Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[ptr] Fix soundness hole in "at least" invariants #909

Merged
merged 1 commit into from
Feb 18, 2024

Conversation

joshlf
Copy link
Member

@joshlf joshlf commented Feb 18, 2024

Previously, we spuriously implemented at_least::Initialized for the Valid invariant, which is unsound. This was introduced because, prior to the introduction of the Initialized invariant, all invariants were monotonic - when defined in the proper order, every invariant was at least as strict as all preceding invariants. Thus, the define_system! macro we use to define a system of invariants automatically emitted the appropriate impls based on this monotonicity assumption. Initialized broke this assumption, but we didn't update the macro to match.

This commit changes the define_system! macro to require the caller to explicitly define the "at least" relation. It also adds a test to prevent regressions.

As a consequence of making the "at least" relation explicit, we remove the at_least::Initialized trait, since this trait would have no non-trivial implementations.

Previously, we spuriously implemented `at_least::Initialized` for the
`Valid` invariant, which is unsound. This was introduced because, prior
to the introduction of the `Initialized` invariant, all invariants were
monotonic - when defined in the proper order, every invariant was at
least as strict as all preceding invariants. Thus, the `define_system!`
macro we use to define a system of invariants automatically emitted the
appropriate impls based on this monotonicity assumption. `Initialized`
broke this assumption, but we didn't update the macro to match.

This commit changes the `define_system!` macro to require the caller to
explicitly define the "at least" relation. It also adds a test to
prevent regressions.

As a consequence of making the "at least" relation explicit, we remove
the `at_least::Initialized` trait, since this trait would have no
non-trivial implementations.
@joshlf joshlf requested a review from jswrenn February 18, 2024 18:34
@joshlf joshlf enabled auto-merge February 18, 2024 18:34
@joshlf joshlf mentioned this pull request Feb 18, 2024
87 tasks
@joshlf joshlf added this pull request to the merge queue Feb 18, 2024
Merged via the queue into main with commit 449eaff Feb 18, 2024
209 checks passed
@joshlf joshlf deleted the pointer-at-least-soundness branch February 18, 2024 18:50
dorryspears pushed a commit to dorryspears/zerocopy that referenced this pull request Feb 20, 2024
Previously, we spuriously implemented `at_least::Initialized` for the
`Valid` invariant, which is unsound. This was introduced because, prior
to the introduction of the `Initialized` invariant, all invariants were
monotonic - when defined in the proper order, every invariant was at
least as strict as all preceding invariants. Thus, the `define_system!`
macro we use to define a system of invariants automatically emitted the
appropriate impls based on this monotonicity assumption. `Initialized`
broke this assumption, but we didn't update the macro to match.

This commit changes the `define_system!` macro to require the caller to
explicitly define the "at least" relation. It also adds a test to
prevent regressions.

As a consequence of making the "at least" relation explicit, we remove
the `at_least::Initialized` trait, since this trait would have no
non-trivial implementations.
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants