3 use std::ops::RangeInclusive;
5 use syntax_pos::symbol::{sym, Symbol};
7 use rustc::ty::layout::{self, Size, Align, TyLayout, LayoutOf, VariantIdx};
9 use rustc_data_structures::fx::FxHashSet;
10 use rustc::mir::interpret::{
11 Scalar, GlobalAlloc, InterpResult, InterpError, CheckInAllocMsg,
15 OpTy, Machine, InterpretCx, ValueVisitor, MPlaceTy,
18 macro_rules! validation_failure {
19 ($what:expr, $where:expr, $details:expr) => {{
20 let where_ = path_format(&$where);
21 let where_ = if where_.is_empty() {
24 format!(" at {}", where_)
26 err!(ValidationFailure(format!(
27 "encountered {}{}, but expected {}",
28 $what, where_, $details,
31 ($what:expr, $where:expr) => {{
32 let where_ = path_format(&$where);
33 let where_ = if where_.is_empty() {
36 format!(" at {}", where_)
38 err!(ValidationFailure(format!(
45 macro_rules! try_validation {
46 ($e:expr, $what:expr, $where:expr, $details:expr) => {{
49 Err(_) => return validation_failure!($what, $where, $details),
53 ($e:expr, $what:expr, $where:expr) => {{
56 Err(_) => return validation_failure!($what, $where),
61 /// We want to show a nice path to the invalid field for diagnostics,
62 /// but avoid string operations in the happy case where no error happens.
63 /// So we track a `Vec<PathElem>` where `PathElem` contains all the data we
64 /// need to later print something for the user.
65 #[derive(Copy, Clone, Debug)]
69 GeneratorState(VariantIdx),
78 /// State for tracking recursive validation of references
79 pub struct RefTracking<T> {
80 pub seen: FxHashSet<T>,
81 pub todo: Vec<(T, Vec<PathElem>)>,
84 impl<'tcx, T: Copy + Eq + Hash> RefTracking<T> {
85 pub fn new(op: T) -> Self {
86 let mut ref_tracking = RefTracking {
87 seen: FxHashSet::default(),
88 todo: vec![(op, Vec::new())],
90 ref_tracking.seen.insert(op);
96 fn path_format(path: &Vec<PathElem>) -> String {
97 use self::PathElem::*;
99 let mut out = String::new();
100 for elem in path.iter() {
102 Field(name) => write!(out, ".{}", name),
103 Variant(name) => write!(out, ".<downcast-variant({})>", name),
104 GeneratorState(idx) => write!(out, ".<generator-state({})>", idx.index()),
105 ClosureVar(name) => write!(out, ".<closure-var({})>", name),
106 TupleElem(idx) => write!(out, ".{}", idx),
107 ArrayElem(idx) => write!(out, "[{}]", idx),
109 // This does not match Rust syntax, but it is more readable for long paths -- and
110 // some of the other items here also are not Rust syntax. Actually we can't
111 // even use the usual syntax because we are just showing the projections,
113 write!(out, ".<deref>"),
114 Tag => write!(out, ".<enum-tag>"),
115 DynDowncast => write!(out, ".<dyn-downcast>"),
121 // Test if a range that wraps at overflow contains `test`
122 fn wrapping_range_contains(r: &RangeInclusive<u128>, test: u128) -> bool {
123 let (lo, hi) = r.clone().into_inner();
126 (..=hi).contains(&test) || (lo..).contains(&test)
133 // Formats such that a sentence like "expected something {}" to mean
134 // "expected something <in the given range>" makes sense.
135 fn wrapping_range_format(r: &RangeInclusive<u128>, max_hi: u128) -> String {
136 let (lo, hi) = r.clone().into_inner();
137 debug_assert!(hi <= max_hi);
139 format!("less or equal to {}, or greater or equal to {}", hi, lo)
142 debug_assert!(hi < max_hi, "should not be printing if the range covers everything");
143 format!("less or equal to {}", hi)
144 } else if hi == max_hi {
145 format!("greater or equal to {}", lo)
147 format!("in the range {:?}", r)
152 struct ValidityVisitor<'rt, 'a: 'rt, 'mir: 'rt, 'tcx: 'a+'rt+'mir, M: Machine<'a, 'mir, 'tcx>+'rt> {
153 /// The `path` may be pushed to, but the part that is present when a function
154 /// starts must not be changed! `visit_fields` and `visit_array` rely on
155 /// this stack discipline.
157 ref_tracking: Option<&'rt mut RefTracking<MPlaceTy<'tcx, M::PointerTag>>>,
159 ecx: &'rt InterpretCx<'a, 'mir, 'tcx, M>,
162 impl<'rt, 'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>> ValidityVisitor<'rt, 'a, 'mir, 'tcx, M> {
163 fn aggregate_field_path_elem(
165 layout: TyLayout<'tcx>,
168 match layout.ty.sty {
169 // generators and closures.
170 ty::Closure(def_id, _) | ty::Generator(def_id, _, _) => {
172 if def_id.is_local() {
173 let tables = self.ecx.tcx.typeck_tables_of(def_id);
174 if let Some(upvars) = tables.upvar_list.get(&def_id) {
175 // Sometimes the index is beyond the number of upvars (seen
177 if let Some((&var_hir_id, _)) = upvars.get_index(field) {
178 let var_node_id = self.ecx.tcx.hir().hir_to_node_id(var_hir_id);
179 if let hir::Node::Binding(pat) = self.ecx.tcx.hir().get(var_node_id) {
180 if let hir::PatKind::Binding(_, _, ident, _) = pat.node {
181 name = Some(ident.name);
188 PathElem::ClosureVar(name.unwrap_or_else(|| {
189 // Fall back to showing the field index.
195 ty::Tuple(_) => PathElem::TupleElem(field),
198 ty::Adt(def, ..) if def.is_enum() => {
199 // we might be projecting *to* a variant, or to a field *in*a variant.
200 match layout.variants {
201 layout::Variants::Single { index } =>
203 PathElem::Field(def.variants[index].fields[field].ident.name),
209 ty::Adt(def, _) => PathElem::Field(def.non_enum_variant().fields[field].ident.name),
212 ty::Array(..) | ty::Slice(..) => PathElem::ArrayElem(field),
215 ty::Dynamic(..) => PathElem::DynDowncast,
217 // nothing else has an aggregate layout
218 _ => bug!("aggregate_field_path_elem: got non-aggregate type {:?}", layout.ty),
224 new_op: OpTy<'tcx, M::PointerTag>,
226 ) -> InterpResult<'tcx> {
227 // Remember the old state
228 let path_len = self.path.len();
230 self.path.push(elem);
231 self.visit_value(new_op)?;
233 self.path.truncate(path_len);
238 impl<'rt, 'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>>
239 ValueVisitor<'a, 'mir, 'tcx, M> for ValidityVisitor<'rt, 'a, 'mir, 'tcx, M>
241 type V = OpTy<'tcx, M::PointerTag>;
244 fn ecx(&self) -> &InterpretCx<'a, 'mir, 'tcx, M> {
251 old_op: OpTy<'tcx, M::PointerTag>,
253 new_op: OpTy<'tcx, M::PointerTag>
254 ) -> InterpResult<'tcx> {
255 let elem = self.aggregate_field_path_elem(old_op.layout, field);
256 self.visit_elem(new_op, elem)
262 old_op: OpTy<'tcx, M::PointerTag>,
263 variant_id: VariantIdx,
264 new_op: OpTy<'tcx, M::PointerTag>
265 ) -> InterpResult<'tcx> {
266 let name = match old_op.layout.ty.sty {
267 ty::Adt(adt, _) => PathElem::Variant(adt.variants[variant_id].ident.name),
268 // Generators also have variants
269 ty::Generator(..) => PathElem::GeneratorState(variant_id),
270 _ => bug!("Unexpected type with variant: {:?}", old_op.layout.ty),
272 self.visit_elem(new_op, name)
276 fn visit_value(&mut self, op: OpTy<'tcx, M::PointerTag>) -> InterpResult<'tcx>
278 trace!("visit_value: {:?}, {:?}", *op, op.layout);
279 // Translate some possible errors to something nicer.
