-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add overlap check when copying op #97639
Conversation
Some changes occured to the CTFE / Miri engine cc @rust-lang/miri |
r? @jackh726 (rust-highfive has picked a reviewer for you, use r? to override) |
@bors r+ rollup |
📌 Commit 2668b2a has been approved by |
@bors r- |
{ | ||
let size = src_val.layout.size; | ||
if Self::check_ptr_overlap(src_id, src_offset, dest_id, dest_offset, size) { | ||
throw_ub_format!("copy_nonoverlapping called on overlapping ranges") |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is not the copy_nonoverlapping intrinsic, this is the assignment operator.
Also, that condition up there is enormously complicated and looks like it just unwraps all abstractions to get out some deep implementation detail. What is actually conceptually happening here, at a high level?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the right way to fix this FIXME is what we are discussing in #68364: by using retagging and aliasing restrictions. I don't think digging through all abstractions here is a good way to guarantee anything, since it is basically impossible to figure out what is being guaranteed. It is way too easy for any of these conditions to not be met, and then we gain nothing.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So, I think we shouldn't do this part of the PR. Sorry for the misleading FIXME. Generally many of the FIXME in the code are old and our thinking might have changed since the comment was written -- so it is a good idea to ask people what their current thoughts on this are before working on a FIXME.
Here, I think the comment should just be changed to explicitly reference #68364.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
That's all right. Thanks!
dest_offset: Size, | ||
size: Size, | ||
) -> bool { | ||
let overlaps = |a, b| a <= b && b < a + size; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What happens if the addition here overflows?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Thanks! I think we can use b - a
to avoid overflows since a <= b
@@ -1216,7 +1216,7 @@ impl<'mir, 'tcx: 'mir, M: Machine<'mir, 'tcx>> InterpCx<'mir, 'tcx, M> { | |||
dest_offset: Size, | |||
size: Size, | |||
) -> bool { | |||
let overlaps = |a, b| a <= b && b < a + size; | |||
let overlaps = |a, b| a <= b && b - a < size; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Please add a comment explaining why the subtraction cannot overflow.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
we could rewrite this as a.checked_sub(b).map_or(false, |s| s < size)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Not sure if that makes it any clearer; why is false
the right default?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok, I think we can just comment that since `a <= b`, `b - a` will not overflows
@RalfJung I just made some correct to the conditon statements. If this is still unsatisfactory, we can close this PR |
FWIW I am not entirely sure if we even want the However, the change in Cc @JakobDegen since this affects assignment semantics. |
Also see #97663 |
This PR fixes the FIXME about adding overlap check when copying imm in const eval