-
Notifications
You must be signed in to change notification settings - Fork 1.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
cranelift-jit: should functions that turn raw pointers into symbols be unsafe? #1093
Comments
Good spot! I agree, these should be marked unsafe. |
I dont think it should be unsafe. These pointers are never dereferenced, only written to the jitted code. Calling the jitted code is already unsafe, as the input clif could do memory unsafe things already. |
Agreed with @bjorn3 analysis: if you follow the use tree (they flow into SimpleJitBackend, then are used in lookup_symbol then get_definition) these pointers are embedded within the JIT code, but never written to. That being said, since this is the responsibility of the user to provide a safe pointer here, we could just add an "unsafe" keyword to these two functions: this would let the embedder know they have to be careful here, and if they get a crash in generated code, they can grep for "unsafe" (in their code as well as Cranelift's) and find a reference to this function. |
I agree; it's a good point that The unsafe on JIT code conceptually covers the fact that Cranelift IR contains instructions like Marking |
IMO it should definitely be unsafe. As an aside, I find it surprising that JIT'ing is safe but executing the JIT result is not, I would have expected the opposite. |
(Disregard the second part I confused myself between CLIF and WASM I puts.)
|
|
Is this issue still ongoing ? I don't see SimpleJITBuilder anywhere. I had assume it would have been in here https://github.com/bytecodealliance/wasmtime/tree/main/cranelift/jit |
cranelift-simple-jit was renamed to cranelift-jit. |
The function cranelift_simplejit::SimpleJITBuilder::symbol (as it's close related friend
symbols
, and maybe other funcions) take a*const u8
as parameter.From what I can see, there is no check whatsoever on the value provided before it gets used here.
This function should probably either be marked as unsafe, or take something less permissive than a
*const u8
(maybe a NewType whose builder is marked unsafe?). As of now it is possible to pass it a null pointer or a dangling pointer (droppedVec
, pointer to data from an old stack-frame...), and writing to any of those is definitely Undefined BehaviorThe text was updated successfully, but these errors were encountered: