Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Ensure SMIR internal function is safe #120120

Closed
wants to merge 1 commit into from
Closed

Ensure SMIR internal function is safe #120120

wants to merge 1 commit into from

Conversation

celinval
Copy link
Contributor

@celinval celinval commented Jan 19, 2024
edited
Loading

The rustc_smir::rustc_internal::internal function was unsound. It could cause UB in rare cases where the user inadvertently stored the returned object in a location that could outlive the TyCtxt.

In order to make it safe, we now take a type context as an argument to the internal function, and we ensure that interned items are lifted using the provided context.

Thus, this change ensures that the compiler can properly enforce that the object does not outlive the type context it was lifted to.

Call-outs

  1. I added a Lift implementation to Layout since it is directly interned, but it didn't have a Lift implementation.
  2. To be on the safe side, I think we will need to make a similar change to the code that stores objects with 'tcx lifetime into tables. In cases where the code is reachable via stable() function call, there is no guarantee that tables won't outlive the object being stored.

r? @oli-obk

@celinval
Ensure internal function is safe
782167e 
The internal function was unsound, it could cause UB in rare cases where
the user inadvertly stored the returned object in a location that could
outlive the TyCtxt.

In order to make it safe, we now take a type context as an argument to
the internal fn, and we ensure that interned items are lifted using the
provided context.

Thus, this change ensures that the compiler can properly enforce
that the object does not outlive the type context it was lifted to.
@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Jan 19, 2024
@celinval
Copy link
Contributor Author

@bjorn3 can you please see if that makes sense? Thanks!

@oli-obk oli-obk mentioned this pull request Jan 19, 2024
Merged
@celinval celinval closed this Jan 21, 2024
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this pull request Jan 21, 2024
@matthiaskrgr
Rollup merge of rust-lang#120128 - oli-obk:smir_internal_lift, r=celi…
3f10dc7 
…nval

Make stable_mir::with_tables sound

See the first commit for the actual soundness fix. The rest is just fallout from that and is entirely safe code. Includes most of rust-lang#120120

The major difference to rust-lang#120120 is that we don't need an unsafe trait, as we can now rely on the type system (the only unsafe part, and the actual source of the unsoundness was in `with_tables`)

r? `@celinval`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this pull request Jan 21, 2024
@matthiaskrgr
Rollup merge of rust-lang#120128 - oli-obk:smir_internal_lift, r=celi…
a72d6c1 
…nval

Make stable_mir::with_tables sound

See the first commit for the actual soundness fix. The rest is just fallout from that and is entirely safe code. Includes most of rust-lang#120120

The major difference to rust-lang#120120 is that we don't need an unsafe trait, as we can now rely on the type system (the only unsafe part, and the actual source of the unsoundness was in `with_tables`)

r? `@celinval`
rust-timer added a commit to rust-lang-ci/rust that referenced this pull request Jan 22, 2024
@rust-timer
Unrolled build for rust-lang#120128
4444a10 
Rollup merge of rust-lang#120128 - oli-obk:smir_internal_lift, r=celinval

Make stable_mir::with_tables sound

See the first commit for the actual soundness fix. The rest is just fallout from that and is entirely safe code. Includes most of rust-lang#120120

The major difference to rust-lang#120120 is that we don't need an unsafe trait, as we can now rely on the type system (the only unsafe part, and the actual source of the unsoundness was in `with_tables`)

r? `@celinval`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@oli-obk oli-obk

Labels
S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@celinval @oli-obk @rustbot