Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Explain typos in asm! can be unsound #1344

Merged
merged 2 commits into from
Apr 9, 2023
Merged

Explain typos in asm! can be unsound #1344

Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0a89373
Explain typos in `asm!` can be unsound
workingjubilee Mar 27, 2023
aba56b9
Move Correctness and Validity section
workingjubilee Apr 8, 2023
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
24 changes: 23 additions & 1 deletion src/inline-assembly.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,6 @@ asm := "asm!(" format_string *("," format_string) *("," operand) [","] ")"
global_asm := "global_asm!(" format_string *("," format_string) *("," operand) [","] ")"
```


## Scope

Inline assembly can be used in one of two ways.
Expand Down Expand Up @@ -485,6 +484,29 @@ To avoid undefined behavior, these rules must be followed when using function-sc

> **Note**: As a general rule, the flags covered by `preserves_flags` are those which are *not* preserved when performing a function call.

### Correctness and Validity

In addition to all of the previous rules, the string argument to `asm!` must ultimately become—
after all other arguments are evaluated, formatting is performed, and operands are translated—
assembly that is both syntactically correct and semantically valid for the target architecture.
The formatting rules allow the compiler to generate assembly with correct syntax.
Rules concerning operands permit valid translation of Rust operands into and out of `asm!`.
Adherence to these rules is necessary, but not sufficient, for the final expanded assembly to be
both correct and valid. For instance:

- arguments may be placed in positions which are syntactically incorrect after formatting
- an instruction may be correctly written, but given architecturally invalid operands
- an architecturally unspecified instruction may be assembled into unspecified code
- a set of instructions, each correct and valid, may cause undefined behavior if placed in immediate succession

As a result, these rules are _non-exhaustive_. The compiler is not required to check the
correctness and validity of the initial string nor the final assembly that is generated.
The assembler may check for correctness and validity but is not required to do so.
When using `asm!`, a typographical error may be sufficient to make a program unsound,
and the rules for assembly may include thousands of pages of architectural reference manuals.
Programmers should exercise appropriate care, as invoking this `unsafe` capability comes with
assuming the responsibility of not violating rules of both the compiler or the architecture.

### Directives Support

Inline assembly supports a subset of the directives supported by both GNU AS and LLVM's internal assembler, given as follows.
Expand Down