Validation: check raw wide pointer metadata #63880
Conversation
So https://doc.rust-lang.org/std/ptr/fn.slice_from_raw_parts.html is wrong? It's a safe function allowing the construction of such invalid slices. It can also be done safely on stable:
Did anything change in that regard?
Looks like @eddyb was the only one who even knew that we require wide raw ptr metadata to be valid.^^ Nobody in #60667 and rust-lang/unsafe-code-guidelines#166 knew.
For this PR, we could (for now) say the fact that this cast is allowed is a bug, and wait until #63851 / rust-lang/unsafe-code-guidelines#166 are resolved. That would match the UB lists in the Nomicon / Reference. Or we do the slice length check not for raw pointers. That would make the UB documentation more messy. Or we declare the slice length to be just part of the safety invariant of slices so that there is nothing to check, keeping UB simpler.
ty::Slice(ty) => self.ecx.layout_of(ty)?.size,
_ => bug!("It cannot be another type"),
};
if elem_size.checked_mul(len, &*self.ecx.tcx).is_none() {
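Review bot: the `_ => bug!("It cannot be another type")` arm gives no information about which type reached it, so an ICE here would be hard to diagnose; consider binding the type instead of discarding it with `_` and naming it in the message, e.g. `ty => bug!("unexpected unsized tail type {:?}", ty)`. The `checked_mul(...).is_none()` guard that follows is the slice-length check the discussion is about; since the thread later notes it was removed from this PR, the accompanying UB documentation should say which of the three options (bug, raw-pointer exemption, or safety invariant) was chosen.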
(offtopic) @oli-obk why doesn't `TyCtxtAt` just implement the right traits to not require all of these `&*` in miri?
@oli-obk I removed the new slice length check.
@bors r+
📌 Commit 04580b6 has been approved by
Hm actually I cannot get it to ICE...

```rust
use std::slice;
use std::usize;

fn main() {
    unsafe {
        // One heap byte, but a slice claiming usize::MAX elements.
        let ptr = Box::into_raw(Box::new(0u8));
        let _x = slice::from_raw_parts(ptr, usize::MAX);
    }
}
```
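To make the slice-length rule under discussion concrete, here is an added example (not code from this PR or from rustc/Miri) of the check a validator or a defensive wrapper performs before a `(ptr, len)` pair is turned into a `&[T]`: the byte size `size_of::<T>() * len` must not overflow and must stay within `isize::MAX`, and the data pointer must be non-null and aligned. The names `slice_byte_len_ok` and `checked_from_raw_parts` are hypothetical.

```rust
use std::mem::{align_of, size_of};
use std::slice;

/// Largest byte span a slice may cover: Rust's pointer-offset rules assume
/// no allocation exceeds `isize::MAX` bytes.
const MAX_SLICE_BYTES: usize = isize::MAX as usize;

/// Does `len` elements of `elem_size` bytes each form a representable slice?
/// Mirrors the `elem_size * len` overflow check discussed above, plus the
/// `isize::MAX` bound. Zero-sized elements are fine at any length.
pub fn slice_byte_len_ok(elem_size: usize, len: usize) -> bool {
    match elem_size.checked_mul(len) {
        Some(bytes) => bytes <= MAX_SLICE_BYTES,
        None => false,
    }
}

/// Guarded counterpart of `slice::from_raw_parts` (hypothetical helper): it
/// refuses the metadata a validator would flag (null or misaligned data
/// pointer, or a length whose byte size is too large) and returns `None`
/// instead of producing an invalid reference.
///
/// # Safety
/// When the checks pass, the caller still guarantees that `data` points to
/// `len` initialised `T`s that stay valid and unaliased for `'a`.
pub unsafe fn checked_from_raw_parts<'a, T>(data: *const T, len: usize) -> Option<&'a [T]> {
    if data.is_null() || (data as usize) % align_of::<T>() != 0 {
        return None;
    }
    if !slice_byte_len_ok(size_of::<T>(), len) {
        return None;
    }
    Some(slice::from_raw_parts(data, len))
}

fn main() {
    // Constructed input: one byte on the heap, as in the snippet above.
    let boxed = Box::new(0u8);
    let ptr: *const u8 = &*boxed;
    let ok = unsafe { checked_from_raw_parts(ptr, 1) };
    println!("len 1 accepted: {}", ok.is_some());
    let bad = unsafe { checked_from_raw_parts(ptr, usize::MAX) };
    println!("len usize::MAX accepted: {}", bad.is_some());
}
```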
rust/src/librustc_target/abi/mod.rs Lines 341 to 360 in 7e0afda
@eddyb is that deliberate? EDIT: Never mind, that's
Oh, I will remove the last commit here and make that a new PR.
@bors r=oli-obk
📌 Commit 04580b6 has been approved by
Validation: check raw wide pointer metadata While I was at it, I also added a missing check for slices not to be too big. r? @oli-obk Fixes rust-lang/miri#918
Rollup of 7 pull requests Successful merges: - #63867 (resolve: Block expansion of a derive container until all its derives are resolved) - #63880 (Validation: check raw wide pointer metadata) - #63914 (ty: use Align for ReprOptions pack and align.) - #63941 (rustbuild: allow disabling deny(warnings) for bootstrap) - #63949 (Fix build src/libtest) - #63984 (Update rust-installer to limit memory use) - #63992 (Small improvement for Ord implementation of integers) Failed merges: r? @ghost
☔ The latest upstream changes (presumably #63998) made this pull request unmergeable. Please resolve the merge conflicts.
test for invalid wide raw ptr This is the Miri side of rust-lang/rust#63880.
@bors r- retry