Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Check Pin guarantees at runtime #823

Closed
Aaron1011 opened this issue Jul 4, 2019 · 5 comments
Closed

Check Pin guarantees at runtime #823

Aaron1011 opened this issue Jul 4, 2019 · 5 comments
Labels
A-validation Area: This affects enforcing the validity invariant, and related UB checking C-proposal Category: a proposal for something we might want to do, or maybe not; details still being worked out

Comments

@Aaron1011
Copy link
Member

Miri should be able to check that the guarantees of Pin are upheld at runtime. AFAICT, all of the requirements for Pin::new_unchecked and for pin projections boil down to the same thing: ensuring that the pinned memory is never deallocated/invalidated until after Drop is called.

This should be fairly straightforward to implement - we can add a pinned flag to AllocExtra, and add special handling for the Pin type. Fortunately, Pin is a lang item, so this won't require hard-coding a path.

@RalfJung RalfJung changed the title Check Pin guarnatees at runtime Check Pin guarantees at runtime Jul 6, 2019
@RalfJung RalfJung added the C-proposal Category: a proposal for something we might want to do, or maybe not; details still being worked out label Jul 6, 2019
@RalfJung
Copy link
Member

RalfJung commented Jul 6, 2019

I disagree with the statement that this is possible or even straightforward. The pin guarantees are not guarantees of the language, they are guarantees of a library. Miri will detect UB caused by violating Pin guarantees, but operationally, it is not possible to detect violations of the pinning API.

@RalfJung RalfJung added the A-validation Area: This affects enforcing the validity invariant, and related UB checking label Jul 6, 2019
@RalfJung
Copy link
Member

@Aaron1011 could you describe what concretely you think Miri could do operationally to help detect pinning violations?

@bjorn3
Copy link
Member

bjorn3 commented Jul 28, 2019

Maybe add an intrinsic to mark memory as pinned, which is called in the Pin constructor, and then check that a move doesnt have pinned memory as source?

@RalfJung
Copy link
Member

"move" is a type system concept, it is not an operation in Miri. Something like memcpy is, but that can happen even for pinned stuff. E.g., in a pinned generator there might be an i32 field that gets copied around.

@RalfJung
Copy link
Member

Closing this as (a) Miri is meant to be an implementation of the Rust Abstract Machine spec, and that spec does not know about Pin, and (b) I am not sure what it even is that we could be checking here.

bors bot added a commit to taiki-e/pin-project that referenced this issue Oct 4, 2020
288: Run Miri on CI r=taiki-e a=taiki-e

The pin guarantees are guarantees of a library, so Miri does not detect
violations of the pin API. However, if the generated unsafe code causes
UB, Miri may be possible to detect it.

Related: rust-lang/miri#823, rust-lang/unsafe-code-guidelines#232 (comment)


Co-authored-by: Taiki Endo <te316e89@gmail.com>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-validation Area: This affects enforcing the validity invariant, and related UB checking C-proposal Category: a proposal for something we might want to do, or maybe not; details still being worked out
Projects
None yet
Development

No branches or pull requests

3 participants