-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Validity of pointers and references to memory not allocated by the compiler #285
Comments
For the global allocator all allocations and deallocations go through certain symbols that LLVM is told to be allocation and deallocation functions: rust-lang/llvm-project@f234a4d |
Also note that within LLVM's memory rules volatile access bypasses some of the normal access rules and just does "target specific" stuff. While Rust doesn't always go precisely by what LLVM does (sometimes things are more strict in rust than in LLVM), so far mmio/volatile have mostly been "whatever llvm does, i guess". |
Suppose the following happens:
Example question, that I don't think we currently have an answer to: How do we make sense of this from a bounds checking perspective? Presumably, we want the pointer arithmetic in step 4 to step over the allocated object without invoking UB. |
They have to be in-bounds of whatever the actual bounds of the object are. :)
Things become extra tricky when considering an allocation function written in Rust, and I am not aware of any formal work in this space (implementing an allocator "inside" the C/C++/Rust Abstract Machine), so all I can do here is some educated guessing for how this might be done properly. I think what happens is that a pointer returned by The allocator implementation in step 4 must ensure to use pointers with the original provenance; that pointer will thus still point to the (Now I hope you won't ask about |
Rust's
core::ptr
documentation currently says:This is difficult to satisfy when working with MMIO as well as when working across kernelspace:userspace boundaries. For example, the above constraint prevents a kernel from creating a valid pointer into userspace memory when the address range of the userspace memory is determined at runtime.
This leads to the following questions:
It's also unclear how this works for a
malloc
written in Rust. Presumably, that allocator would get raw pointers from a system call likemmap
, but it would eventually return something like an "allocated object" the compiler does know about.The text was updated successfully, but these errors were encountered: