Merge pull request #477 from RalfJung/miri-validate

Validate more things

Author: oli-obk

src/lib.rs

@@ -255,9 +255,26 @@ impl<'a, 'mir, 'tcx> Machine<'a, 'mir, 'tcx> for Evaluator<'tcx> {
 
     const STATIC_KIND: Option<MiriMemoryKind> = Some(MiriMemoryKind::MutStatic);
 
-    #[inline(always)]
     fn enforce_validity(ecx: &EvalContext<'a, 'mir, 'tcx, Self>) -> bool {
-        ecx.machine.validate
+        if !ecx.machine.validate {
+            return false;
+        }
+
+        // Some functions are whitelisted until we figure out how to fix them.
+        // We walk up the stack a few frames to also cover their callees.
+        const WHITELIST: &[&str] = &[
+            // Uses mem::uninitialized
+            "std::ptr::read",
+        ];
+        for frame in ecx.stack().iter()
+            .rev().take(3)
+        {
+            let name = frame.instance.to_string();
+            if WHITELIST.iter().any(|white| name.starts_with(white)) {
+                return false;
+            }
+        }
+        true
     }
 
     /// Returns Ok() when the function was handled, fail otherwise

tests/compile-fail/cast_box_int_to_fn_ptr.rs

@@ -1,5 +1,5 @@
 // Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 fn main() {
     let b = Box::new(42);

tests/compile-fail/cast_int_to_fn_ptr.rs

@@ -1,5 +1,5 @@
 // Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 fn main() {
     let g = unsafe {

tests/compile-fail/execute_memory.rs

@@ -1,5 +1,5 @@
 // Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 #![feature(box_syntax)]
 

tests/compile-fail/fn_ptr_offset.rs

@@ -1,5 +1,5 @@
 // Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 use std::mem;
 

tests/compile-fail/invalid_bool.rs

@@ -1,9 +1,3 @@
-//ignore-test FIXME: do some basic validation of invariants for all values in flight
-//This does currently not get caught becuase it compiles to SwitchInt, which
-//has no knowledge about data invariants.
-
 fn main() {
-    let b = unsafe { std::mem::transmute::<u8, bool>(2) };
-    if b { unreachable!() } else { unreachable!() } //~ ERROR constant evaluation error
-    //~^ NOTE invalid boolean value read
+    let _b = unsafe { std::mem::transmute::<u8, bool>(2) }; //~ ERROR encountered 2, but expected something in the range 0..=1
 }

tests/compile-fail/invalid_bool2.rs

@@ -1,3 +1,6 @@
+// Validation makes this fail in the wrong place
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
+
 fn main() {
     let b = unsafe { std::mem::transmute::<u8, bool>(2) };
     let _x = b == true; //~ ERROR invalid boolean value read

tests/compile-fail/invalid_char.rs

@@ -0,0 +1,8 @@
+fn main() {
+    assert!(std::char::from_u32(-1_i32 as u32).is_none());
+    let _ = match unsafe { std::mem::transmute::<i32, char>(-1) } { //~ ERROR encountered 4294967295, but expected something in the range 0..=1114111
+        'a' => {true},
+        'b' => {false},
+        _ => {true},
+    };
+}

tests/compile-fail/match_char2.rs renamed to tests/compile-fail/invalid_char2.rs

@@ -1,3 +1,6 @@
+// Validation makes this fail in the wrong place
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
+
 fn main() {
     assert!(std::char::from_u32(-1_i32 as u32).is_none());
     let c = unsafe { std::mem::transmute::<i32, char>(-1) };

tests/compile-fail/invalid_enum_discriminant.rs

@@ -1,17 +1,8 @@
-// Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
-
 #[repr(C)]
 pub enum Foo {
     A, B, C, D
 }
 
 fn main() {
-    let f = unsafe { std::mem::transmute::<i32, Foo>(42) };
-    match f {
-        Foo::A => {}, //~ ERROR invalid enum discriminant
-        Foo::B => {},
-        Foo::C => {},
-        Foo::D => {},
-    }
+    let _f = unsafe { std::mem::transmute::<i32, Foo>(42) }; //~ ERROR encountered invalid enum discriminant 42
 }

tests/compile-fail/invalid_enum_discriminant2.rs

@@ -1,5 +1,5 @@
 // Validation makes this fail in the wrong place
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 // error-pattern: invalid enum discriminant
 

tests/compile-fail/match_char.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 #![feature(never_type)]
 #![allow(unreachable_code)]

tests/compile-fail/never_say_never.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 #![feature(never_type)]
 #![allow(unreachable_code)]

tests/compile-fail/never_transmute_humans.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 #![feature(never_type)]
 #![allow(unreachable_code)]

tests/compile-fail/never_transmute_void.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation
-// compile-flags: -Zmir-emit-validate=0
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
 
