Added -Z randomize-layout flag #87868
Conversation
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @eddyb (or someone else) soon. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
|
@rustbot label +A-layout +T-compiler |
rustbot
added
A-layout
Kixiron
force-pushed
the
packing-on-the-pounds
branch
from
0f14145
to
c4a15ed
Compare
|
So this makes structs bigger than the size of the sum of their fields? Particularly, this makes structs with a single field bigger than that one field? |
|
I believe that's the intention of the flag, yes. Yes, this would break code
that is incorrectly relying on the layout of repr(Rust) types.
…On Thu, Aug 26, 2021 at 09:09 Lokathor ***@***.***> wrote:
So this makes structs bigger than the size of the sum of their fields?
Particularly, this makes structs with a single field bigger than that one
field?
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#87868 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGLD262YA5AJJVWQ3YLL2LT6Y4IBANCNFSM5BYVL2PQ>
.
|
|
On the one hand yes, on the other hand this flies against the current best estimation of the UCG. I am aware it isn't RFC'd, but I'm not sure that part of field randomization is a good idea even if there's no RFC. |
|
It could be limited to structs with more than 1 non-zst fields of different types. Of course that depends on what exactly the UCG mean by "homogenous structs", which is still an open question. |
|
Primarily I'm mostly concerned about single field structs. People should be able to, in general, trust their newtypes. Like even if you forget to specifically write down repr(transparent), rust has no legitimate reason to break the layout of a single field struct. Secondarily I'm slightly concerned about situations with multi-field structs where this introduces padding bytes that were not present within the struct previously. Re-ordering fields so that the structure doesn't get bigger and have padding bytes added I'm all for, but if there is a Though ultimately this is a debug sort of flag so it's not the end of the world if turning it on makes things go wild, it's better if turning on the flag doesn't trigger UB and make the entire debug attempt pointless because there's UB in the program. |
|
On Thu, Aug 26, 2021 at 10:38 Lokathor ***@***.***> wrote:
Primarily I'm mostly concerned about single field structs
<https://rust-lang.github.io/unsafe-code-guidelines/layout/structs-and-tuples.html#single-field-structs>.
People should be able to, in general, trust their newtypes. Like even if
you forget to specifically write down repr(transparent), rust has no
legitimate reason to break the layout of a single field struct.
Perhaps, perhaps not. What happens if you had a #[repr(Rust)] struct
Foo(u8); on a platform that only has native 32-bit reads (and has to
emulate smaller ones)? It would be more efficient to add 3 padding bytes to
Foo, but if it becomes guaranteed that Foo is layed out like u8, now there
is a potential layout optimization left on the table.
Secondarily I'm slightly concerned about situations with multi-field
structs where this introduces padding bytes that were not present within
the struct previously. Re-ordering fields so that the structure doesn't get
bigger and have padding bytes added I'm all for, but if there is a
Point(i32,i32) people should be able to look at that and assume no
padding in the structure.
Though ultimately this is a debug sort of flag so it's not the end of the
world if turning it on makes things go wild, it's better if turning on the
flag doesn't trigger UB and make the entire debug attempt pointless because
there's UB in the program.
Well, at that point, transmute would error. You could also run the result
through miri, where the UB will be trapped.
… —
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#87868 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGLD23KJRR7SBYCUHQ3EE3T6ZGVNANCNFSM5BYVL2PQ>
.
|
|
Sure, |
|
bytemuck can't be used with repr(Rust) types, can it? Pod requires the type
be repr(C) or repr(transparent) explicitly.
…On Thu, Aug 26, 2021 at 10:57 Lokathor ***@***.***> wrote:
Sure, transmute itself will error, but other forms of transmutation will
not. For example, the most popular crate for safe transmutation abstraction
(bytemuck) doesn't even use the transmute function at all, because that
function doesn't work with generics.
—
You are receiving this because you commented.
Reply to this email directly, view it on GitHub
<#87868 (comment)>, or
unsubscribe
<https://github.com/notifications/unsubscribe-auth/ABGLD24AFSVHTDZZTUQYA5LT6ZI4HANCNFSM5BYVL2PQ>
.
|
|
Yes, that is what's documented in Also, that's just one example to show that My general point is that while some field randomization is probably fine we should not do too much of it and give trouble to people who are living in a gray zone. |
|
Well, the idea behind the flag is to find code that relies on something it shouldn't. It's designed to be opt-in, and I'm sure that someone was transmuting things (not via mem::transmute), and used this flag in conjunction with miri, they'd get a very loud error. |
Kixiron
changed the title
|
@eddyb This is ready for review, compiler-team/#457 was accepted |
This comment has been minimized.
This comment has been minimized.
Kixiron
force-pushed
the
packing-on-the-pounds
branch
from
8c4e116
to
b3c3a3b
Compare
This comment has been minimized.
This comment has been minimized.
Kixiron
force-pushed
the
packing-on-the-pounds
branch
from
b3c3a3b
to
0738a5b
Compare
This comment has been minimized.
This comment has been minimized.
Kixiron
force-pushed
the
packing-on-the-pounds
branch
2 times, most recently
from
34d896d
to
b60afed
Compare
This comment has been minimized.
This comment has been minimized.
Kixiron
force-pushed
the
packing-on-the-pounds
branch
from
b60afed
to
8b23a68
Compare
Kixiron
force-pushed
the
packing-on-the-pounds
branch
from
8b23a68
to
09f1542
Compare
|
Under the assumption that the MCP (rust-lang/compiler-team#457) was enough: |
|
📌 Commit 09f1542 has been approved by |
bors
added
S-waiting-on-bors
Added -Z randomize-layout flag An implementation of rust-lang#77316, it currently randomly shuffles the fields of `repr(rust)` types based on their `DefPathHash` r? `@eddyb`
…arth Rollup of 6 pull requests Successful merges: - rust-lang#87868 (Added -Z randomize-layout flag) - rust-lang#88820 (Add `pie` as another `relocation-model` value) - rust-lang#89029 (feat(rustc_parse): recover from pre-RFC-2000 const generics syntax) - rust-lang#89322 (Reapply "Remove optimization_fuel_crate from Session") - rust-lang#89340 (Improve error message for `printf`-style format strings) - rust-lang#89415 (Correct caller/callsite confusion in inliner message) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
An implementation of #77316, it currently randomly shuffles the fields of
repr(rust)types based on theirDefPathHashr? @eddyb