From a9259fb7c7f9f6138b6b774679295084f18a24a3 Mon Sep 17 00:00:00 2001
From: Mark Rousskov
Date: Mon, 2 Mar 2020 19:28:18 -0500
Subject: [PATCH] Try to ensure usize marker does not get merged
---
 src/libcore/fmt/mod.rs | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)
diff --git a/src/libcore/fmt/mod.rs b/src/libcore/fmt/mod.rs
index 993b1073493e9..a9dd098ab0f53 100644
--- a/src/libcore/fmt/mod.rs
+++ b/src/libcore/fmt/mod.rs
@@ -264,8 +264,18 @@ pub struct ArgumentV1<'a> {
 // could have been miscompiled. In practice, we never call as_usize on non-usize
 // containing data (as a matter of static generation of the formatting
 // arguments), so this is merely an additional check.
+//
+// We primarily want to ensure that the function pointer at `USIZE_MARKER` has
+// an address corresponding *only* to functions that also take `&usize` as their
+// first argument. The read_volatile here ensures that we can safely ready out a
+// usize from the passed reference and that this address does not point at a
+// non-usize taking function.
 #[unstable(feature = "fmt_internals", reason = "internal to format_args!", issue = "none")]
-static USIZE_MARKER: fn(&usize, &mut Formatter<'_>) -> Result = |_, _| loop {};
+static USIZE_MARKER: fn(&usize, &mut Formatter<'_>) -> Result = |ptr, _| {
+ // SAFETY: ptr is a reference
+ let _v: usize = unsafe { crate::ptr::read_volatile(ptr) };
+ loop {}
+};
 impl<'a> ArgumentV1<'a> {
 #[doc(hidden)]
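Review bot: The new `// SAFETY: ptr is a reference` comment on the `read_volatile` call does not state the invariant being relied on; I would write `// SAFETY: ptr is a valid, aligned &usize, so reading one usize through it is in bounds` and say in the block comment above that the read exists only to keep this closure's body distinct from functions taking a non-usize argument. The added block comment also has a typo: "safely ready out" should be "safely read out". Function-pointer addresses are not guaranteed to be unique, so this is best-effort, as the subject's "Try to" concedes. The comment should therefore say that the address comparison in `as_usize`, which is outside this hunk, must stay a secondary check and never be the only thing between a non-usize argument and a usize-sized read.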