-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Refactor validate_scalar
to take advantage of type information
#53826
Comments
(which is for
Not exactly. First we have to do
Also figure out a way to maybe not do redundant checks... For example, currently I think we have the invariant that the layout only can get more permissive as we descend into fields, right? (@eddyb) |
Can I take this up (Because it has an E-mentor Tab 😄 )? |
sure! As a first step I think it would be prudent to split the function into a As a second step you can then make the outer function do a match on the type instead of the two matches that are now inside the ptr/bits functions. |
I think we should dispatch on the type first, not on the value. We want to validate the value, and hence not use it to decide which codepath to take. |
The refactoring is easier if you have a function to call for specific values instead of having to do both refactorings at once. At some point you'll want to execute the bits checking code or the ptr checking code. And these points will be in separate match arms in the type match. |
Not sure what you mean, but the "specific value" is a This is essentially implementing the validity invariant (and then some more stuff for const safety, but that's most a detail), which is primarily a type-based property. Ideally, the code is readable as almost a definition of validity. Any deviation from an outermost match on the type will make it less readable. I begrudgingly accepted However, for bits vs. pointers, I just see no good reason to deviate even further from what I see as the ideal structure. What do we get for this loss in readability? All the types that require bits just call |
I'm afraid I already did this as part of an upcoming PR, because I needed to change validation somewhat anyway... sorry @shivanth :/ |
Prepare miri engine for enforcing validity invariant during execution In particular, make recursive checking of references optional, and add a `const_mode` parameter that says whether `usize` is allowed to contain a pointer. Also refactor validation a bit to be type-driven at the "leafs" (primitive types), and separately validate scalar layout to catch `NonNull` violations (which it did not properly validate before). Fixes #53826 Also fixes #54751 r? @oli-obk
Prepare miri engine for enforcing validity invariant during execution In particular, make recursive checking of references optional, and add a `const_mode` parameter that says whether `usize` is allowed to contain a pointer. Also refactor validation a bit to be type-driven at the "leafs" (primitive types), and separately validate scalar layout to catch `NonNull` violations (which it did not properly validate before). Fixes #53826 Also fixes #54751 r? @oli-obk
Currently we have no way of detecting that
is UB (an integer is not a valid safe address at compile-time as you can safely dereference it in another constant and then you'd get an error and UB if done at runtime.
The basic idea is to take the function at
rust/src/librustc_mir/interpret/validity.rs
Line 99 in 0e98621
validate_scalar_by_type
which first matches on the scalar's type and then decides how to operate on itty::Ref
can just useto_ptr()
on the value and convert the error into avalidation_failure!
error (see how this is done elsewhere in the same file)validate_scalar_by_layout
which pretty much does everything else that the currentvalidate_scalar
does, minus the type checks and pointer recursion.validate_scalar_by_layout
on every scalar (maybe here?), and not just on leaf fields. This is necessary to catchconst FOO: NonZeroU8 = unsafe { NonZeroU8::new_unchecked(0) };
because right now we're just checking the field ofNonZeroU8
, which isu8
and thus fine to be0
.cc @RalfJung
The text was updated successfully, but these errors were encountered: