CFI: Handle dyn with no principal #123003
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
PG-exploit-mitigations
| @@ -290,7 +290,7 @@ impl<'tcx> ty::List<ty::PolyExistentialPredicate<'tcx>> { | |||
| /// have a "trivial" vtable consisting of just the size, alignment, | |||
| /// and destructor. | |||
| pub fn principal(&self) -> Option<ty::Binder<'tcx, ExistentialTraitRef<'tcx>>> { | |||
| self[0] | |||
| self.get(0)? | |||
There was a problem hiding this comment.
I don't like changing this invariant in rustc_middle just because CFI makes bad types 😞
There was a problem hiding this comment.
No other place in the compiler expects or constructs dyn types with no predicates.
There was a problem hiding this comment.
Since later on in the type encoding process, this type will be examined under normalization, I can't just guard against calling principal in the calling code. Given your comment, that probably means I need to avoid constructing 0-predicate dyn
Do you have suggestions for predicates or representations that would make sense here? The case in question is that I have a dyn Send and dyn Sync - they share a vtable. This vtable has one method, drop_in_place. For purposes of checking the alias set, do you have opinions on what it should be encoded as? The only thing I will know about this object at the method site is that it is a dyn with no principal.
Three possible encodings that come to mind:
dyn Drop- I don't like this because these types may not implementDrop, and methods which requirefn dropshouldn't go here, but it is descriptive.dyn Sized- I'm considering this specifically because you can't normally have adyn Sizedobject, and so it can't accidentally match anything else.- Contract the entire receiver to
*mut ()- this technically discards the alias set restriction that someone made adynout of this type at some point in the program, but should otherwise be fine. Note - switching from*dyn to*` is safe in this particular situation because this is only being used to encode vtable calls, which are already using thin-dyn pointers.
I'm currently adjusting my code to use the *mut () approach, but figured I'd lay out my thoughts and see if you have a different opinion.
There was a problem hiding this comment.
You could perhaps use dyn Destruct, which every type currently implements (and approximately matches the fact that all we know is that it has a drop_in_place)?
*mut () also works I guess.
| @@ -760,7 +760,11 @@ fn transform_predicates<'tcx>( | |||
| ty::ExistentialPredicate::AutoTrait(..) => Some(predicate), | |||
| }) | |||
| .collect(); | |||
| tcx.mk_poly_existential_predicates(&predicates) | |||
| if predicates.len() == 0 { | |||
There was a problem hiding this comment.
Above comment is in conflict w/ this hack, for example.
There was a problem hiding this comment.
Map it to dyn Drop or something if you need a dummy principal trait to put in there.
|
I'd like to review this and the other CFI PR you put up since they're actually kind of related to the type system r? compiler-errors |
|
I indeed should not be the primary reviewer on anything that is basically just rustc_middle action. I specifically gazed into the ABIss. |
In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in a `dyn` type which are relevant to its alias set. Fixes rust-lang#122998
compiler-errors
approved these changes
Mar 24, 2024
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Mar 24, 2024
CFI: Handle dyn with no principal In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in a `dyn` type which are relevant to its alias set. Fixes rust-lang#122998 r? workingjubilee
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 24, 2024
…iaskrgr Rollup of 7 pull requests Successful merges: - rust-lang#120557 (Add rust-lldb pretty printing for Path and PathBuf) - rust-lang#121051 (Introduce infrastructure for generating target docs) - rust-lang#122892 (fix(bootstrap/dist): use versioned dirs when vendoring) - rust-lang#122896 (Update stdarch submodule) - rust-lang#122923 (In `pretty_print_type()`, print `async fn` futures' paths instead of spans.) - rust-lang#122970 (Use `chunk_by` when building `ReverseSccGraph`) - rust-lang#123003 (CFI: Handle dyn with no principal) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