 #![allow(dead_code, unused_variables)]
 

tests/compile-fail/reference_to_packed.rs

@@ -1,3 +1,6 @@
+// This should fail even without validation
+// compile-flags: -Zmir-emit-validate=0 -Zmiri-disable-validation
+
 static mut LEAK: usize = 0;
 
 fn fill(v: &mut i32) {

tests/compile-fail/storage_dead_dangling.rs

@@ -0,0 +1,10 @@
+fn main() {
+    // Cast a function pointer such that on a call, the argument gets transmuted
+    // from raw ptr to reference.  This is ABI-compatible, so it's not the call that
+    // should fail, but validation should.
+    fn f(_x: &i32) { }
+
+    let g: fn(*const i32) = unsafe { std::mem::transmute(f as fn(&i32)) };
+
+    g(0usize as *const i32) //~ ERROR encountered 0, but expected something greater or equal to 1
+}

tests/compile-fail/validation_cast_fn_ptr1.rs

@@ -0,0 +1,10 @@
+fn main() {
+    // Cast a function pointer such that when returning, the return value gets transmuted
+    // from raw ptr to reference.  This is ABI-compatible, so it's not the call that
+    // should fail, but validation should.
+    fn f() -> *const i32 { 0usize as *const i32 }
+
+    let g: fn() -> &'static i32 = unsafe { std::mem::transmute(f as fn() -> *const i32) };
+
+    let _x = g(); //~ ERROR encountered 0, but expected something greater or equal to 1
+}

tests/compile-fail/validation_cast_fn_ptr2.rs

@@ -64,7 +64,6 @@ fn compile_fail(sysroot: &Path, path: &str, target: &str, host: &str, need_fullm
     flags.push("-Dwarnings -Dunused".to_owned()); // overwrite the -Aunused in compiletest-rs
     config.src_base = PathBuf::from(path.to_string());
     flags.push("-Zmir-emit-validate=1".to_owned());
-    flags.push("-Zmiri-disable-validation".to_owned());
     config.target_rustcflags = Some(flags.join(" "));
     config.target = target.to_owned();
     config.host = host.to_owned();
@@ -103,8 +102,6 @@ fn miri_pass(sysroot: &Path, path: &str, target: &str, host: &str, need_fullmir:
     flags.push("-Dwarnings -Dunused".to_owned()); // overwrite the -Aunused in compiletest-rs
     if have_fullmir() {
         flags.push("-Zmiri-start-fn".to_owned());
-        // start-fn uses ptr::read, and so fails validation
-        flags.push("-Zmiri-disable-validation".to_owned());
     }
     if opt {
         flags.push("-Zmir-opt-level=3".to_owned());

tests/compiletest.rs

@@ -1,6 +1,3 @@
-// FIXME validation disabled because ptr::read uses mem::uninitialized
-// compile-flags: -Zmiri-disable-validation
-
 struct Bar;
 
 static mut DROP_COUNT: usize = 0;

tests/run-pass/call_drop_through_owned_slice.rs

@@ -8,9 +8,6 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
-// FIXME validation disabled because ptr::read uses mem::uninitialized
-// compile-flags: -Zmiri-disable-validation
-
 // zip!(a1,a2,a3,a4) is equivalent to:
 //  a1.zip(a2).zip(a3).zip(a4).map(|(((x1,x2),x3),x4)| (x1,x2,x3,x4))
 macro_rules! zip {

tests/run-pass/issue-29746.rs

@@ -8,9 +8,6 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
-// FIXME validation disabled because ptr::read uses mem::uninitialized
-// compile-flags: -Zmiri-disable-validation
-
 // Test that a class with only sendable fields can be sent
 
 use std::sync::mpsc::channel;

tests/run-pass/sendable-class.rs

@@ -8,9 +8,6 @@
 // option. This file may not be copied, modified, or distributed
 // except according to those terms.
 
-// FIXME validation disabled because ptr::read uses mem::uninitialized
-// compile-flags: -Zmiri-disable-validation
-
 #![feature(box_syntax)]
 
 use std::sync::mpsc::channel;