miri native_calls: ensure we actually expose *mutable* provenance to the memory FFI can access #138352
+12
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…the memory FFI can access
rustbot
added
S-waiting-on-review
oli-obk
reviewed
Mar 11, 2025
Comment on lines
+985
to
+987
| // Also expose the provenance of the interpreter-level allocation, so it can | ||
| // be read by FFI. The `black_box` is defensive programming as LLVM likes | ||
| // to (incorrectly) optimize away ptr2int casts whose result is unused. |
There was a problem hiding this comment.
should expose_provenance maybe do the black box internally?
There was a problem hiding this comment.
If we do that then as casts should also do the black box... that would probably become a pretty big discussion though.
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Mar 11, 2025
…, r=oli-obk miri native_calls: ensure we actually expose *mutable* provenance to the memory FFI can access In native call mode, the interpreter memory itself is accessed directly by external code via pointers created from integers and passed via libffi, so we have to ensure the provenance in Miri itself (on the meta level) is sufficiently exposed. So far we only exposed the provenance for read-only accesses. This may we enough as that may actually be the same provenance as for mutable accesses, but it's hard to be sure, and anyway there's no reason to do such a gambit -- we have this function, `prepare_for_native_call`, which iterates all memory the call can access. let's just also (re-)expose Miri's own allocations there. We expose the read-only provenance for all of them and the mutable provenance for the mutable allocations. r? `@oli-obk`
This was referenced Mar 11, 2025
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 11, 2025
…iaskrgr Rollup of 10 pull requests Successful merges: - rust-lang#137715 (Allow int literals for pattern types with int base types) - rust-lang#138002 (Disable CFI for weakly linked syscalls) - rust-lang#138051 (Add support for downloading GCC from CI) - rust-lang#138231 (Prevent ICE in autodiff validation by emitting user-friendly errors) - rust-lang#138245 (stabilize `ci_rustc_if_unchanged_logic` test for local environments) - rust-lang#138256 (Do not feed anon const a type that references generics that it does not have) - rust-lang#138284 (Do not write user type annotation for const param value path) - rust-lang#138296 (Remove `AdtFlags::IS_ANONYMOUS` and `Copy`/`Clone` condition for anonymous ADT) - rust-lang#138352 (miri native_calls: ensure we actually expose *mutable* provenance to the memory FFI can access) - rust-lang#138354 (remove redundant `body` arguments) r? `@ghost` `@rustbot` modify labels: rollup
github-actions bot
pushed a commit
to model-checking/verify-rust-std
that referenced
this pull request
Mar 14, 2025
…iaskrgr Rollup of 10 pull requests Successful merges: - rust-lang#137715 (Allow int literals for pattern types with int base types) - rust-lang#138002 (Disable CFI for weakly linked syscalls) - rust-lang#138051 (Add support for downloading GCC from CI) - rust-lang#138231 (Prevent ICE in autodiff validation by emitting user-friendly errors) - rust-lang#138245 (stabilize `ci_rustc_if_unchanged_logic` test for local environments) - rust-lang#138256 (Do not feed anon const a type that references generics that it does not have) - rust-lang#138284 (Do not write user type annotation for const param value path) - rust-lang#138296 (Remove `AdtFlags::IS_ANONYMOUS` and `Copy`/`Clone` condition for anonymous ADT) - rust-lang#138352 (miri native_calls: ensure we actually expose *mutable* provenance to the memory FFI can access) - rust-lang#138354 (remove redundant `body` arguments) r? `@ghost` `@rustbot` modify labels: rollup
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In native call mode, the interpreter memory itself is accessed directly by external code via pointers created from integers and passed via libffi, so we have to ensure the provenance in Miri itself (on the meta level) is sufficiently exposed. So far we only exposed the provenance for read-only accesses. This may we enough as that may actually be the same provenance as for mutable accesses, but it's hard to be sure, and anyway there's no reason to do such a gambit -- we have this function,
prepare_for_native_call, which iterates all memory the call can access. let's just also (re-)expose Miri's own allocations there. We expose the read-only provenance for all of them and the mutable provenance for the mutable allocations.r? @oli-obk