[Winpcap-users] adding an outstanding performance optimization to the JIT filter

Gianluca Varenni gianluca.varenni at cacetech.com
Wed May 28 17:49:04 GMT 2008


----- Original Message ----- 
From: "Sebastian Gottschalk" <seppig_relay at gmx.de>
To: <winpcap-users at winpcap.org>
Sent: Sunday, May 25, 2008 12:26 AM
Subject: [Winpcap-users] adding an outstanding performance optimization to the JIT filter


> Hello there.
>
> In the JIT filter source, it mentions that MOV reg,0 should be replaced
> with XOR reg,reg - so I simply implemented this. I also added the TEST
> instruction, which is much more efficient than CMP if one only wants to
> check for (in)equality, also a TEST against an immediate of zero can be
> replaced by a test against the register itself.
>
> Here's the diff:
>
> --- jitter.h ---
> /// xor dr32,sr32
> #define XORrd(dr32, sr32) \
> emitm(&stream, 0x33, 1); \
> emitm(&stream, 3 << 6 | (dr32 & 0x7) << 3 | (sr32 & 0x7), 1);
>
> /// test dr32, sr32
> #define TESTrd(dr32, sr32) \
>    emitm(&stream, 0x85, 1); \
>    emitm(&stream,  3 << 6 | (dr32 & 0x7) << 3 | sr32 & 0x7, 1);
>
> /// test dr32, i32
>
> #define TESTid(dr32, i32) \
>    if (dr32 == EAX){ \
>    emitm(&stream, 0xa9, 1); \
>    emitm(&stream,  i32, 4);} \
>    else{ \
>    emitm(&stream, 0x85, 1); \
>    emitm(&stream,  0x1c << 3 | (dr32 & 0x7), 1);\
>    emitm(&stream,  i32, 4);}
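Review bot: In TESTid, the non-EAX branch emits opcode 0x85 followed by a ModRM byte of 0x1c << 3 | (dr32 & 0x7) and a 4-byte immediate, but 0x85 is the register-to-register form (the one TESTrd uses) and takes no immediate, so the four i32 bytes would be decoded as the following instructions. The immediate form of TEST on a 32-bit register is opcode 0xF7 with ModRM 0xC0 | (dr32 & 0x7). Separately, each macro expands to several statements (TESTid to a bare if/else), so wrapping them in do { ... } while (0), and parenthesising sr32 & 0x7 in TESTrd the way XORrd does, would keep them safe inside an unbraced if.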
>
> ------
>
> jitter.c:
>
> @@ -389 +389 @@
> - CMPid(EAX, ins->k)
> + TESTid(EAX, ins->k)
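Review bot: TESTid(EAX, ins->k) at line 389 is not equivalent to the CMPid it replaces unless ins->k is 0. CMP sets ZF when EAX == k, while TEST sets ZF when (EAX & k) == 0, so any branch that relies on ZF meaning equality goes the wrong way for most values (EAX = k = 0x800 gives ZF=1 under CMP and ZF=0 under TEST). Keep CMPid here, or special-case k == 0 at JIT time and emit TESTrd(EAX, EAX) only then.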
> @@ -421 +421 @@
> - CMPrd(EAX, EDX)
> + TESTrd(EAX, EDX)
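Review bot: TESTrd(EAX, EDX) at line 421 ANDs the two registers where CMPrd subtracts them, so ZF no longer means "equal": EAX = 1, EDX = 2 sets ZF although the values differ, and EAX = EDX = 5 clears it although they match. CMPrd(EAX, EDX) should stay.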
> @@ -457 +457 @@
> - CMPid(EDX, 0)
> + TESTid(EDX, EDX)
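Review bot: Line 457 passes a register where the macro expects an immediate: TESTid(EDX, EDX) emits the immediate form with the numeric value of the EDX constant as i32 instead of testing EDX against itself. The replacement for CMPid(EDX, 0) that the description asks for is TESTrd(EDX, EDX), which sets ZF exactly when EDX is 0.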
>
> ------
>
> jitter.c:
>
> s/MOVid\(EAX,0//XORrd(EAX,EAX/g
> s/MOVid\(EDX,0//XORrd(EDX,EDX/g
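Review bot: The blanket MOVid to XORrd substitution ignores that XOR rewrites the flags while MOV leaves them untouched, so each replaced site needs a check that no conditional jump after it depends on flags set before it. The expressions also need fixing before they can be run: there is an extra / between pattern and replacement, \( opens a group in basic sed syntax rather than matching a parenthesis, and with no closing parenthesis in the pattern a MOVid call whose constant merely starts with 0 (0x10, say) would be rewritten too.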
>
> Could someone verify this for correctness?
>

I will do that in the next weeks. Have you tried it yourself by running the 
modified driver against some known filters and packet sets (e.g. capturing 
with and without a JITted filter and checking that the filtered packets are 
the correct ones)?

>
> I also have a question: Where does the filter execution routine check for
> DIVISION_THROUGH_ZERO exceptions, and how could we possibly help with
> non-conditional backward jumps? After all, a malicious filter program might
> crash the system!
>

DIVISION_THROUGH_ZERO:
In case of BPF_DIV|BPF_X, there is a check (both in the JITted code and in 
the bpf_filter()/bpf_filter_with_2_buffers()) against a 0 divisor.
In case of BPF_DIV|BPF_K, the constant K (which is the divisor) is checked 
to be != 0 when the BPF code is verified, in the bpf_validate() function. If 
K is 0, the filter is rejected.

non-conditional backward jumps:
Again, this is verified in bpf_validate().

Have a nice day
GV


>
> Greetings,
> Sebastian Gottschalk
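
The load-time checks described in the reply above, as an added sketch in C (not WinPcap's bpf_validate() and not code from this thread): it rejects a constant zero divisor and any jump whose target is not a later instruction inside the program. The struct layout and opcode values assume the classic BPF encoding; validate_sketch and struct insn are names made up for this example.

```c
/* Added sketch, not WinPcap source. Assumes the classic BPF instruction
 * layout, where jump offsets are unsigned and relative to the next
 * instruction, so an accepted program can only move forward. */
#include <stddef.h>
#include <stdint.h>

struct insn { uint16_t code; uint8_t jt, jf; uint32_t k; };

#define BPF_CLASS(c) ((c) & 0x07)
#define BPF_OP(c)    ((c) & 0xf0)
#define BPF_SRC(c)   ((c) & 0x08)
#define BPF_ALU 0x04
#define BPF_JMP 0x05
#define BPF_RET 0x06
#define BPF_DIV 0x30
#define BPF_JA  0x00
#define BPF_K   0x00

/* Returns 1 if the program may be loaded, 0 if it must be rejected. */
int validate_sketch(const struct insn *p, uint32_t len)
{
    uint32_t i;

    if (p == NULL || len == 0)
        return 0;
    for (i = 0; i < len; i++) {
        uint32_t room = len - (i + 1);  /* instructions after this one */

        switch (BPF_CLASS(p[i].code)) {
        case BPF_ALU:
            /* Constant divisor: zero is refused before the filter ever runs.
             * A register divisor (BPF_X) can only be checked at run time. */
            if (BPF_OP(p[i].code) == BPF_DIV &&
                BPF_SRC(p[i].code) == BPF_K && p[i].k == 0)
                return 0;
            break;
        case BPF_JMP:
            if (BPF_OP(p[i].code) == BPF_JA) {
                /* k is unsigned: a "negative" offset appears as a huge value. */
                if (p[i].k >= room)
                    return 0;
            } else if ((uint32_t)p[i].jt >= room || (uint32_t)p[i].jf >= room) {
                return 0;
            }
            break;
        }
    }
    /* The last instruction must return, so execution cannot run off the end. */
    return BPF_CLASS(p[len - 1].code) == BPF_RET;
}
```

Because every accepted jump lands strictly after the current instruction and the program ends in a return, an accepted filter executes at most len instructions.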