280 match self.walk_value(op) {
282 Err(err) => match err.kind {
283 InterpError::InvalidDiscriminant(val) =>
285 val, self.path, "a valid enum discriminant"
287 InterpError::ReadPointerAsBytes =>
289 "a pointer", self.path, "plain (non-pointer) bytes"
296 fn visit_primitive(&mut self, value: OpTy<'tcx, M::PointerTag>) -> InterpResult<'tcx>
298 let value = self.ecx.read_immediate(value)?;
299 // Go over all the primitive types
300 let ty = value.layout.ty;
303 let value = value.to_scalar_or_undef();
304 try_validation!(value.to_bool(),
305 value, self.path, "a boolean");
308 let value = value.to_scalar_or_undef();
309 try_validation!(value.to_char(),
310 value, self.path, "a valid unicode codepoint");
312 ty::Float(_) | ty::Int(_) | ty::Uint(_) => {
313 // NOTE: Keep this in sync with the array optimization for int/float
315 let size = value.layout.size;
316 let value = value.to_scalar_or_undef();
318 // Integers/floats in CTFE: Must be scalar bits, pointers are dangerous
319 try_validation!(value.to_bits(size),
320 value, self.path, "initialized plain (non-pointer) bytes");
322 // At run-time, for now, we accept *anything* for these types, including
323 // undef. We should fix that, but let's start low.
328 // Integers/floats in CTFE: For consistency with integers, we do not
330 let _ptr = try_validation!(value.to_scalar_ptr(),
331 "undefined address in raw pointer", self.path);
332 let _meta = try_validation!(value.to_meta(),
333 "uninitialized data in raw fat pointer metadata", self.path);
335 // Remain consistent with `usize`: Accept anything.
338 _ if ty.is_box() || ty.is_region_ptr() => {
339 // Handle fat pointers.
340 // Check metadata early, for better diagnostics
341 let ptr = try_validation!(value.to_scalar_ptr(),
342 "undefined address in pointer", self.path);
343 let meta = try_validation!(value.to_meta(),
344 "uninitialized data in fat pointer metadata", self.path);
345 let layout = self.ecx.layout_of(value.layout.ty.builtin_deref(true).unwrap().ty)?;
346 if layout.is_unsized() {
347 let tail = self.ecx.tcx.struct_tail(layout.ty);
350 let vtable = try_validation!(meta.unwrap().to_ptr(),
351 "non-pointer vtable in fat pointer", self.path);
352 try_validation!(self.ecx.read_drop_type_from_vtable(vtable),
353 "invalid drop fn in vtable", self.path);
354 try_validation!(self.ecx.read_size_and_align_from_vtable(vtable),
355 "invalid size or align in vtable", self.path);
356 // FIXME: More checks for the vtable.
358 ty::Slice(..) | ty::Str => {
359 try_validation!(meta.unwrap().to_usize(self.ecx),
360 "non-integer slice length in fat pointer", self.path);
363 // Unsized, but not fat.
366 bug!("Unexpected unsized type tail: {:?}", tail),
369 // Make sure this is non-NULL and aligned
370 let (size, align) = self.ecx.size_and_align_of(meta, layout)?
371 // for the purpose of validity, consider foreign types to have
372 // alignment and size determined by the layout (size will be 0,
373 // alignment should take attributes into account).
