

Try to turn on validation in CTFE for unsafe code
Instead of only validating values which actually get stored to a const,
this PR attempts to turn on full validation in the presence of unsafe
code, as detected by walking HIR when available.
saethlin committed May 21, 2022
1 parent 5f33adc commit d6bcb8b
Showing 75 changed files with 887 additions and 1,639 deletions.
121 changes: 113 additions & 8 deletions compiler/rustc_const_eval/src/const_eval/machine.rs
Expand Up @@ -2,14 +2,17 @@ use rustc_hir::def::DefKind;
use rustc_middle::mir;
use rustc_middle::ty::{self, Ty, TyCtxt};
use std::borrow::Borrow;
use std::cell::RefCell;
use std::collections::hash_map::Entry;
use std::hash::Hash;

use rustc_data_structures::fx::FxHashMap;
use std::fmt;

use rustc_ast::Mutability;
use rustc_hir::def_id::DefId;
use rustc_hir::def_id::{DefId, LocalDefId};
use rustc_hir::intravisit::Visitor;
use rustc_hir::Node;
use rustc_middle::mir::AssertMessage;
use rustc_session::Limit;
use rustc_span::symbol::{sym, Symbol};
Expand All @@ -18,7 +21,7 @@ use rustc_target::spec::abi::Abi;

use crate::interpret::{
self, compile_time_machine, AllocId, ConstAllocation, Frame, ImmTy, InterpCx, InterpResult,
OpTy, PlaceTy, Pointer, Scalar, StackPopUnwind,
Machine, OpTy, PlaceTy, Pointer, Scalar, StackPopUnwind,
};

use super::error::*;
Expand Down Expand Up @@ -101,6 +104,8 @@ pub struct CompileTimeInterpreter<'mir, 'tcx> {
/// * Pointers to allocations inside of statics can never leak outside, to a non-static global.
/// This boolean here controls the second part.
pub(super) can_access_statics: bool,

unsafe_detector: RefCell<UnsafeDetector>,
}

impl<'mir, 'tcx> CompileTimeInterpreter<'mir, 'tcx> {
Expand All @@ -109,6 +114,7 @@ impl<'mir, 'tcx> CompileTimeInterpreter<'mir, 'tcx> {
steps_remaining: const_eval_limit.0,
stack: Vec::new(),
can_access_statics,
unsafe_detector: RefCell::new(UnsafeDetector::default()),
}
}
}
Expand Down Expand Up @@ -229,9 +235,102 @@ impl<'mir, 'tcx: 'mir> CompileTimeEvalContext<'mir, 'tcx> {
}
}

struct FindUnsafeVisitor<'tcx> {
tcx: TyCtxt<'tcx>,
found_unsafe: bool,
}

impl<'tcx> Visitor<'tcx> for FindUnsafeVisitor<'tcx> {
type NestedFilter = rustc_middle::hir::nested_filter::All;

fn nested_visit_map(&mut self) -> Self::Map {
self.tcx.hir()
}

fn visit_block(&mut self, block: &'tcx rustc_hir::Block<'tcx>) {
rustc_hir::intravisit::walk_block(self, block);
if let rustc_hir::BlockCheckMode::UnsafeBlock(_) = block.rules {
self.found_unsafe = true;
}
}
}

#[cold]
#[inline(never)]
fn may_contain_unsafe<'mir, 'tcx>(
ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>,
def_id: DefId,
) -> bool {
let hir = ecx.tcx.hir();
if let Some(Node::Item(item)) = hir.get_if_local(def_id) {
let mut visitor = FindUnsafeVisitor { tcx: *ecx.tcx, found_unsafe: false };
visitor.visit_item(&item);
visitor.found_unsafe
} else {
true
}
}

#[derive(Default)]
struct UnsafeDetector {
loaded_mir_with_unsafe: Option<bool>,
known_safe_defs: FxHashMap<LocalDefId, bool>,
}

impl UnsafeDetector {
#[cold]
#[inline(never)]
fn analyze_def<'mir, 'tcx>(
&mut self,
ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>,
def_id: DefId,
) {
if let Some(local_id) = def_id.as_local() {
let found_unsafe = *self
.known_safe_defs
.entry(local_id)
.or_insert_with(|| may_contain_unsafe(ecx, def_id));
self.loaded_mir_with_unsafe = Some(found_unsafe);
} else {
self.loaded_mir_with_unsafe = Some(true);
}
}

#[cold]
#[inline(never)]
fn analyze_stack<'mir, 'tcx>(ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>) {
let mut this = ecx.machine.unsafe_detector.borrow_mut();
let stack = CompileTimeInterpreter::stack(ecx);
if stack.len() == 1 {
let frame = stack.last().unwrap();
this.analyze_def(ecx, frame.instance.def_id());
} else {
this.loaded_mir_with_unsafe = Some(true);
}
}

#[inline]
fn is_init(&self) -> bool {
self.loaded_mir_with_unsafe.is_some()
}

#[inline]
fn mir_needs_validation(&self) -> bool {
self.loaded_mir_with_unsafe == Some(true)
}
}

impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir, 'tcx> {
compile_time_machine!(<'mir, 'tcx>);

fn enforce_validity(ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
let unsafe_detector = ecx.machine.unsafe_detector.get_mut();
if !unsafe_detector.is_init() {
UnsafeDetector::analyze_stack(ecx);
}
ecx.machine.unsafe_detector.get_mut().mir_needs_validation()
}

type MemoryKind = MemoryKind;

const PANIC_ON_ALLOC_FAIL: bool = false; // will be raised as a proper error
Expand All @@ -240,10 +339,12 @@ impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir,
ecx: &InterpCx<'mir, 'tcx, Self>,
instance: ty::InstanceDef<'tcx>,
) -> InterpResult<'tcx, &'tcx mir::Body<'tcx>> {
match instance {
ecx.machine.unsafe_detector.borrow_mut().analyze_def(ecx, instance.def_id());

let mir = match instance {
ty::InstanceDef::Item(def) => {
if ecx.tcx.is_ctfe_mir_available(def.did) {
Ok(ecx.tcx.mir_for_ctfe_opt_const_arg(def))
ecx.tcx.mir_for_ctfe_opt_const_arg(def)
} else if ecx.tcx.def_kind(def.did) == DefKind::AssocConst {
let guar = ecx.tcx.sess.delay_span_bug(
rustc_span::DUMMY_SP,
Expand All @@ -252,12 +353,16 @@ impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir,
throw_inval!(AlreadyReported(guar));
} else {
let path = ecx.tcx.def_path_str(def.did);
Err(ConstEvalErrKind::NeedsRfc(format!("calling extern function `{}`", path))
.into())
return Err(ConstEvalErrKind::NeedsRfc(format!(
"calling extern function `{}`",
path
))
.into());
}
}
_ => Ok(ecx.tcx.instance_mir(instance)),
}
_ => ecx.tcx.instance_mir(instance),
};
Ok(mir)
}

fn find_mir_or_eval_fn(
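Review bot: `UnsafeDetector::analyze_def` overwrites `loaded_mir_with_unsafe` on every `load_mir` call (the `Some(found_unsafe)` store), so after an unsafe body has been loaded, loading a later body that contains no `unsafe` block flips the flag back to `Some(false)` and `enforce_validity` stops validating for the remainder of the evaluation, including values that came out of the unsafe callee. If the intent is "validate once anything unsafe has been seen", make the flag sticky: `self.loaded_mir_with_unsafe = Some(self.loaded_mir_with_unsafe.unwrap_or(false) || found_unsafe);`. Separately, `FindUnsafeVisitor` only sets `found_unsafe` on `BlockCheckMode::UnsafeBlock`; as far as I can tell the body of an `unsafe fn` is an ordinary block, so a `const unsafe fn` that performs unsafe operations without an inner `unsafe { }` would be classified as safe — checking the item's `FnHeader` unsafety in `visit_item` would close that gap, please confirm. `find_mir_or_eval_fn` at the end of this section continues outside the hunk.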
4 changes: 2 additions & 2 deletions compiler/rustc_const_eval/src/interpret/machine.rs
Expand Up @@ -131,7 +131,7 @@ pub trait Machine<'mir, 'tcx>: Sized {
fn force_int_for_alignment_check(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;

/// Whether to enforce the validity invariant
fn enforce_validity(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;
fn enforce_validity(ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool;

/// Whether to enforce integers and floats being initialized.
fn enforce_number_init(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;
Expand Down Expand Up @@ -450,7 +450,7 @@ pub macro compile_time_machine(<$mir: lifetime, $tcx: lifetime>) {
}

#[inline(always)]
fn enforce_validity(_ecx: &InterpCx<$mir, $tcx, Self>) -> bool {
fn enforce_validity(_ecx: &mut InterpCx<$mir, $tcx, Self>) -> bool {
false // for now, we don't enforce validity
}

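Review bot: The `compile_time_machine!` macro still emits a default `enforce_validity` (the `false // for now` body in this hunk), yet `CompileTimeInterpreter` and both `ConstPropMachine` impls in this commit invoke the macro and then define `enforce_validity` themselves; unless a hunk outside this page removes the default, each of those impls ends up with a duplicate method definition. Either drop the default from the macro and keep the explicit impls, or drop the explicit impls where `false` is the desired answer. The trait doc comment should also record why the receiver became `&mut`, e.g. `/// Whether to enforce the validity invariant. Takes `&mut` so a machine may lazily compute and cache its answer.` — assuming that is the reason for the signature change.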
6 changes: 6 additions & 0 deletions compiler/rustc_mir_transform/src/const_prop.rs
Expand Up @@ -184,6 +184,12 @@ impl ConstPropMachine<'_, '_> {

impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for ConstPropMachine<'mir, 'tcx> {
compile_time_machine!(<'mir, 'tcx>);

#[inline(always)]
fn enforce_validity(_ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
false
}

const PANIC_ON_ALLOC_FAIL: bool = true; // all allocations are small (see `MAX_ALLOC_LIMIT`)

type MemoryKind = !;
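Review bot: This `enforce_validity` override is byte-identical to the default that `compile_time_machine!` emits (see the interpret/machine.rs hunk), so it is either redundant or, if the macro default is meant to go away, the only place that records why const-prop opts out of validation. A one-line comment would make that explicit, e.g. `// Never validate during const-prop: the unsafe-detection heuristic added for CTFE must not change which MIR gets optimized.` — presumably that is the reason; please confirm. The same override appears verbatim in const_prop_lint.rs.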
6 changes: 6 additions & 0 deletions compiler/rustc_mir_transform/src/const_prop_lint.rs
Expand Up @@ -176,6 +176,12 @@ impl ConstPropMachine<'_, '_> {

impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for ConstPropMachine<'mir, 'tcx> {
compile_time_machine!(<'mir, 'tcx>);

#[inline(always)]
fn enforce_validity(_ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
false
}

const PANIC_ON_ALLOC_FAIL: bool = true; // all allocations are small (see `MAX_ALLOC_LIMIT`)

type MemoryKind = !;
Expand Up @@ -22,49 +22,29 @@ error[E0308]: mismatched types
LL | get_flag::<42, 0x5ad>();
| ^^^^^ expected `char`, found `u8`

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:38:21
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:38:32
|
LL | get_flag::<false, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 4, align: 4) {
__ __ __ __ │ ░░░░
}
| ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:40:14
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:40:25
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 1, align: 1) {
42 │ B
}
| ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:42:14
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:42:25
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 1, align: 1) {
42 │ B
}
| ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:42:47
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:42:58
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 4, align: 4) {
__ __ __ __ │ ░░░░
}
| ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)

error: aborting due to 8 previous errors

Expand Up @@ -22,49 +22,29 @@ error[E0308]: mismatched types
LL | get_flag::<42, 0x5ad>();
| ^^^^^ expected `char`, found `u8`

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:38:21
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:38:32
|
LL | get_flag::<false, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 4, align: 4) {
__ __ __ __ │ ░░░░
}
| ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:40:14
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:40:25
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 1, align: 1) {
42 │ B
}
| ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:42:14
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:42:25
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 1, align: 1) {
42 │ B
}
| ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean

error[E0080]: it is undefined behavior to use this value
--> $DIR/invalid-patterns.rs:42:47
error[E0080]: evaluation of constant value failed
--> $DIR/invalid-patterns.rs:42:58
|
LL | get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 4, align: 4) {
__ __ __ __ │ ░░░░
}
| ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)

error: aborting due to 8 previous errors

Expand Up @@ -36,10 +36,10 @@ fn main() {


get_flag::<false, { unsafe { char_raw.character } }>();
//~^ ERROR it is undefined behavior
//~^ ERROR evaluation of constant value failed
get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
//~^ ERROR it is undefined behavior
//~^ ERROR evaluation of constant value failed
get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
//~^ ERROR it is undefined behavior
//~| ERROR it is undefined behavior
//~^ ERROR evaluation of constant value failed
//~| ERROR evaluation of constant value failed
}
11 changes: 3 additions & 8 deletions src/test/ui/consts/const-err4.32bit.stderr
@@ -1,13 +1,8 @@
error[E0080]: it is undefined behavior to use this value
--> $DIR/const-err4.rs:9:11
error[E0080]: evaluation of constant value failed
--> $DIR/const-err4.rs:9:21
|
LL | Boo = [unsafe { Foo { b: () }.a }; 4][3],
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected initialized bytes
|
= note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
= note: the raw bytes of the constant (size: 4, align: 4) {
__ __ __ __ │ ░░░░
}
| ^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected initialized bytes

error: aborting due to previous error

