about summary refs log tree commit diff
path: root/src/tools/miri
AgeCommit message (Collapse)AuthorLines
2024-07-26diagnostics: add a macro to make things a bit easier to readRalf Jung-76/+59
2024-07-26better diagnostics for Tree Borrows + int2ptr castsRalf Jung-70/+150
2024-07-26Merge from rustcThe Miri Cronjob Bot-1/+14
2024-07-26Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-26Rollup merge of #128150 - BoxyUwU:std_only_sized_const_params, r=workingjubileeMatthias Krüger-1/+14
Stop using `unsized_const_parameters` in core/std `feature(unsized_const_parameters)` is an incomplete feature and should not be used by core/std as it makes it can make it significantly harder to evolve the feature. It also just generally opens the possibility of introducing bugs on stable through std's backdoor. The only usage of this feature in std is the `simd_shuffle_intrinsic` added in #119213. It doesn't seem to be used anywhere as far as I can tell so it is removed in this PR. All tests and codegen logic etc have been kept however. r? `@workingjubilee`
2024-07-25Stop using `unsized_const_parameters` in core/stdBoxy-1/+14
2024-07-25Merge from rustcThe Miri Cronjob Bot-3/+3
2024-07-25Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-24show warning when Stacked Borrows skips a reborrow due to 'extern type'Ralf Jung-27/+83
2024-07-24Rollup merge of #127733 - GrigorenkoPV:don't-forget, r=AmanieuMatthias Krüger-3/+3
Replace some `mem::forget`'s with `ManuallyDrop` > but I would like to see a larger effort to replace all uses of `mem::forget`. _Originally posted by `@saethlin` in https://github.com/rust-lang/rust/issues/127584#issuecomment-2226087767_ So, r? `@saethlin` Sorry, I have finished writing all of this before I got your response.
2024-07-24Allow getpid in isolation mode, add gettid supportKonstantinos Andrikopoulos-7/+60
In order to support gettid when isolation is enabled and when it is disabled, and satisfy its requirement that: In a single-threaded process, the thread ID is equal to the process ID (PID, as returned by getpid(2)). we define the thread ID to be getpid() + <miri internal thread id>. Since the internal thread id of the main thread is zero, this will satisfy that requirement. However, getpid for now was only supported when isolation was disabled. To support getpid in isolation mode, we return a hardcoded value (1000) and return that instead of the real PID.
2024-07-24Make unused states of Reserved unrepresentableNeven Villani-134/+200
2024-07-24Merge from rustcThe Miri Cronjob Bot-4/+4
2024-07-24Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-23Rollup merge of #125834 - ↵Matthias Krüger-4/+4
workingjubilee:weaken-thir-unsafeck-for-addr-of-static-mut, r=compiler-errors treat `&raw (const|mut) UNSAFE_STATIC` implied deref as safe Fixes rust-lang/rust#125833 As reported in that and related issues, `static mut STATIC_MUT: T` is very often used in embedded code, and is in many ways equivalent to `static STATIC_CELL: SyncUnsafeCell<T>`. The Rust expression of `&raw mut STATIC_MUT` and `SyncUnsafeCell::get(&STATIC_CELL)` are approximately equal, and both evaluate to `*mut T`. The library function is safe because it has *declared itself* to be safe. However, the raw ref operator is unsafe because all uses of `static mut` are considered unsafe, even though the static's value is not used by this expression (unlike, for example, `&STATIC_MUT`). We can fix this unnatural difference by simply adding the proper exclusion for the safety check inside the THIR unsafeck, so that we do not declare it unsafe if it is not. While the primary concern here is `static mut`, this change is made for all instances of an "unsafe static", which includes a static declared inside `extern "abi" {}`. Hypothetically, we could go as far as generalizing this to all instances of `&raw (const|mut) *ptr`, but today we do not, as we have not actually considered the range of possible expressions that use a similar encoding. We do not even extend this to thread-local equivalents, because they have less clear semantics.
