-
Notifications
You must be signed in to change notification settings - Fork 341
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add option to allow exploiting intprcast alignment #1074
Comments
As that test shows, we currently do not do this by design. I understand that this seems strange. See rust-lang/rust#62420 for why I think this is a good idea. However, I am open to also offer the other mode you are asking for in Miri. What I am not sure about is the default (I lean towards being conservative and keeping the current behavior the default). If we want to change the default, IMO it is a hard requirement that we, by default, at least warn when code exploits alignment and thus could "spuriously pass". (Cc #797) |
A correctly aligned memory access which is under aligned with respect to the I have repeatedly seen prompts for a code review, where person asking had If the code in question does in fact miss an alignment check, the bug can be Furthermore, the suggested workaround using |
Could you go into a bit more detail about how this is common when dealing with binary data? I would think then you rarely control the actual alignment of the buffer nor the offset of the data, so you have to use unaligned accesses? (I also think you are biased here when you say "relatively common", because that seems to be the kind of code you are dealing with, but the vast majority of code is not like that.) That said...
... this is a good argument. Miri also has found a few actual alignment errors in the past; I am not sure how many of them we would have missed if full alignment was taken into account. Anyway, the first step is to implement full alignment checks as an option, keeping the current behavior as a default. I was never opposed to that, it has just not been implemented. :)
Does this mean Miri should somehow help with that?
OTOH, I am worried that that currently untested code will often use SIMD as that's a common reason to want higher alignment in the first place; making |
Consider for example D-Bus decoding. It is a binary format where the data impl dbus::Decoder<'d> {
fn from_bytes(buffer: &'d [u8]) -> Self {
...
}
fn decode_array<T: FixedSize>(&mut self) -> dbus::Result<Cow<'d, [T]>> {
...
}
} The implementation would check if data is sufficiently aligned for The The current behaviour of checking alignment against the allocation layout |
Ah, so there is a fallback path. That is the part I was missing. Now it makes sense. :) |
So I propose the next step is to add an option that both exploits full alignment, and makes I won't have time to do that any time soon, but I can provide some guidance if someone else is up for the task. |
for alignment errors, note that there might be false positives Cc @shepmaster ``` error: Undefined Behavior: accessing memory with alignment 1, but alignment 8 is required --> tests/compile-fail/unaligned_pointers/alignment.rs:8:9 | 8 | *y_ptr = 42; | ^^^^^^^^^^^ accessing memory with alignment 1, but alignment 8 is required | = help: this usually indicates that your program performed an invalid operation and caused Undefined Behavior = help: but alignment errors can also be false positives, see #1074 ```
Regarding I guess it would be unfortunate for miri not to work under that circumstance...
Seconding this -- miri's alignment complaints are basically noise since they're so often false positives -- any code that manually aligns pointers, whether correctly or not, sets miri off... |
Using
Enough people spoke up by now that I am indeed convinced we should at the very least offer the option to be less strict about alignment. :) Repeating more arguments along those lines is not going to convince me even more. What remains is finding someone to do the actual work. :D |
miri engine: add option to use force_int for alignment check This is needed for rust-lang/miri#1074. The Miri-side patch is at rust-lang/miri#1513. r? @oli-obk
add option to use force_int for alignment check Fixes #1074. Depends on rust-lang/rust#75592.
add option to use force_int for alignment check Fixes #1074. Depends on rust-lang/rust#75592.
add option to use force_int for alignment check Fixes #1074. Depends on rust-lang/rust#75592.
add option to use force_int for alignment check Fixes #1074. Depends on rust-lang/rust#75592.
add option to use force_int for alignment check Fixes #1074. Depends on rust-lang/rust#75592.
To actually get this fix into the Miri shipped with rustup, we'll need to do a submodule bump in the rustc repo. Also the test changes in PR #1513 demonstrate quite well the problem with alignment checks that this causes -- I had to make most compile-fail alignment test repeat 10 times to make sure they actually fail. But overall that is probably still better than false positives by default. |
enable align_to tests in Miri With rust-lang/miri#1074 resolved, we can enable these tests in Miri. I also tweaked the test sized to get reasonable execution times with decent test coverage.
Currently, we have a test that asserts that code is not allowed to rely on any 'extra' information provided by the intprcast (e.g. a
[u16; 2]
array that happens to have alignment '4').However, this is a perfectly legitimate thing for code to do. I propose that we add a
intprcast-alignment
option which enables the following behavior:When we check the alignment for a memory access, we see if we have a recorded base address for the allocation (i.e. if a pointer within the allocation was ever cast to an integer).
If we do not have a base address, we use the current alignment checking behavior (i.e. check the static alignment of the type). This will catch cases where the code is definitely wrong - if the pointer was never cast to an integer, the code cannot possibly know that it happened to have 'extra' alignment.
If we do have a base address, then we do the alignment check based on the actual base address. This will allow some incorrect code, like:
Depending on what alignment we pick for the base address of
my_addr
, this may or may not work. This means that whether or not this program passes now depends on the random seed.While this isn't ideal, I don't see a way of allowing the intptrcast_alignment_check to pass without also causing 'spurious passes' (code which really should fail, but doesn't).
The text was updated successfully, but these errors were encountered: