-
Notifications
You must be signed in to change notification settings - Fork 349
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Leak checker misses pointers cast to integer #1318
Comments
For the Windows For crossbeam, it turns out the pointer is not just cast to an integer, it also has its last bits repurposed to store some flags. So, even if we do the above, we are still going to lose the provenance. I would say trying to preserve provenance across these bitwise operations is conceptually just not the kind of semantics that Miri should give to Rust. It's also a game of whack-a-mole to get ever more effective at preserving provenance -- a game that the proper support for ptr-int-casts that we have now is supposed to just end, so I do not have a big interest in re-opening that game. Another option might be to expect libraries that pull such tricks (storing the pointers that keep an allocation live without provenance) to give us some extra hints, via some Miri-specific instrumentation/intrinsics or so. (I recall @oli-obk proposed such operations a while ago for a different purpose and I found the idea quite disgusting. ;) However, the code doing the casting might not even be aware that it is working on data stored in a global static, so it is unclear how such an API could even look like. Cc @jonhoo |
I think if there were annotations libraries like crossbeam could give to miri to get tracking to work in these situations, they would be happy to add those :) At least I would be! |
…until stabilization
* Hello transactional memory * Lever version update * Seems like rust-lang/miri#1318 is not ready yet. Disable leak checks until stabilization * disable leak checks for all of the tests
Some time later, I don't think we have a proposal on the table that is better than asking the library for help. I am imagining an intrinsic like What I am not sure about is if the intrinsic should require the pointer to point to the beginning of the allocation -- I think for now I'd like to be as restrictive as possible and make this requirement. |
We don't even need to burden rustc with an intrinsic. We can just use an #[cfg(miri)]
extern "C" { fn miri_ignore_leak_root(ptr: usize); }
#[cfg(miri)]
unsafe { miri_ignore_leak_root(some_ptr as usize); }
I agree, we can emit a nice error stating the offset required to obtain a root pointer in order to help users quickly adjust their code to work without having to figure out an earlier site for obtaining the pointer. If we feel really fancy we can make the leak checker emit a note at the first ptr2intcast site |
Oh wow.^^ Now I wonder if we should have used that for I'd make the type a pointer type though, not |
#1485 provides a solution to this: programs can call the @jonhoo if you could experiment with using that in crossbeam, that would be amazing. :) |
@RalfJung That's exciting! Unfortunately I'm pretty swamped these days, but I posted a comment over in crossbeam-rs/crossbeam#464 (comment) to see if I could pique some interest. |
Miri: use extern fn to expose interpreter operations to program; fix leak checker on Windows This PR realizes an idea that @oli-obk has been suggesting for a while: to use Miri-specific `extern` functions to provide some extra capabilities to the program. Initially, we have two of these methods, which libstd itself needs: * `miri_start_panic`, which replaces the intrinsic of the same name (mostly for consistency, to avoid having multiple mechanisms for Miri-specific functionality). * `miri_static_root`, which adds an allocation to a list of static "roots" that Miri considers as not having leaked (including all memory reachable through them). This is needed for rust-lang/miri#1302. We use `extern` functions instead of intrinsics for this so that user code can more easily call these Miri hoolks -- e.g. `miri_static_root` should be useful for rust-lang/miri#1318. The Miri side of this is at rust-lang/miri#1485. r? @oli-obk
Miri: use extern fn to expose interpreter operations to program; fix leak checker on Windows This PR realizes an idea that @oli-obk has been suggesting for a while: to use Miri-specific `extern` functions to provide some extra capabilities to the program. Initially, we have two of these methods, which libstd itself needs: * `miri_start_panic`, which replaces the intrinsic of the same name (mostly for consistency, to avoid having multiple mechanisms for Miri-specific functionality). * `miri_static_root`, which adds an allocation to a list of static "roots" that Miri considers as not having leaked (including all memory reachable through them). This is needed for rust-lang/miri#1302. We use `extern` functions instead of intrinsics for this so that user code can more easily call these Miri hoolks -- e.g. `miri_static_root` should be useful for rust-lang/miri#1318. The Miri side of this is at rust-lang/miri#1485. r? @oli-obk
I'm working on triaging errors running crossbeam's test suite in Miri. For a typical leak report when using crossbeam-epoch, the only leaking allocations are for two different kinds of linked lists held by the global garbage collection context. Both of these data structures use If I understand correctly, calling My other ideas, to avoid false negatives:
|
Correct.
Such a mechanism already exists (at least per-thread) since Miri implements TLS dtors run on thread exit. |
The leak checker considers allocations live when they can still be reached from a
static
. However, this scan can only consider pointers that are still stored as pointer values (with provenance), not pointers cast to an integer (where provenance is lost).This causes false positives, at least, for
Mutex
(Enable leak checker on Windows #1302)AtomicPtr
The text was updated successfully, but these errors were encountered: