Initial work on Miri permissive-exposed-provenance

Author: carbotaniuman

src/helpers.rs

@@ -750,9 +750,14 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
 
     /// Mark a machine allocation that was just created as immutable.
     fn mark_immutable(&mut self, mplace: &MemPlace<Tag>) {
-        let this = self.eval_context_mut();
-        this.alloc_mark_immutable(mplace.ptr.into_pointer_or_addr().unwrap().provenance.alloc_id)
-            .unwrap();
+        if let machine::AllocType::Concrete(alloc_id) =
+            mplace.ptr.into_pointer_or_addr().unwrap().provenance.alloc_id
+        {
+            let this = self.eval_context_mut();
+            this.alloc_mark_immutable(alloc_id).unwrap();
+        } else {
+            bug!("Machine allocation that was just created have concrete provenance");
+        }
     }
 }
 

src/intptrcast.rs

@@ -4,7 +4,7 @@ use std::collections::hash_map::Entry;
 use log::trace;
 use rand::Rng;
 
-use rustc_data_structures::fx::FxHashMap;
+use rustc_data_structures::fx::{FxHashMap, FxHashSet};
 use rustc_target::abi::{HasDataLayout, Size};
 
 use crate::*;
@@ -21,6 +21,9 @@ pub struct GlobalStateInner {
     /// they do not have an `AllocExtra`.
     /// This is the inverse of `int_to_ptr_map`.
     base_addr: FxHashMap<AllocId, u64>,
+    /// Whether an allocation has been exposed or not. This cannot be put
+    /// into `AllocExtra` for the same reason as `base_addr`.
+    exposed: FxHashSet<AllocId>,
     /// This is used as a memory address when a new pointer is casted to an integer. It
     /// is always larger than any address that was previously made part of a block.
     next_base_addr: u64,
@@ -34,24 +37,35 @@ impl GlobalStateInner {
         GlobalStateInner {
             int_to_ptr_map: Vec::default(),
             base_addr: FxHashMap::default(),
+            exposed: FxHashSet::default(),
             next_base_addr: STACK_ADDR,
             strict_provenance: config.strict_provenance,
         }
     }
 }
 
 impl<'mir, 'tcx> GlobalStateInner {
-    pub fn ptr_from_addr(addr: u64, ecx: &MiriEvalContext<'mir, 'tcx>) -> Pointer<Option<Tag>> {
-        trace!("Casting 0x{:x} to a pointer", addr);
+    // Returns the `AllocId` that corresponds to the specified addr,
+    // or `None` if the addr is out of bounds
+    fn alloc_id_from_addr(addr: u64, ecx: &MiriEvalContext<'mir, 'tcx>) -> Option<AllocId> {
         let global_state = ecx.machine.intptrcast.borrow();
 
-        if global_state.strict_provenance {
-            return Pointer::new(None, Size::from_bytes(addr));
+        if addr == 0 {
+            return None;
         }
 
         let pos = global_state.int_to_ptr_map.binary_search_by_key(&addr, |(addr, _)| *addr);
-        let alloc_id = match pos {
-            Ok(pos) => Some(global_state.int_to_ptr_map[pos].1),
+
+        match pos {
+            Ok(pos) => {
+                let (_, alloc_id) = global_state.int_to_ptr_map[pos];
+
+                if global_state.exposed.contains(&alloc_id) {
+                    Some(global_state.int_to_ptr_map[pos].1)
+                } else {
+                    None
+                }
+            }
             Err(0) => None,
             Err(pos) => {
                 // This is the largest of the adresses smaller than `int`,
@@ -60,22 +74,72 @@ impl<'mir, 'tcx> GlobalStateInner {
                 // This never overflows because `addr >= glb`
                 let offset = addr - glb;
                 // If the offset exceeds the size of the allocation, don't use this `alloc_id`.
-                if offset
-                    <= ecx
-                        .get_alloc_size_and_align(alloc_id, AllocCheck::MaybeDead)
-                        .unwrap()
-                        .0
-                        .bytes()
+
+                if global_state.exposed.contains(&alloc_id)
+                    && offset
+                        <= ecx
+                            .get_alloc_size_and_align(alloc_id, AllocCheck::MaybeDead)
+                            .unwrap()
+                            .0
+                            .bytes()
                 {
                     Some(alloc_id)
                 } else {
                     None
                 }
             }
+        }
+    }
+
+    pub fn expose_addr(ecx: &MiriEvalContext<'mir, 'tcx>, ptr: Pointer<Tag>) {
+        let mut global_state = ecx.machine.intptrcast.borrow_mut();
+        let (tag, _) = ptr.into_parts();
+
+        if let machine::AllocType::Concrete(alloc_id) = tag.alloc_id {
+            global_state.exposed.insert(alloc_id);
+        }
+    }
+
+    pub fn abs_ptr_to_rel(
+        ecx: &MiriEvalContext<'mir, 'tcx>,
+        ptr: Pointer<Tag>,
+    ) -> Option<(AllocId, Size)> {
+        let (tag, addr) = ptr.into_parts(); // addr is absolute
+
+        let alloc_id = if let machine::AllocType::Concrete(alloc_id) = tag.alloc_id {
+            alloc_id
+        } else {
+            match GlobalStateInner::alloc_id_from_addr(addr.bytes(), ecx) {
+                Some(alloc_id) => alloc_id,
+                None => return None,
+            }
         };
+
+        let base_addr = GlobalStateInner::alloc_base_addr(ecx, alloc_id);
+
+        // Wrapping "addr - base_addr"
+        let dl = ecx.data_layout();
+        let neg_base_addr = (base_addr as i64).wrapping_neg();
+
+        Some((
+            alloc_id,
+            Size::from_bytes(dl.overflowing_signed_offset(addr.bytes(), neg_base_addr).0),
+        ))
+    }
+
+    pub fn ptr_from_addr(ecx: &MiriEvalContext<'mir, 'tcx>, addr: u64) -> Pointer<Option<Tag>> {
+        trace!("Casting 0x{:x} to a pointer", addr);
+        let global_state = ecx.machine.intptrcast.borrow();
+
+        if global_state.strict_provenance {
+            return Pointer::new(None, Size::from_bytes(addr));
+        }
+
+        let alloc_id = GlobalStateInner::alloc_id_from_addr(addr, ecx);
+
         // Pointers created from integers are untagged.
         Pointer::new(
-            alloc_id.map(|alloc_id| Tag { alloc_id, sb: SbTag::Untagged }),
+            alloc_id.map(|_| Tag { alloc_id: machine::AllocType::Casted, sb: SbTag::Untagged }),
             Size::from_bytes(addr),
         )
     }
@@ -136,16 +200,6 @@ impl<'mir, 'tcx> GlobalStateInner {
         dl.overflowing_offset(base_addr, offset.bytes()).0
     }
 
-    pub fn abs_ptr_to_rel(ecx: &MiriEvalContext<'mir, 'tcx>, ptr: Pointer<Tag>) -> Size {
-        let (tag, addr) = ptr.into_parts(); // addr is absolute
-        let base_addr = GlobalStateInner::alloc_base_addr(ecx, tag.alloc_id);
-
-        // Wrapping "addr - base_addr"
-        let dl = ecx.data_layout();
-        let neg_base_addr = (base_addr as i64).wrapping_neg();
-        Size::from_bytes(dl.overflowing_signed_offset(addr.bytes(), neg_base_addr).0)
-    }
-
     /// Shifts `addr` to make it aligned with `align` by rounding `addr` to the smallest multiple
     /// of `align` that is larger or equal to `addr`
     fn align_addr(addr: u64, align: u64) -> u64 {

src/machine.rs

@@ -120,10 +120,16 @@ impl fmt::Display for MiriMemoryKind {
     }
 }
 
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub enum AllocType {
+    Concrete(AllocId),
+    Casted,
+}
+
 /// Pointer provenance (tag).
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
 pub struct Tag {
-    pub alloc_id: AllocId,
+    pub alloc_id: AllocType,
     /// Stacked Borrows tag.
     pub sb: SbTag,
 }
@@ -148,14 +154,21 @@ impl Provenance for Tag {
         write!(f, "{:?}", tag.sb)
     }
 
-    fn get_alloc_id(self) -> AllocId {
-        self.alloc_id
+    fn get_alloc_id(self) -> Option<AllocId> {
+        if let machine::AllocType::Concrete(alloc_id) = self.alloc_id {
+            Some(alloc_id)
+        } else {
+            None
+        }
     }
 }
 
 /// Extra per-allocation data
 #[derive(Debug, Clone)]
 pub struct AllocExtra {
+    // TODO: this really doesn't need to be here,
+    // but we're forced to bodge it here for now
+    pub alloc_id: AllocId,
     /// Stacked Borrows state is only added if it is enabled.
     pub stacked_borrows: Option<stacked_borrows::AllocExtra>,
     /// Data race detection via the use of a vector-clock,
@@ -566,7 +579,7 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
         };
         let alloc: Allocation<Tag, Self::AllocExtra> = alloc.convert_tag_add_extra(
             &ecx.tcx,
-            AllocExtra { stacked_borrows: stacks, data_race: race_alloc },
+            AllocExtra { alloc_id: id, stacked_borrows: stacks, data_race: race_alloc },
             |ptr| Evaluator::tag_alloc_base_pointer(ecx, ptr),
         );
         Cow::Owned(alloc)
@@ -582,40 +595,47 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
         } else {
             SbTag::Untagged
         };
-        Pointer::new(Tag { alloc_id: ptr.provenance, sb: sb_tag }, Size::from_bytes(absolute_addr))
+        Pointer::new(
+            Tag { alloc_id: machine::AllocType::Concrete(ptr.provenance), sb: sb_tag },
+            Size::from_bytes(absolute_addr),
+        )
     }
 
     #[inline(always)]
     fn ptr_from_addr(
         ecx: &MiriEvalContext<'mir, 'tcx>,
         addr: u64,
     ) -> Pointer<Option<Self::PointerTag>> {
-        intptrcast::GlobalStateInner::ptr_from_addr(addr, ecx)
+        intptrcast::GlobalStateInner::ptr_from_addr(ecx, addr)
     }
 
     /// Convert a pointer with provenance into an allocation-offset pair,
     /// or a `None` with an absolute address if that conversion is not possible.
     fn ptr_get_alloc(
         ecx: &MiriEvalContext<'mir, 'tcx>,
         ptr: Pointer<Self::PointerTag>,
-    ) -> (AllocId, Size) {
-        let rel = intptrcast::GlobalStateInner::abs_ptr_to_rel(ecx, ptr);
-        (ptr.provenance.alloc_id, rel)
+    ) -> Option<(AllocId, Size)> {
+        intptrcast::GlobalStateInner::abs_ptr_to_rel(ecx, ptr)
+    }
+
+    fn expose_addr(ecx: &MiriEvalContext<'mir, 'tcx>, ptr: Pointer<Self::PointerTag>) {
+        intptrcast::GlobalStateInner::expose_addr(ecx, ptr)
     }
 
     #[inline(always)]
     fn memory_read(
+        _tcx: TyCtxt<'tcx>,
         machine: &Self,
         alloc_extra: &AllocExtra,
         tag: Tag,
         range: AllocRange,
     ) -> InterpResult<'tcx> {
         if let Some(data_race) = &alloc_extra.data_race {
-            data_race.read(tag.alloc_id, range, machine.data_race.as_ref().unwrap())?;
+            data_race.read(alloc_extra.alloc_id, range, machine.data_race.as_ref().unwrap())?;
         }
         if let Some(stacked_borrows) = &alloc_extra.stacked_borrows {
             stacked_borrows.memory_read(
-                tag.alloc_id,
+                alloc_extra.alloc_id,
                 tag.sb,
                 range,
                 machine.stacked_borrows.as_ref().unwrap(),
@@ -627,17 +647,18 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
 
     #[inline(always)]
     fn memory_written(
+        _tcx: TyCtxt<'tcx>,
         machine: &mut Self,
         alloc_extra: &mut AllocExtra,
         tag: Tag,
         range: AllocRange,
     ) -> InterpResult<'tcx> {
         if let Some(data_race) = &mut alloc_extra.data_race {
-            data_race.write(tag.alloc_id, range, machine.data_race.as_mut().unwrap())?;
+            data_race.write(alloc_extra.alloc_id, range, machine.data_race.as_mut().unwrap())?;
         }
         if let Some(stacked_borrows) = &mut alloc_extra.stacked_borrows {
             stacked_borrows.memory_written(
-                tag.alloc_id,
+                alloc_extra.alloc_id,
                 tag.sb,
                 range,
                 machine.stacked_borrows.as_mut().unwrap(),
@@ -649,20 +670,25 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
 
     #[inline(always)]
     fn memory_deallocated(
+        _tcx: TyCtxt<'tcx>,
         machine: &mut Self,
         alloc_extra: &mut AllocExtra,
         tag: Tag,
         range: AllocRange,
     ) -> InterpResult<'tcx> {
-        if Some(tag.alloc_id) == machine.tracked_alloc_id {
-            register_diagnostic(NonHaltingDiagnostic::FreedAlloc(tag.alloc_id));
+        if Some(alloc_extra.alloc_id) == machine.tracked_alloc_id {
+            register_diagnostic(NonHaltingDiagnostic::FreedAlloc(alloc_extra.alloc_id));
         }
         if let Some(data_race) = &mut alloc_extra.data_race {
-            data_race.deallocate(tag.alloc_id, range, machine.data_race.as_mut().unwrap())?;
+            data_race.deallocate(
+                alloc_extra.alloc_id,
+                range,
+                machine.data_race.as_mut().unwrap(),
+            )?;
         }
         if let Some(stacked_borrows) = &mut alloc_extra.stacked_borrows {
             stacked_borrows.memory_deallocated(
-                tag.alloc_id,
+                alloc_extra.alloc_id,
                 tag.sb,
                 range,
                 machine.stacked_borrows.as_mut().unwrap(),

src/shims/mod.rs

@@ -85,12 +85,16 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
         let ptr = this.read_pointer(ptr_op)?;
         if let Ok(ptr) = ptr.into_pointer_or_addr() {
             // Only do anything if we can identify the allocation this goes to.
-            let (_, cur_align) =
-                this.get_alloc_size_and_align(ptr.provenance.alloc_id, AllocCheck::MaybeDead)?;
-            if cur_align.bytes() >= req_align {
-                // If the allocation alignment is at least the required alignment we use the
-                // real implementation.
-                return Ok(false);
+
+            // TODO: should we test for casted pointers here too?
+            if let machine::AllocType::Concrete(alloc_id) = ptr.provenance.alloc_id {
+                let (_, cur_align) =
+                    this.get_alloc_size_and_align(alloc_id, AllocCheck::MaybeDead)?;
+                if cur_align.bytes() >= req_align {
+                    // If the allocation alignment is at least the required alignment we use the
+                    // real implementation.
+                    return Ok(false);
+                }
             }
         }
 

tests/compile-fail/ptr_int_guess.rs

@@ -0,0 +1,16 @@
+// compile-flags: -Zmiri-disable-stacked-borrows -Zmiri-seed=0
+
+fn ptr_int_guess() {
+    let x: i32 = 3;
+    // we fix the seed so that this pointer's value is 0x23080
+    let _x_ptr = &x as *const i32;
+
+    // try and get lucky with a guess
+    let x_usize = 0x23080 as usize;
+    let ptr = x_usize as *const i32;
+    assert_eq!(unsafe { *ptr }, 3); //~ ERROR 0x23080 is not a valid pointer
+}
+
+fn main() {
+    ptr_int_guess();
+}