…iaskrgr Rollup of 7 pull requests Successful merges: - rust-lang#120557 (Add rust-lldb pretty printing for Path and PathBuf) - rust-lang#121051 (Introduce infrastructure for generating target docs) - rust-lang#122892 (fix(bootstrap/dist): use versioned dirs when vendoring) - rust-lang#122896 (Update stdarch submodule) - rust-lang#122923 (In `pretty_print_type()`, print `async fn` futures' paths instead of spans.) - rust-lang#122970 (Use `chunk_by` when building `ReverseSccGraph`) - rust-lang#123003 (CFI: Handle dyn with no principal) r? `@ghost` `@rustbot` modify labels: rollup
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Mar 25, 2024
CFI: Handle dyn with no principal In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in a `dyn` type which are relevant to its alias set. Fixes rust-lang#122998 r? workingjubilee
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#122802 (Provide structured suggestion for unconstrained generic constant) - rust-lang#122858 (Tweak `parse_dot_suffix_expr`) - rust-lang#122923 (In `pretty_print_type()`, print `async fn` futures' paths instead of spans.) - rust-lang#122990 (Clarify transmute example) - rust-lang#122995 (Clean up unnecessary headers/flags in coverage mir-opt tests) - rust-lang#123003 (CFI: Handle dyn with no principal) - rust-lang#123005 (CFI: Support complex receivers) - rust-lang#123020 (Temporarily remove nnethercote from the review rotation.) r? `@ghost` `@rustbot` modify labels: rollup
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Mar 25, 2024
CFI: Handle dyn with no principal In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in a `dyn` type which are relevant to its alias set. Fixes rust-lang#122998 r? workingjubilee
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#120557 (Add rust-lldb pretty printing for Path and PathBuf) - rust-lang#122802 (Provide structured suggestion for unconstrained generic constant) - rust-lang#122858 (Tweak `parse_dot_suffix_expr`) - rust-lang#122990 (Clarify transmute example) - rust-lang#122995 (Clean up unnecessary headers/flags in coverage mir-opt tests) - rust-lang#123003 (CFI: Handle dyn with no principal) - rust-lang#123005 (CFI: Support complex receivers) - rust-lang#123020 (Temporarily remove nnethercote from the review rotation.) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#120557 (Add rust-lldb pretty printing for Path and PathBuf) - rust-lang#122802 (Provide structured suggestion for unconstrained generic constant) - rust-lang#122858 (Tweak `parse_dot_suffix_expr`) - rust-lang#122990 (Clarify transmute example) - rust-lang#122995 (Clean up unnecessary headers/flags in coverage mir-opt tests) - rust-lang#123003 (CFI: Handle dyn with no principal) - rust-lang#123005 (CFI: Support complex receivers) - rust-lang#123020 (Temporarily remove nnethercote from the review rotation.) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
…iaskrgr Rollup of 7 pull requests Successful merges: - rust-lang#122858 (Tweak `parse_dot_suffix_expr`) - rust-lang#122982 (Add more comments to the bootstrap code that handles `tests/coverage`) - rust-lang#122990 (Clarify transmute example) - rust-lang#122995 (Clean up unnecessary headers/flags in coverage mir-opt tests) - rust-lang#123003 (CFI: Handle dyn with no principal) - rust-lang#123005 (CFI: Support complex receivers) - rust-lang#123020 (Temporarily remove nnethercote from the review rotation.) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 25, 2024
Rollup merge of rust-lang#123003 - maurer:dyn-empty, r=compiler-errors CFI: Handle dyn with no principal In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in a `dyn` type which are relevant to its alias set. Fixes rust-lang#122998 r? workingjubilee
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
In user-facing Rust,
dynalways has at least one predicate following it. Unfortunately, because we filter out marker traits from receivers at callsites anddyn Syncis, for example, legal, this results in us havingdyntypes with no predicates on occasion in our alias set encoding. This patch handles cases where there are no predicates in adyntype which are relevant to its alias set.Fixes #122998
r? workingjubilee