about summary refs log tree commit diff
path: root/src/tools/miri/tests
AgeCommit message (Collapse)AuthorLines
2024-08-02Auto merge of #3769 - primoly:miri-start, r=RalfJungbors-2/+65
Add `miri_start` support This PR uses a function with the exported symbol `miri_start` as a drop-in alternative to `#[start]`. So the signature stays the same as suggested in [this comment](https://github.com/rust-lang/miri/issues/3498#issuecomment-2088560526). <del>I’ve also removed Miri’s restriction to only work on bin crates as I don’t think this is necessary anymore.</del> Closes #3758
2024-08-02Add `miri_start` supportprimoly-2/+65
2024-08-02Merge from rustcThe Miri Cronjob Bot-51/+37
2024-08-02Rollup merge of #128453 - RalfJung:raw_eq, r=saethlinMatthias Krüger-25/+0
raw_eq: using it on bytes with provenance is not UB (outside const-eval) The current behavior of raw_eq violates provenance monotonicity. See https://github.com/rust-lang/rust/pull/124921 for an explanation of provenance monotonicity. It is violated in raw_eq because comparing bytes without provenance is well-defined, but adding provenance makes the operation UB. So remove the no-provenance requirement from raw_eq. However, the requirement stays in-place for compile-time invocations of raw_eq, that indeed cannot deal with provenance. Cc `@rust-lang/opsem`
2024-08-01bless miri testsjoboet-4/+4
2024-08-01interpret: simplify pointer arithmetic logicRalf Jung-36/+22
2024-08-01on a signed deref check, mention the right pointer in the errorRalf Jung-15/+15
2024-08-01flock: a bit of cleanupRalf Jung-1/+0
2024-07-31raw_eq: using it on bytes with provenance is not UB (outside const-eval)Ralf Jung-25/+0
2024-07-30Auto merge of #3759 - newpavlov:flock, r=oli-obkbors-0/+71
Add `flock` shim
2024-07-29Rollup merge of #128333 - RalfJung:miri-sync, r=RalfJungMatthias Krüger-74/+441
Miri subtree update r? `@ghost`
2024-07-27improve dangling/oob errors and make them more uniformRalf Jung-84/+86
2024-07-27miri: fix offset_from behavior on wildcard pointersRalf Jung-6/+16
2024-07-26Add `flock` shimАртём Павлов [Artyom Pavlov]-0/+71
2024-07-26Auto merge of #3766 - RalfJung:tree-borrows-int2ptr, r=RalfJungbors-65/+120
better diagnostics for Tree Borrows + int2ptr casts - Entirely reject `-Zmiri-permissive-provenance -Zmiri-tree-borrows` since that combination just doesn't work - In the int2ptr cast warning, when Tree Borrows is enabled, do not recommend `-Zmiri-permissive-provenance`, instead note that Tree Borrows does not support int2ptr casts Fixes https://github.com/rust-lang/miri/issues/3764
2024-07-26better diagnostics for Tree Borrows + int2ptr castsRalf Jung-65/+120
2024-07-26Merge from rustcThe Miri Cronjob Bot-1/+14
2024-07-26Rollup merge of #128150 - BoxyUwU:std_only_sized_const_params, r=workingjubileeMatthias Krüger-1/+14
Stop using `unsized_const_parameters` in core/std `feature(unsized_const_parameters)` is an incomplete feature and should not be used by core/std as it makes it can make it significantly harder to evolve the feature. It also just generally opens the possibility of introducing bugs on stable through std's backdoor. The only usage of this feature in std is the `simd_shuffle_intrinsic` added in #119213. It doesn't seem to be used anywhere as far as I can tell so it is removed in this PR. All tests and codegen logic etc have been kept however. r? `@workingjubilee`
2024-07-25Stop using `unsized_const_parameters` in core/stdBoxy-1/+14
2024-07-25Merge from rustcThe Miri Cronjob Bot-3/+3
2024-07-24show warning when Stacked Borrows skips a reborrow due to 'extern type'Ralf Jung-21/+43
2024-07-24Rollup merge of #127733 - GrigorenkoPV:don't-forget, r=AmanieuMatthias Krüger-3/+3
Replace some `mem::forget`'s with `ManuallyDrop` > but I would like to see a larger effort to replace all uses of `mem::forget`. _Originally posted by `@saethlin` in https://github.com/rust-lang/rust/issues/127584#issuecomment-2226087767_ So, r? `@saethlin` Sorry, I have finished writing all of this before I got your response.
2024-07-24Allow getpid in isolation mode, add gettid supportKonstantinos Andrikopoulos-2/+35
In order to support gettid when isolation is enabled and when it is disabled, and satisfy its requirement that: In a single-threaded process, the thread ID is equal to the process ID (PID, as returned by getpid(2)). we define the thread ID to be getpid() + <miri internal thread id>. Since the internal thread id of the main thread is zero, this will satisfy that requirement. However, getpid for now was only supported when isolation was disabled. To support getpid in isolation mode, we return a hardcoded value (1000) and return that instead of the real PID.
2024-07-24Make unused states of Reserved unrepresentableNeven Villani-46/+46
2024-07-24Merge from rustcThe Miri Cronjob Bot-4/+4
2024-07-23Rollup merge of #125834 - ↵Matthias Krüger-4/+4
workingjubilee:weaken-thir-unsafeck-for-addr-of-static-mut, r=compiler-errors treat `&raw (const|mut) UNSAFE_STATIC` implied deref as safe Fixes rust-lang/rust#125833 As reported in that and related issues, `static mut STATIC_MUT: T` is very often used in embedded code, and is in many ways equivalent to `static STATIC_CELL: SyncUnsafeCell<T>`. The Rust expression of `&raw mut STATIC_MUT` and `SyncUnsafeCell::get(&STATIC_CELL)` are approximately equal, and both evaluate to `*mut T`. The library function is safe because it has *declared itself* to be safe. However, the raw ref operator is unsafe because all uses of `static mut` are considered unsafe, even though the static's value is not used by this expression (unlike, for example, `&STATIC_MUT`). We can fix this unnatural difference by simply adding the proper exclusion for the safety check inside the THIR unsafeck, so that we do not declare it unsafe if it is not. While the primary concern here is `static mut`, this change is made for all instances of an "unsafe static", which includes a static declared inside `extern "abi" {}`. Hypothetically, we could go as far as generalizing this to all instances of `&raw (const|mut) *ptr`, but today we do not, as we have not actually considered the range of possible expressions that use a similar encoding. We do not even extend this to thread-local equivalents, because they have less clear semantics.
2024-07-22miri: fixup for allowing &raw UNSAFE_STATICJubilee Young-4/+4
2024-07-22Auto merge of #3743 - newpavlov:pread_pwrite, r=RalfJungbors-0/+41
Add `pread` and `pwrite` shims Requested in #2057.
2024-07-22Add `pread` and `pwrite` shimsАртём Павлов [Artyom Pavlov]-0/+41
2024-07-22Fix testАртём Павлов [Artyom Pavlov]-1/+1
2024-07-22Add `O_NOFOLLOW` flag supportАртём Павлов [Artyom Pavlov]-0/+29
2024-07-20Merge from rustcThe Miri Cronjob Bot-6/+8
2024-07-19Rollup merge of #127856 - RalfJung:interpret-cast-sanity, r=oli-obkMatthias Krüger-6/+8
interpret: add sanity check in dyn upcast to double-check what codegen does For dyn receiver calls, we already have two codepaths: look up the function to call by indexing into the vtable, or alternatively resolve the DefId given the dynamic type of the receiver. With debug assertions enabled, the interpreter does both and compares the results. (Without debug assertions we always use the vtable as it is simpler.) This PR does the same for dyn trait upcasts. However, for casts *not* using the vtable is the easier thing to do, so now the vtable path is the debug-assertion-only path. In particular, there are cases where the vtable does not contain a pointer for upcasts but instead reuses the old pointer: when the supertrait vtable is a prefix of the larger vtable. We don't want to expose this optimization and detect UB if people do a transmute assuming this optimization, so we cannot in general use the vtable indexing path. r? ``@oli-obk``
2024-07-18interpret: add sanity check in dyn upcast to double-check what codegen doesRalf Jung-6/+8
2024-07-16Auto merge of #3742 - Vanille-N:master, r=RalfJungbors-4/+191
TB: Reserved + Protected + IM + lazy is a horrible combination that should not exist As discovered by `@JoJoDeveloping,` the result of having both Protector exceptions on lazy locations (protectors only protect initialized bytes) and interior mutability exceptions for protected tags (Reserved IM does not accept foreign writes when protected) leads to some very undesirable results, namely that we cannot do spurious writes even on protected activated locations. We propose that Protected Reserved IM should no longer exist and instead when a type is retagged as part of a `FnEntry` it is assumed to lose interior mutability. In fact, this was already being done implicitly because relevant transitions were guarded by an `if protected`, but the difference is that now it also applies to transitions that occur after the end of the protector.
2024-07-15Rollup merge of #124921 - RalfJung:offset-from-same-addr, r=oli-obkMatthias Krüger-3/+0
offset_from: always allow pointers to point to the same address This PR implements the last remaining part of the t-opsem consensus in https://github.com/rust-lang/unsafe-code-guidelines/issues/472: always permits offset_from when both pointers have the same address, no matter how they are computed. This is required to achieve *provenance monotonicity*. Tracking issue: https://github.com/rust-lang/rust/issues/117945 ### What is provenance monotonicity and why does it matter? Provenance monotonicity is the property that adding arbitrary provenance to any no-provenance pointer must never make the program UB. More specifically, in the program state, data in memory is stored as a sequence of [abstract bytes](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#abstract-byte), where each byte can optionally carry provenance. When a pointer is stored in memory, all of the bytes it is stored in carry that provenance. Provenance monotonicity means: if we take some byte that does not have provenance, and give it some arbitrary provenance, then that cannot change program behavior or introduce UB into a UB-free program. We care about provenance monotonicity because we want to allow the optimizer to remove provenance-stripping operations. Removing a provenance-stripping operation effectively means the program after the optimization has provenance where the program before the optimization did not -- since the provenance removal does not happen in the optimized program. IOW, the compiler transformation added provenance to previously provenance-free bytes. This is exactly what provenance monotonicity lets us do. We care about removing provenance-stripping operations because `*ptr = *ptr` is, in general, (likely) a provenance-stripping operation. Specifically, consider `ptr: *mut usize` (or any integer type), and imagine the data at `*ptr` is actually a pointer (i.e., we are type-punning between pointers and integers). Then `*ptr` on the right-hand side evaluates to the data in memory *without* any provenance (because [integers do not have provenance](https://rust-lang.github.io/rfcs/3559-rust-has-provenance.html#integers-do-not-have-provenance)). Storing that back to `*ptr` means that the abstract bytes `ptr` points to are the same as before, except their provenance is now gone. This makes `*ptr = *ptr` a provenance-stripping operation (Here we assume `*ptr` is fully initialized. If it is not initialized, evaluating `*ptr` to a value is UB, so removing `*ptr = *ptr` is trivially correct.) ### What does `offset_from` have to do with provenance monotonicity? With `ptr = without_provenance(N)`, `ptr.offset_from(ptr)` is always well-defined and returns 0. By provenance monotonicity, I can now add provenance to the two arguments of `offset_from` and it must still be well-defined. Crucially, I can add *different* provenance to the two arguments, and it must still be well-defined. In other words, this must always be allowed: `ptr1.with_addr(N).offset_from(ptr2.with_addr(N))` (and it returns 0). But the current spec for `offset_from` says that the two pointers must either both be derived from an integer or both be derived from the same allocation, which is not in general true for arbitrary `ptr1`, `ptr2`. To obtain provenance monotonicity, this PR hence changes the spec for offset_from to say that if both pointers have the same address, the function is always well-defined. ### What further consequences does this have? It means the compiler can no longer transform `end2 = begin.offset(end.offset_from(begin))` into `end2 = end`. However, it can still be transformed into `end2 = begin.with_addr(end.addr())`, which later parts of the backend (when provenance has been erased) can trivially turn into `end2 = end`. The only alternative I am aware of is a fundamentally different handling of zero-sized accesses, where a "no provenance" pointer is not allowed to do zero-sized accesses and instead we have a special provenance that indicates "may be used for zero-sized accesses (and nothing else)". `offset` and `offset_from` would then always be UB on a "no provenance" pointer, and permit zero-sized offsets on a "zero-sized provenance" pointer. This achieves provenance monotonicity. That is, however, a breaking change as it contradicts what we landed in https://github.com/rust-lang/rust/pull/117329. It's also a whole bunch of extra UB, which doesn't seem worth it just to achieve that transformation. ### What about the backend? LLVM currently doesn't have an intrinsic for pointer difference, so we anyway cast to integer and subtract there. That's never UB so it is compatible with any relaxation we may want to apply. If LLVM gets a `ptrsub` in the future, then plausibly it will be consistent with `ptradd` and [consider two equal pointers to be inbounds](https://github.com/rust-lang/rust/pull/124921#issuecomment-2205795829).
2024-07-15lib: replace some `mem::forget`'s with `ManuallyDrop`Pavel Grigorenko-3/+3
2024-07-15Make normalization regex less exactChris Denton-1/+1
2024-07-14Auto merge of #3745 - joboet:os_unfair_lock, r=RalfJungbors-0/+127
Implement the `os_unfair_lock` functions on macOS These are needed for rust-lang/rust#122408. See the documentation [here](https://developer.apple.com/documentation/os/synchronization?language=objc) and the implementation [here](https://github.com/apple-oss-distributions/libplatform/blob/a00a4cc36da2110578bcf3b8eeeeb93dcc7f4e11/src/os/lock.c#L645).
2024-07-14implement the `os_unfair_lock` functions on macOSjoboet-0/+127
2024-07-14add test for intermediate reference in '&(*x).0 as *const i32'Ralf Jung-0/+40
2024-07-12Clarify comment in tests/fail/tree_borrows/reservedim_spurious_write.rsNeven Villani-2/+3
Co-authored-by: Ralf Jung <post@ralfj.de>
2024-07-10Second byte is not involved in the example; use a Cell<()> insteadNeven Villani-16/+19
2024-07-10Auto merge of #3720 - safinaskar:read, r=RalfJungbors-0/+77
Fix libc::read shim: make it write to a buffer correct amount of bytes. Add tests for new behavior libc::read shim had a bug: if underlying real call libc::read(fd, buf, N) returns M, then libc::read shim writes N bytes to buf instead of M. Remaining N - M bytes are filled with zeros. This commit fixes this bug and adds tests for new behavior
2024-07-09Fix libc::read shim: make it write to a buffer correct amount of bytes. Add ↵Askar Safin-0/+77
tests for the new behavior. libc::read shim had a bug: if underlying real call libc::read(fd, buf, N) returns M, then libc::read shim writes N bytes to buf instead of M. Remaining N - M bytes are filled with zeros. This commit fixes this bug and adds tests for new behavior
2024-07-09Apply suggestionsNeven Villani-17/+50
- split test into two revisions - clarify comments
2024-07-09Implement fix for reservedim_spurious_write: ignore IM on protectedNeven Villani-5/+46
2024-07-09This pattern using lazy protected Reserved IM prevents spurious writesNeven Villani-0/+109
2024-07-09Auto merge of #3739 - joboet:macos_tls_dtors, r=RalfJungbors-0/+50
Implement support for multiple TLS destructors on macOS I want to get rid of [this `#[cfg]` block](https://github.com/rust-lang/rust/blob/98dcbae5c9ac615d5acfbf42d42b19a77cb9ec11/library/std/src/thread/mod.rs#L195-L211) in `std`, but it is currently required for miri, as it does not support multiple macOS TLS destructors. This is not true for the platform itself, however, as can be observed in the [implementation](https://github.com/apple-oss-distributions/dyld/blob/d552c40cd1de105f0ec95008e0e0c0972de43456/dyld/DyldRuntimeState.cpp#L2239).
2024-07-09Merge from rustcThe Miri Cronjob Bot-8/+116