Safe uninitialized byte arrays. #1222
Conversation
Using uninitialized memory is undefined behavior in terms of the optimization passes in LLVM. For example:

```rust
pub fn byte() -> u8 {
    unsafe {
        let mut v = Vec::<u8>::with_capacity(100);
        // set_len without writing: the 100 bytes are never initialized
        v.set_len(100);
        v[10]
    }
}
```

Will generate this IR:

```llvm
define i8 @_ZN4byte20hcb9dde8b210369c6eaaE() unnamed_addr #0 {
"_ZN31collections..vec..Vec$LT$u8$GT$9drop.115617hdcd6a559cef13decE.exit3":
  ret i8 undef
}
```

I think it's possible to get around this by forcing LLVM to consider the memory initialized, but it's unfortunately not as simple as "just making it safe".
eddyb reviewed Jul 21, 2015

> Every addressable byte in allocated memory is a valid u8 (byte) by definition.
> On Linux at least, one can read `/proc/self/mem` into a buffer so the following
> two functions are (virtually) indistinguishable at runtime (on Linux):
eddyb
Jul 21, 2015
Member
Except for the fact that /proc is not necessarily mounted, e.g. a strict chroot might opt out of it.
Stebalien
Jul 21, 2015
Author
Contributor
Good point. But my point was that uninitialized bytes are still bytes.
I don't understand the "fast IO code" argument. In what cases do you have to expose uninitialized memory for efficiency?
@eddyb, also, there have been a few discussion threads about it recently, e.g. https://users.rust-lang.org/t/reading-from-stdin-performance/2025 (and maybe some on reddit too).
@alexcrichton I updated the RFC to introduce an intrinsic for asking LLVM to treat some memory as initialized. Unfortunately, I can't find LLVM documentation explaining how to do this.
Oh, I see, the
@Stebalien You don't need an intrinsic, the inline assembly in
@eddyb, yes but I think the one we want is
IIRC the I/O design discussion featured this problem as a security issue: if you don't zero bytes, then you can leak arbitrary things like private keys that were previously allocated. As such, even if this intrinsic was introduced, it's not clear to me that the standard library would be able to leverage it.
@Stebalien no, that's for lifetimes of
@Gankro, I see. I remember seeing some security argument but I thought it was about reading one's own uninitialized memory (which didn't make sense), not accidentally leaking it. I agree, that's a very good reason not to allow this.
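The two concerns raised in this thread (reading from a `set_len`-extended buffer is UB, and a buffer that is not zeroed can hand back stale secrets from an earlier allocation) both have a safe counterpart today. The following is an added example, not code from the RFC or from any participant; `read_initialized` and `SecretBuf` are hypothetical names chosen here. It shows a read path that never exposes unwritten bytes, and a secret holder that wipes its storage before the allocator can reuse it.

```rust
use std::io::Read;

/// Read at most `cap` bytes from `r` into a buffer that was zero-filled up
/// front, then truncate to the bytes actually written, so neither
/// uninitialized nor stale memory is ever visible to the caller.
pub fn read_initialized<R: Read>(mut r: R, cap: usize) -> std::io::Result<Vec<u8>> {
    let mut buf = vec![0u8; cap]; // every byte is a defined u8 before any read
    let n = r.read(&mut buf)?;
    buf.truncate(n); // drop the part the reader did not write
    Ok(buf)
}

/// Owner of secret bytes that wipes them before the allocation is released,
/// so a later `Vec::with_capacity` cannot be handed the old contents.
pub struct SecretBuf(Vec<u8>);

impl SecretBuf {
    pub fn new(bytes: &[u8]) -> Self {
        SecretBuf(bytes.to_vec())
    }
    pub fn as_bytes(&self) -> &[u8] {
        &self.0
    }
    /// Overwrite every byte with zero using volatile stores so the optimizer
    /// cannot discard the writes as dead just because the buffer is about to be freed.
    pub fn wipe(&mut self) {
        for b in self.0.iter_mut() {
            // SAFETY: `b` is a valid, aligned, exclusively borrowed u8.
            unsafe { std::ptr::write_volatile(b, 0) };
        }
        std::sync::atomic::compiler_fence(std::sync::atomic::Ordering::SeqCst);
    }
}

impl Drop for SecretBuf {
    fn drop(&mut self) {
        self.wipe();
    }
}

fn main() {
    // Constructed input standing in for a reader such as stdin.
    let data = read_initialized(&b"hello"[..], 100).expect("read failed");
    println!("read {} byte(s), none uninitialized", data.len());
    let secret = SecretBuf::new(b"private key material");
    println!("holding {} secret byte(s); wiped on drop", secret.as_bytes().len());
}
```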
Stebalien commented Jul 21, 2015