https://github.com/rust-lang/rust http://git.dreamy.place/mirrors/rust/atom?h=try 2025-07-20T06:56:05+00:00 2025-07-20T06:56:05+00:00 Matthias Krüger 476013+matthiaskrgr@users.noreply.github.com 2025-07-20T06:56:05+00:00 urn:sha1:6d7d366fd3c1ae6ce722e46d1fecfdf258d02f9d Allow volatile access to non-Rust memory, including address 0 This PR relaxes the `ub_check` in the `read_volatile`/`write_volatile` pointer operations to allow passing null. This is needed to support processors which hard-code peripheral registers on address 0, like the AVR chip ATtiny1626. LLVM understands this as valid and handles it correctly, as tested in my [PR to add a note about it](https://github.com/llvm/llvm-project/pull/139803/commits/6387c82255c56d3035d249eb54110695e76b8030#diff-81bbb96298c32fa901beb82ab3b97add27a410c01d577c1f8c01000ed2055826) (rustc generates the same LLVM IR as expected there when this PR is applied, and consequently the same AVR assembly). Follow-up and implementation of the discussions in: - https://internals.rust-lang.org/t/pre-rfc-conditionally-supported-volatile-access-to-address-0/12881/7 - https://github.com/Rahix/avr-device/pull/185; - [#t-lang > Adding the possibility of volatile access to address 0](https://rust-lang.zulipchat.com/#narrow/channel/213817-t-lang/topic/Adding.20the.20possibility.20of.20volatile.20access.20to.20address.200/with/513303502) - https://discourse.llvm.org/t/rfc-volatile-access-to-non-dereferenceable-memory-may-be-well-defined/86303 r? ````@RalfJung```` Also fixes https://github.com/rust-lang/unsafe-code-guidelines/issues/29 (about as good as it'll get, null will likely never be a "normal" address in Rust) 2025-07-19T16:44:07+00:00 Martin Nordholts martin.nordholts@codetale.se 2025-06-25T05:56:40+00:00 urn:sha1:e1d4f2a0c297690ddfc24815de57539f532f2471 And introduce two new directives for ui tests: * `run-crash` * `run-fail-or-crash` Normally a `run-fail` ui test like tests that panic shall not be terminated by a signal like `SIGABRT`. So begin having that as a hard requirement. Some of our current tests do terminate by a signal/crash however. Introduce and use `run-crash` for those tests. Note that Windows crashes are not handled by signals but by certain high bits set on the process exit code. Example exit code for crash on Windows: `0xc000001d`. Because of this, we define "crash" on all platforms as "not exit with success and not exit with a regular failure code in the range 1..=127". Some tests behave differently on different targets: * Targets without unwind support will abort (crash) instead of exit with failure code 101 after panicking. As a special case, allow crashes for `run-fail` tests for such targets. * Different sanitizer implementations handle detected memory problems differently. Some abort (crash) the process while others exit with failure code 1. Introduce and use `run-fail-or-crash` for such tests. 2025-07-18T16:41:34+00:00 Luigi Sartor Piucco luigipiucco@gmail.com 2025-04-20T21:43:54+00:00 urn:sha1:8a8717e971dbdc6155506a4332e9ce8ef9151caa According to https://discourse.llvm.org/t/rfc-volatile-access-to-non-dereferenceable-memory-may-be-well-defined/86303/4, LLVM allows volatile operations on null and handles it correctly. This should be allowed in Rust as well, because I/O memory may be hard-coded to address 0 in some cases, like the AVR chip ATtiny1626. A test case that ensured a failure when passing null to volatile was removed, since it's now valid. Due to the addition of `maybe_is_aligned` to `ub_checks`, `maybe_is_aligned_and_not_null` was refactored to use it. docs: revise restrictions on volatile operations A distinction between usage on Rust memory vs. non-Rust memory was introduced. Documentation was reworded to explain what that means, and make explicit that: - No trapping can occur from volatile operations; - On Rust memory, all safety rules must be respected; - On Rust memory, the primary difference from regular access is that volatile always involves a memory dereference; - On Rust memory, the only data affected by an operation is the one pointed to in the argument(s) of the function; - On Rust memory, provenance follows the same rules as non-volatile access; - On non-Rust memory, any address known to not contain Rust memory is valid (including 0 and usize::MAX); - On non-Rust memory, no Rust memory may be affected (it is implicit that any other non-Rust memory may be affected, though, even if not referenced by the pointer). This should be relevant when, for example, reading register A causes a flag to change in register B, or writing to A causes B to change in some way. Everything affected mustn't be inside an allocation. - On non-Rust memory, provenance is irrelevant and a pointer with none can be used in a valid way. fix: don't lint null as UB for volatile Also remove a now-unneeded `allow` line. fix: additional wording nits 2025-07-15T07:12:24+00:00 xizheyin xizheyin@smail.nju.edu.cn 2025-07-15T07:10:24+00:00 urn:sha1:a74a28493a00900616d5e52cd85b8b6bae761935 Signed-off-by: xizheyin <xizheyin@smail.nju.edu.cn> 2025-04-12T07:24:25+00:00 Jieyou Xu jieyouxu@outlook.com 2025-04-12T07:24:25+00:00 urn:sha1:db6e3aa91387ea8abe2cc29cd4b8e245074472da 2025-03-30T17:33:15+00:00 Urgau urgau@numericable.fr 2025-03-09T21:23:31+00:00 urn:sha1:aa8848040a160842d47a5a143e04da8ad9f27613 2024-10-19T12:40:12+00:00 clubby789 jamie@hill-daniel.co.uk 2024-10-19T11:11:33+00:00 urn:sha1:d82a21f9adf840a48c5ddee3dbc474259d0bc1d3 2024-10-09T23:34:27+00:00 Ben Kimock kimockb@gmail.com 2024-10-09T22:46:06+00:00 urn:sha1:a3606d7ee3dd9d910578a81b2992e61521b1ce21 2024-10-09T23:34:27+00:00 Ben Kimock kimockb@gmail.com 2024-10-07T23:34:25+00:00 urn:sha1:84dacc18829e24ec5d61087a233de68ef57dfabc 2024-04-11T21:53:27+00:00 Ben Kimock kimockb@gmail.com 2024-04-11T21:53:27+00:00 urn:sha1:5dcd242768d3f03cc01b531944327597cf3901e9