fix SIFA logic #4600
fix SIFA logic #4600
Conversation
|
Thank you for contributing to Miri! |
|
I think this is the actual assertion we needed before I added the // Accessed nodes have the SIFA fixed up as part of the access. For everything else,
// let's ensure default_strongest_idempotent has the minimum SIFA so the fixup
// below does the right thing.
if !perm.accessed {
assert!(default_strongest_idempotent <= perm.idempotent_foreign_access);
}This assertion also passes. The thing we checked instead ( |
| for (Range { start, end }, &perm) in | ||
| inside_perms.iter(Size::from_bytes(0), inside_perms.size()) | ||
| { | ||
| assert!(perm.permission.is_initial()); |
There was a problem hiding this comment.
can we add an assert here that perm.idempotent_foreign_access == perm.permission.strongest_idempotent_foreign_access(protected)? I do not fully recall what sets perm.idempotent_foreign_access initially and since it's "far away" from this function it might be easy to miss that this is used here.
There was a problem hiding this comment.
The constructor sets it and it's a private field so nobody outside this files can mess with it, but sure.
|
Good catch! |
RalfJung
force-pushed
the
sifa
branch
4 times, most recently
from
df00dee to
60b9bc1
Compare
At least I think the old logic was wrong? Cc @JoJoDeveloping
The old logic was based on this comment:
This should have said "must be at least as strong as", right? The invariant is that "the SIFA at each child must be stronger than that at the parent", so having stronger things in the new node should always be fine.
We should definitely have a test for this, if possible (but it may be that this doesn't actually lead to any bugs due to the implicit read fixing things up).