2024-07-22miri: fixup for allowing &raw UNSAFE_STATICJubilee Young-4/+4
2024-07-22Auto merge of #3743 - newpavlov:pread_pwrite, r=RalfJungbors-21/+205
Add `pread` and `pwrite` shims Requested in #2057.
2024-07-22Add `pread` and `pwrite` shimsАртём Павлов [Artyom Pavlov]-21/+205
2024-07-22Fix testАртём Павлов [Artyom Pavlov]-1/+1
2024-07-22Add `O_NOFOLLOW` flag supportАртём Павлов [Artyom Pavlov]-3/+55
2024-07-20Merge from rustcThe Miri Cronjob Bot-6/+8
2024-07-20Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-19Rollup merge of #127856 - RalfJung:interpret-cast-sanity, r=oli-obkMatthias Krüger-6/+8
interpret: add sanity check in dyn upcast to double-check what codegen does For dyn receiver calls, we already have two codepaths: look up the function to call by indexing into the vtable, or alternatively resolve the DefId given the dynamic type of the receiver. With debug assertions enabled, the interpreter does both and compares the results. (Without debug assertions we always use the vtable as it is simpler.) This PR does the same for dyn trait upcasts. However, for casts *not* using the vtable is the easier thing to do, so now the vtable path is the debug-assertion-only path. In particular, there are cases where the vtable does not contain a pointer for upcasts but instead reuses the old pointer: when the supertrait vtable is a prefix of the larger vtable. We don't want to expose this optimization and detect UB if people do a transmute assuming this optimization, so we cannot in general use the vtable indexing path. r? ``@oli-obk``
2024-07-18interpret: add sanity check in dyn upcast to double-check what codegen doesRalf Jung-6/+8
2024-07-16Auto merge of #3742 - Vanille-N:master, r=RalfJungbors-6/+211
TB: Reserved + Protected + IM + lazy is a horrible combination that should not exist As discovered by `@JoJoDeveloping,` the result of having both Protector exceptions on lazy locations (protectors only protect initialized bytes) and interior mutability exceptions for protected tags (Reserved IM does not accept foreign writes when protected) leads to some very undesirable results, namely that we cannot do spurious writes even on protected activated locations. We propose that Protected Reserved IM should no longer exist and instead when a type is retagged as part of a `FnEntry` it is assumed to lose interior mutability. In fact, this was already being done implicitly because relevant transitions were guarded by an `if protected`, but the difference is that now it also applies to transitions that occur after the end of the protector.
2024-07-16Merge from rustcThe Miri Cronjob Bot-4/+1
2024-07-16Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-15Rollup merge of #124921 - RalfJung:offset-from-same-addr, r=oli-obkMatthias Krüger-3/+0
offset_from: always allow pointers to point to the same address This PR implements the last remaining part of the t-opsem consensus in https://github.com/rust-lang/unsafe-code-guidelines/issues/472: always permits offset_from when both pointers have the same address, no matter how they are computed. This is required to achieve *provenance monotonicity*. Tracking issue: https://github.com/rust-lang/rust/issues/117945 ### What is provenance monotonicity and why does it matter? Provenance monotonicity is the property that adding arbitrary provenance to any no-provenance pointer must never make the program UB. More specifically, in the program state, data in memory is stored as a sequence of [abstract bytes](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#abstract-byte), where each byte can optionally carry provenance. When a pointer is stored in memory, all of the bytes it is stored in carry that provenance. Provenance monotonicity means: if we take some byte that does not have provenance, and give it some arbitrary provenance, then that cannot change program behavior or introduce UB into a UB-free program. We care about provenance monotonicity because we want to allow the optimizer to remove provenance-stripping operations. Removing a provenance-stripping operation effectively means the program after the optimization has provenance where the program before the optimization did not -- since the provenance removal does not happen in the optimized program. IOW, the compiler transformation added provenance to previously provenance-free bytes. This is exactly what provenance monotonicity lets us do. We care about removing provenance-stripping operations because `*ptr = *ptr` is, in general, (likely) a provenance-stripping operation. Specifically, consider `ptr: *mut usize` (or any integer type), and imagine the data at `*ptr` is actually a pointer (i.e., we are type-punning between pointers and integers). Then `*ptr` on the right-hand side evaluates to the data in memory *without* any provenance (because [integers do not have provenance](https://rust-lang.github.io/rfcs/3559-rust-has-provenance.html#integers-do-not-have-provenance)). Storing that back to `*ptr` means that the abstract bytes `ptr` points to are the same as before, except their provenance is now gone. This makes `*ptr = *ptr` a provenance-stripping operation (Here we assume `*ptr` is fully initialized. If it is not initialized, evaluating `*ptr` to a value is UB, so removing `*ptr = *ptr` is trivially correct.) ### What does `offset_from` have to do with provenance monotonicity? With `ptr = without_provenance(N)`, `ptr.offset_from(ptr)` is always well-defined and returns 0. By provenance monotonicity, I can now add provenance to the two arguments of `offset_from` and it must still be well-defined. Crucially, I can add *different* provenance to the two arguments, and it must still be well-defined. In other words, this must always be allowed: `ptr1.with_addr(N).offset_from(ptr2.with_addr(N))` (and it returns 0). But the current spec for `offset_from` says that the two pointers must either both be derived from an integer or both be derived from the same allocation, which is not in general true for arbitrary `ptr1`, `ptr2`. To obtain provenance monotonicity, this PR hence changes the spec for offset_from to say that if both pointers have the same address, the function is always well-defined. ### What further consequences does this have? It means the compiler can no longer transform `end2 = begin.offset(end.offset_from(begin))` into `end2 = end`. However, it can still be transformed into `end2 = begin.with_addr(end.addr())`, which later parts of the backend (when provenance has been erased) can trivially turn into `end2 = end`. The only alternative I am aware of is a fundamentally different handling of zero-sized accesses, where a "no provenance" pointer is not allowed to do zero-sized accesses and instead we have a special provenance that indicates "may be used for zero-sized accesses (and nothing else)". `offset` and `offset_from` would then always be UB on a "no provenance" pointer, and permit zero-sized offsets on a "zero-sized provenance" pointer. This achieves provenance monotonicity. That is, however, a breaking change as it contradicts what we landed in https://github.com/rust-lang/rust/pull/117329. It's also a whole bunch of extra UB, which doesn't seem worth it just to achieve that transformation. ### What about the backend? LLVM currently doesn't have an intrinsic for pointer difference, so we anyway cast to integer and subtract there. That's never UB so it is compatible with any relaxation we may want to apply. If LLVM gets a `ptrsub` in the future, then plausibly it will be consistent with `ptradd` and [consider two equal pointers to be inbounds](https://github.com/rust-lang/rust/pull/124921#issuecomment-2205795829).
2024-07-15lib: replace some `mem::forget`'s with `ManuallyDrop`Pavel Grigorenko-3/+3
2024-07-15Make normalization regex less exactChris Denton-1/+1
2024-07-14Auto merge of #3745 - joboet:os_unfair_lock, r=RalfJungbors-7/+284
Implement the `os_unfair_lock` functions on macOS These are needed for rust-lang/rust#122408. See the documentation [here](https://developer.apple.com/documentation/os/synchronization?language=objc) and the implementation [here](https://github.com/apple-oss-distributions/libplatform/blob/a00a4cc36da2110578bcf3b8eeeeb93dcc7f4e11/src/os/lock.c#L645).
2024-07-14implement the `os_unfair_lock` functions on macOSjoboet-7/+284
2024-07-14add test for intermediate reference in '&(*x).0 as *const i32'Ralf Jung-0/+40
2024-07-13Leave a trace of the current suboptimal status of foreign_writeNeven Villani-0/+6
2024-07-12Clarify comment in tests/fail/tree_borrows/reservedim_spurious_write.rsNeven Villani-2/+3
Co-authored-by: Ralf Jung <post@ralfj.de>
2024-07-10Second byte is not involved in the example; use a Cell<()> insteadNeven Villani-16/+19
2024-07-10Auto merge of #3720 - safinaskar:read, r=RalfJungbors-1/+83
Fix libc::read shim: make it write to a buffer correct amount of bytes. Add tests for new behavior libc::read shim had a bug: if underlying real call libc::read(fd, buf, N) returns M, then libc::read shim writes N bytes to buf instead of M. Remaining N - M bytes are filled with zeros. This commit fixes this bug and adds tests for new behavior
2024-07-09Fix libc::read shim: make it write to a buffer correct amount of bytes. Add ↵Askar Safin-1/+83
tests for the new behavior. libc::read shim had a bug: if underlying real call libc::read(fd, buf, N) returns M, then libc::read shim writes N bytes to buf instead of M. Remaining N - M bytes are filled with zeros. This commit fixes this bug and adds tests for new behavior
2024-07-09Apply suggestionsNeven Villani-18/+52
- split test into two revisions - clarify comments
2024-07-09Implement fix for reservedim_spurious_write: ignore IM on protectedNeven Villani-7/+59
2024-07-09This pattern using lazy protected Reserved IM prevents spurious writesNeven Villani-0/+109
2024-07-09Auto merge of #3739 - joboet:macos_tls_dtors, r=RalfJungbors-30/+87
Implement support for multiple TLS destructors on macOS I want to get rid of [this `#[cfg]` block](https://github.com/rust-lang/rust/blob/98dcbae5c9ac615d5acfbf42d42b19a77cb9ec11/library/std/src/thread/mod.rs#L195-L211) in `std`, but it is currently required for miri, as it does not support multiple macOS TLS destructors. This is not true for the platform itself, however, as can be observed in the [implementation](https://github.com/apple-oss-distributions/dyld/blob/d552c40cd1de105f0ec95008e0e0c0972de43456/dyld/DyldRuntimeState.cpp#L2239).
2024-07-09Merge from rustcThe Miri Cronjob Bot-12/+120
2024-07-09Preparing for merge from rustcThe Miri Cronjob Bot-1/+1
2024-07-08implement support for multiple TLS destructors on macOSjoboet-30/+87
2024-07-08Rollup merge of #127355 - aceArt-GmbH:126475, r=oli-obkMatthias Krüger-8/+8
Mark format! with must_use hint Uses unstable feature https://github.com/rust-lang/rust/issues/94745 Part of #126475 First contribution to rust, please let me know if the blessing of tests is correct Thanks `@bjorn3` for the help
2024-07-08Auto merge of #113128 - WaffleLapkin:become_trully_unuwuable, r=oli-obk,RalfJungbors-4/+112
Support tail calls in mir via `TerminatorKind::TailCall` This is one of the interesting bits in tail call implementation — MIR support. This adds a new `TerminatorKind` which represents a tail call: ```rust TailCall { func: Operand<'tcx>, args: Vec<Operand<'tcx>>, fn_span: Span, }, ``` *Structurally* this is very similar to a normal `Call` but is missing a few fields: - `destination` — tail calls don't write to destination, instead they pass caller's destination to the callee (such that eventual `return` will write to the caller of the function that used tail call) - `target` — similarly to `destination` tail calls pass the caller's return address to the callee, so there is nothing to do - `unwind` — I _think_ this is applicable too, although it's a bit confusing - `call_source` — `become` forbids operators and is not created as a lowering of something else; tail calls always come from HIR (at least for now) It might be helpful to read the interpreter implementation to understand what `TailCall` means exactly, although I've tried documenting it too. ----- There are a few `FIXME`-questions still left, ideally we'd be able to answer them during review ':) ----- r? `@oli-obk` cc `@scottmcm` `@DrMeepster` `@JakobDegen`
2024-07-07Fixup a typo in a comment in a testMaybe Lapkin-1/+1
2024-07-07Fix conflicts after rebaseMaybe Lapkin-2/+2
- r-l/r 126784 - r-l/r 127113 - r-l/miri 3562
2024-07-07make `StackPop` field names less confusingMaybe Waffle-4/+4