

Un-optimized code

(000) ldb      [0]
(001) jset     #0x4             jt 31   jf 2
(002) ldb      [0]
(003) jset     #0x8             jt 8    jf 4
(004) ld       [12]
(005) jeq      #0x3040506       jt 6    jf 8
(006) ldh      [10]
(007) jeq      #0x102           jt 30   jf 8
(008) ldb      [1]
(009) jset     #0x8             jt 10   jf 31
(010) ldb      [1]
(011) jset     #0x2             jt 16   jf 12
(012) ld       [12]
(013) jeq      #0x3040506       jt 14   jf 16
(014) ldh      [10]
(015) jeq      #0x102           jt 30   jf 16
(016) ldb      [1]
(017) jset     #0x2             jt 18   jf 31
(018) ldb      [1]
(019) jset     #0x1             jt 24   jf 20
(020) ld       [18]
(021) jeq      #0x3040506       jt 22   jf 24
(022) ldh      [16]
(023) jeq      #0x102           jt 30   jf 24
(024) ldb      [1]
(025) jset     #0x1             jt 26   jf 31
(026) ld       [26]
(027) jeq      #0x3040506       jt 28   jf 31
(028) ldh      [24]
(029) jeq      #0x102           jt 30   jf 31
(030) ret      #96
(031) ret      #0

Optimized code
(000) ldb      [0]
(001) jset     #0x4             jt 23   jf 2
(002) jset     #0x8             jt 7    jf 3
(003) ld       [12]
(004) jeq      #0x3040506       jt 5    jf 7
(005) ldh      [10]
(006) jeq      #0x102           jt 22   jf 7
(007) jset     #0x8             jt 8    jf 23  <-- WRONG
(008) jset     #0x2             jt 9    jf 18  <-- WRONG
(009) jset     #0x1             jt 10   jf 14
(010) ld       [26]
(011) jeq      #0x3040506       jt 12   jf 23
(012) ldh      [24]
(013) jeq      #0x102           jt 22   jf 23
(014) ld       [18]
(015) jeq      #0x3040506       jt 16   jf 23
(016) ldh      [16]
(017) jeq      #0x102           jt 22   jf 23
(018) ld       [12]
(019) jeq      #0x3040506       jt 20   jf 23
(020) ldh      [10]
(021) jeq      #0x102           jt 22   jf 23
(022) ret      #96
(023) ret      #0

If instruction (007) is reached from instruction (006), the accumulator contains the value read in (005), that is packet[10] (2 bytes). The optimizer is clearly removing a "ldb [1]" before the jset at (007). In the un-optimized code the ldb [1] instruction is (008) and it's repeated at (010), (016), (018).

I have no idea where this optimization takes place :-(.

Anyone willing to help?

Have a nice day
GV
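A way to check the report mechanically, as an added example that is not from the original post or from libpcap: a small Python interpreter runs both dumps above over a constructed 802.11 management frame and shows the two verdicts diverging on exactly the (006)->(007) edge described. The compact instruction encoding, the `parse`/`run`/`mgmt_frame` helpers and the frame layout are my own assumptions.

```python
import struct

def parse(listing):
    # Compact "op k [jt jf]" listing, ';'-separated; jt/jf are absolute, as bpf_dump prints them.
    prog = []
    for ins in listing.split(";"):
        op, *nums = ins.split()
        k, *targets = [int(n, 0) for n in nums]
        prog.append((op, k, *(targets or (0, 0))))
    return prog

UNOPT = parse(
    "ldb 0;jset 4 31 2;ldb 0;jset 8 8 4;ld 12;jeq 0x3040506 6 8;ldh 10;jeq 0x102 30 8;"
    "ldb 1;jset 8 10 31;ldb 1;jset 2 16 12;ld 12;jeq 0x3040506 14 16;ldh 10;jeq 0x102 30 16;"
    "ldb 1;jset 2 18 31;ldb 1;jset 1 24 20;ld 18;jeq 0x3040506 22 24;ldh 16;jeq 0x102 30 24;"
    "ldb 1;jset 1 26 31;ld 26;jeq 0x3040506 28 31;ldh 24;jeq 0x102 30 31;ret 96;ret 0")
OPT = parse(
    "ldb 0;jset 4 23 2;jset 8 7 3;ld 12;jeq 0x3040506 5 7;ldh 10;jeq 0x102 22 7;"
    "jset 8 8 23;jset 2 9 18;jset 1 10 14;ld 26;jeq 0x3040506 12 23;ldh 24;jeq 0x102 22 23;"
    "ld 18;jeq 0x3040506 16 23;ldh 16;jeq 0x102 22 23;ld 12;jeq 0x3040506 20 23;ldh 10;"
    "jeq 0x102 22 23;ret 96;ret 0")

def run(prog, pkt):
    # Interpret the BPF subset the dumps use (big-endian loads, jset, jeq, ret); return the verdict.
    loads = {"ldb": (1, ">B"), "ldh": (2, ">H"), "ld": (4, ">I")}
    acc, pc = 0, 0
    while True:
        op, k, jt, jf = prog[pc]
        if op in loads:
            size, fmt = loads[op]
            if k + size > len(pkt):
                return 0  # an out-of-range load makes BPF reject the packet
            acc = struct.unpack(fmt, pkt[k:k + size])[0]
            pc += 1
        elif op == "jset":
            pc = jt if acc & k else jf
        elif op == "jeq":
            pc = jt if acc == k else jf
        else:
            return k  # ret

def mgmt_frame(fc1, addr2, body):
    # Constructed 32-byte management frame: FC bytes 0x80,fc1; addr2 at offset 10; body at 24.
    return bytes([0x80, fc1, 0, 0]) + bytes(6) + addr2 + bytes(8) + body + bytes(2)

SA = bytes.fromhex("010203040506")
GOOD = mgmt_frame(0x00, SA, bytes(6))      # addr2 really is 1:2:3:4:5:6: both programs return 96
# addr2 00:0b:03:04:05:06 passes the ld [12] compare but fails the ldh [10] one, so the optimized
# (007) jset sees 0x000b (bit 0x8 set) instead of packet[1] and strays into the offset-24 test.
BAD = mgmt_frame(0x00, bytes.fromhex("000b03040506"), SA)   # run(UNOPT, BAD) == 0, run(OPT, BAD) == 96
```

Feeding both programs the same constructed packets is the cheapest regression check for an optimizer change: any packet on which `run(UNOPT, pkt)` and `run(OPT, pkt)` disagree is a miscompilation.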
