Safe Transmute: Require that source referent is smaller than destination #122438
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
jswrenn
commented
Mar 13, 2024
Comment on lines
269
to
273
| } else if dst_ref.size() > src_ref.size() { | ||
| Answer::No(Reason::DstRefIsTooBig { | ||
| src: src_ref, | ||
| dst: src_ref, | ||
| }) |
There was a problem hiding this comment.
(This is the critical change of the PR.)
compiler-errors
requested changes
Mar 13, 2024
| @@ -81,6 +92,16 @@ pub mod rustc { | |||
| } | |||
| impl<'tcx> Ref<'tcx> {} | |||
|
|
|||
| impl<'tcx> fmt::Display for Ref<'tcx> { | |||
| fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result { | |||
| f.write_char('&')?; | |||
There was a problem hiding this comment.
Not printing the region here too?
There was a problem hiding this comment.
We could, but it's not relevant to the error message this Display routine is currently used in, and I don't anticipate it will be relevant to other transmute error messages, since regions do not impact layout.
| let src_size = src.size; | ||
| let dst_size = dst.size; | ||
| format!( | ||
| "The referent size of `{src}` ({src_size} bytes) is smaller than that of `{dst}` ({dst_size} bytes" |
There was a problem hiding this comment.
Suggested change
| "The referent size of `{src}` ({src_size} bytes) is smaller than that of `{dst}` ({dst_size} bytes" | |
| "The referent size of `{src}` ({src_size} bytes) is smaller than that of `{dst}` ({dst_size} bytes)" |
rustbot
added
S-waiting-on-author
jswrenn
force-pushed
the
check-referent-size
branch
from
b949a37
to
107a473
Compare
compiler-errors
requested changes
Mar 13, 2024
| --> $DIR/unit-to-u8.rs:22:52 | ||
| | | ||
| LL | assert::is_maybe_transmutable::<&'static Unit, &'static u8>(); | ||
| | ^^^^^^^^^^^ The size of `Unit` is smaller than the size of `u8` | ||
| | ^^^^^^^^^^^ The referent size of `&Unit` (0 bytes) is smaller than that of `&Unit` (0) bytes |
There was a problem hiding this comment.
This still doesn't look right 😆
Suggested change
| | ^^^^^^^^^^^ The referent size of `&Unit` (0 bytes) is smaller than that of `&Unit` (0) bytes | |
| | ^^^^^^^^^^^ The referent size of `&Unit` (0 bytes) is smaller than that of `&Unit` (0 bytes) |
There was a problem hiding this comment.
Oof, I need to sleep more.
jswrenn
force-pushed
the
check-referent-size
branch
from
107a473
to
422fb2e
Compare
compiler-errors
requested changes
Mar 13, 2024
| } else if dst_ref.size() > src_ref.size() { | ||
| Answer::No(Reason::DstRefIsTooBig { | ||
| src: src_ref, | ||
| dst: src_ref, |
There was a problem hiding this comment.
Suggested change
| dst: src_ref, | |
| dst: dst_ref, |
The source referent absolutely must be smaller than the destination referent of a ref-to-ref transmute; the excess bytes referenced cannot arise from thin air, even if those bytes are uninitialized.
jswrenn
force-pushed
the
check-referent-size
branch
from
422fb2e
to
216df4a
Compare
jswrenn
commented
Mar 13, 2024
| error[E0277]: `&Packed<Two>` cannot be safely transmuted into `&Packed<Four>` | ||
| --> $DIR/reject_extension.rs:48:37 | ||
| | | ||
| LL | assert::is_transmutable::<&Src, &Dst>(); |
There was a problem hiding this comment.
I don't like that only the second parameter is ^^^^, but that's a general issue with all of our error messages that I'll file a follow-up PR for.
Otherwise, this error message LGTM.
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 13, 2024
…iaskrgr Rollup of 11 pull requests Successful merges: - rust-lang#122422 (compiletest: Allow `only-unix` in test headers) - rust-lang#122424 (fix: typos) - rust-lang#122425 (Increase timeout for new bors bot) - rust-lang#122426 (Fix StableMIR `WrappingRange::is_full` computation) - rust-lang#122429 (Add Exploit Mitigations PG to triagebot.toml) - rust-lang#122430 (Generate link to `Local` in `hir::Let` documentation) - rust-lang#122434 (pattern analysis: rename a few types) - rust-lang#122437 (pattern analysis: remove `MaybeInfiniteInt::JustAfterMax`) - rust-lang#122438 (Safe Transmute: Require that source referent is smaller than destination) - rust-lang#122442 (extend docs of -Zprint-mono-items) - rust-lang#122449 (Delay a bug for stranded opaques) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 14, 2024
…iaskrgr Rollup of 11 pull requests Successful merges: - rust-lang#122422 (compiletest: Allow `only-unix` in test headers) - rust-lang#122424 (fix: typos) - rust-lang#122425 (Increase timeout for new bors bot) - rust-lang#122426 (Fix StableMIR `WrappingRange::is_full` computation) - rust-lang#122429 (Add Exploit Mitigations PG to triagebot.toml) - rust-lang#122430 (Generate link to `Local` in `hir::Let` documentation) - rust-lang#122434 (pattern analysis: rename a few types) - rust-lang#122437 (pattern analysis: remove `MaybeInfiniteInt::JustAfterMax`) - rust-lang#122438 (Safe Transmute: Require that source referent is smaller than destination) - rust-lang#122442 (extend docs of -Zprint-mono-items) - rust-lang#122449 (Delay a bug for stranded opaques) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 14, 2024
Rollup merge of rust-lang#122438 - jswrenn:check-referent-size, r=compiler-errors Safe Transmute: Require that source referent is smaller than destination `BikeshedIntrinsicFrom` currently models transmute-via-union; i.e., it attempts to provide a `where` bound for this function: ```rust pub unsafe fn transmute_via_union<Src, Dst>(src: Src) -> Dst { use core::mem::*; #[repr(C)] union Transmute<T, U> { src: ManuallyDrop<T>, dst: ManuallyDrop<U>, } let transmute = Transmute { src: ManuallyDrop::new(src) }; // SAFETY: The caller must guarantee that the transmutation is safe. let dst = transmute.dst; ManuallyDrop::into_inner(dst) } ``` A quirk of this model is that it admits padding extensions in value-to-value transmutation: The destination type can be bigger than the source type, so long as the excess consists of uninitialized bytes. However, this isn't permissible for reference-to-reference transmutations (introduced in rust-lang#110662) — extra referent bytes cannot come from thin air. This PR patches our analysis for reference-to-reference transmutations to require that the destination referent is no larger than the source referent. r? `@compiler-errors`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
BikeshedIntrinsicFromcurrently models transmute-via-union; i.e., it attempts to provide awherebound for this function:A quirk of this model is that it admits padding extensions in value-to-value transmutation: The destination type can be bigger than the source type, so long as the excess consists of uninitialized bytes. However, this isn't permissible for reference-to-reference transmutations (introduced in #110662) — extra referent bytes cannot come from thin air.
This PR patches our analysis for reference-to-reference transmutations to require that the destination referent is no larger than the source referent.
r? @compiler-errors