cfi: Store type erasure witness for Argument #115954
Open
+46
−3
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
CFI/KCFI work by enforcing that indirect function calls are always called at the type they were defined at. The type erasure in Argument works by casting the reference to the value to be formatted to an Opaque and also casting the function to format it to take an Opaque reference. While this is *ABI* safe, which is why we get away with it normally, it does transform the type that the function is called at. This means that at the call-site, CFI expects the type of the function to be `fn(&Opaque, ` even though it is really `fn(&T, ` for some particular `T`. This patch avoids this by adding `cast_stub`, a witness to the type erasure that will cast the `&Opaque` and `fn(&Opaque` back to their original types before invoking the function. This change is guarded by the enablement of CFI as it will require an additional pointer-sized value per `Argument`, and an additional jump during formatting, and we'd prefer not to pay that if we don't need the types to be correct at the indirect call invocation.
|
r? @m-ou-se (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
Dylan-DPC
added
S-blocked
|
☔ The latest upstream changes (presumably #123819) made this pull request unmergeable. Please resolve the merge conflicts. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a WIP that won't work until @rcvalle has fixed address-taken trait functions #115953 but I understand he has a fix for that on the way.
Once that's out of the way, this addresses #115199 point 2.
CFI/KCFI work by enforcing that indirect function calls are always called at the type they were defined at. The type erasure in Argument works by casting the reference to the value to be formatted to an Opaque and also casting the function to format it to take an Opaque reference.
While this is ABI safe, which is why we get away with it normally, it does transform the type that the function is called at. This means that at the call-site, CFI expects the type of the function to be
fn(&Opaque,even though it is reallyfn(&T,for some particularT.This patch avoids this by adding
cast_stub, a witness to the type erasure that will cast the&Opaqueandfn(&Opaqueback to their original types before invoking the function.This change is guarded by the enablement of CFI as it will require an additional pointer-sized value per
Argument, and an additional jump during formatting, and we'd prefer not to pay that if we don't need the types to be correct at the indirect call invocation.