Refactor miri pointer checks #62081
Merged
Refactor miri pointer checks #62081
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
… one function: memory.check_ptr_access That function also takes care of converting a Scalar to a Pointer, should that be needed. Not all accesses need that though: if the access has size 0, None is returned. Everyone accessing memory based on a Scalar should use this method to get the Pointer they need. All operations on the Allocation work on Pointer inputs and expect all the checks to have happened (and will ICE if the bounds are violated). The operations on Memory work on Scalar inputs and do the checks themselves. The only other public method to check pointers is memory.ptr_may_be_null, which is needed in a few places. With this, we can make all the other methods (tests for a pointer being in-bounds and checking alignment) private helper methods, used to implement the two public methods. That maks the public API surface much easier to use and harder to mis-use. While I am at it, this also removes the assumption that the vtable part of a `dyn Trait`-fat-pointer is a `Pointer` (as opposed to a pointer cast to an integer, stored as raw bits).
…eck for fn allocations
rust-highfive
added
the
S-waiting-on-review
|
The Miri side of this is at rust-lang/miri#787. |
RalfJung
commented
Jun 24, 2019
| // The biggest power of two through which `offset` is divisible. | ||
| let offset_pow2 = 1 << offset.trailing_zeros(); | ||
| err!(AlignmentCheckFailed { | ||
| has: Align::from_bytes(offset_pow2).unwrap(), |
There was a problem hiding this comment.
The old code used offset % align.bytes() as has, but I think that's just wrong. In fact it's not even always a power of 2, so there could be ICEs there.
There was a problem hiding this comment.
Ah yes, here is the ICE (run that in Miri): https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=ff9f736de49ff1a905ba8e512e258904
RalfJung
commented
Jun 24, 2019
oli-obk
approved these changes
Jun 24, 2019
|
r=me with typo nit (multiple occurrences) fixed or not |
|
@bors r=oli-obk |
|
📌 Commit 7e83028 has been approved by |
bors
added
S-waiting-on-bors
bors
added a commit
that referenced
this pull request
Jun 24, 2019
Refactor miri pointer checks Centralize bounds, alignment and NULL checking for memory accesses in one function: `memory.check_ptr_access`. That function also takes care of converting a `Scalar` to a `Pointer`, should that be needed. Not all accesses need that though: if the access has size 0, `None` is returned. Everyone accessing memory based on a `Scalar` should use this method to get the `Pointer` they need. All operations on the `Allocation` work on `Pointer` inputs and expect all the checks to have happened (and will ICE if the bounds are violated). The operations on `Memory` work on `Scalar` inputs and do the checks themselves. The only other public method to check pointers is `memory.ptr_may_be_null`, which is needed in a few places. No need for `check_align` or similar methods. That makes the public API surface much easier to use and harder to mis-use. This should be largely no-functional-change, except that ZST accesses to a "true" pointer that is dangling or out-of-bounds are now considered UB. This is to be conservative wrt. whatever LLVM might be doing. While I am at it, this also removes the assumption that the vtable part of a `dyn Trait`-fat-pointer is a `Pointer` (as opposed to a pointer cast to an integer, stored as raw bits). r? @oli-obk
|
☀️ Test successful - checks-travis, status-appveyor |
rust-highfive
added a commit
to rust-lang-nursery/rust-toolstate
that referenced
this pull request
Jun 24, 2019
Tested on commit rust-lang/rust@7e08576. Direct link to PR: <rust-lang/rust#62081> 💔 miri on windows: test-pass → build-fail (cc @oli-obk @RalfJung @eddyb, @rust-lang/infra). 💔 miri on linux: test-pass → build-fail (cc @oli-obk @RalfJung @eddyb, @rust-lang/infra).
bors
added a commit
to rust-lang/miri
that referenced
this pull request
Jun 24, 2019
adjust for refactored memory pointer checks The Miri side of rust-lang/rust#62081.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Centralize bounds, alignment and NULL checking for memory accesses in one function:
memory.check_ptr_access. That function also takes care of converting aScalarto aPointer, should that be needed. Not all accesses need that though: if the access has size 0,Noneis returned. Everyone accessing memory based on aScalarshould use this method to get thePointerthey need.All operations on the
Allocationwork onPointerinputs and expect all the checks to have happened (and will ICE if the bounds are violated). The operations onMemorywork onScalarinputs and do the checks themselves.The only other public method to check pointers is
memory.ptr_may_be_null, which is needed in a few places. No need forcheck_alignor similar methods. That makes the public API surface much easier to use and harder to mis-use.This should be largely no-functional-change, except that ZST accesses to a "true" pointer that is dangling or out-of-bounds are now considered UB. This is to be conservative wrt. whatever LLVM might be doing.
While I am at it, this also removes the assumption that the vtable part of a
dyn Trait-fat-pointer is aPointer(as opposed to a pointer cast to an integer, stored as raw bits).r? @oli-obk