374 .unwrap_or_else(|| (layout.size, layout.align.abi));
375 match self.ecx.memory.check_align(ptr, align) {
378 info!("{:?} is not aligned to {:?}", ptr, align);
380 InterpError::InvalidNullPointerUsage =>
381 return validation_failure!("NULL reference", self.path),
382 InterpError::AlignmentCheckFailed { required, has } =>
383 return validation_failure!(format!("unaligned reference \
384 (required {} byte alignment but found {})",
385 required.bytes(), has.bytes()), self.path),
387 return validation_failure!(
388 "dangling (out-of-bounds) reference (might be NULL at \
395 // Recursive checking
396 if let Some(ref mut ref_tracking) = self.ref_tracking {
397 assert!(self.const_mode, "We should only do recursie checking in const mode");
398 let place = self.ecx.ref_to_mplace(value)?;
399 if size != Size::ZERO {
400 // Non-ZST also have to be dereferencable
401 let ptr = try_validation!(place.ptr.to_ptr(),
402 "integer pointer in non-ZST reference", self.path);
403 // Skip validation entirely for some external statics
404 let alloc_kind = self.ecx.tcx.alloc_map.lock().get(ptr.alloc_id);
405 if let Some(GlobalAlloc::Static(did)) = alloc_kind {
406 // `extern static` cannot be validated as they have no body.
407 // FIXME: Statics from other crates are also skipped.
408 // They might be checked at a different type, but for now we
409 // want to avoid recursing too deeply. This is not sound!
410 if !did.is_local() || self.ecx.tcx.is_foreign_item(did) {
414 // Maintain the invariant that the place we are checking is
415 // already verified to be in-bounds.
419 .check_bounds(self.ecx, ptr, size, CheckInAllocMsg::InboundsTest),
420 "dangling (not entirely in bounds) reference", self.path);
422 // Check if we have encountered this pointer+layout combination
423 // before. Proceed recursively even for integer pointers, no
424 // reason to skip them! They are (recursively) valid for some ZST,
425 // but not for others (e.g., `!` is a ZST).
426 if ref_tracking.seen.insert(place) {
427 trace!("Recursing below ptr {:#?}", *place);
428 // We need to clone the path anyway, make sure it gets created
429 // with enough space for the additional `Deref`.
430 let mut new_path = Vec::with_capacity(self.path.len()+1);
431 new_path.clone_from(&self.path);
432 new_path.push(PathElem::Deref);
433 // Remember to come back to this later.
434 ref_tracking.todo.push((place, new_path));
439 let value = value.to_scalar_or_undef();
440 let ptr = try_validation!(value.to_ptr(),
441 value, self.path, "a pointer");
442 let _fn = try_validation!(self.ecx.memory.get_fn(ptr),
443 value, self.path, "a function pointer");
444 // FIXME: Check if the signature matches
446 // This should be all the primitive types
447 _ => bug!("Unexpected primitive type {}", value.layout.ty)
452 fn visit_uninhabited(&mut self) -> InterpResult<'tcx>
454 validation_failure!("a value of an uninhabited type", self.path)
459 op: OpTy<'tcx, M::PointerTag>,
460 layout: &layout::Scalar,
461 ) -> InterpResult<'tcx> {
462 let value = self.ecx.read_scalar(op)?;
463 // Determine the allowed range
464 let (lo, hi) = layout.valid_range.clone().into_inner();
465 // `max_hi` is as big as the size fits
466 let max_hi = u128::max_value() >> (128 - op.layout.size.bits());
467 assert!(hi <= max_hi);
468 // We could also write `(hi + 1) % (max_hi + 1) == lo` but `max_hi + 1` overflows for `u128`
469 if (lo == 0 && hi == max_hi) || (hi + 1 == lo) {
473 // At least one value is excluded. Get the bits.
474 let value = try_validation!(value.not_undef(),
479 wrapping_range_format(&layout.valid_range, max_hi),
482 let bits = match value.to_bits_or_ptr(op.layout.size, self.ecx) {
484 if lo == 1 && hi == max_hi {
485 // only NULL is not allowed.
486 // We can call `check_align` to check non-NULL-ness, but have to also look
487 // for function pointers.
489 self.ecx.memory.check_align(
490 Scalar::Ptr(ptr), Align::from_bytes(1).unwrap()
492 self.ecx.memory.get_fn(ptr).is_ok();
495 return validation_failure!("a potentially NULL pointer", self.path);
499 // Conservatively, we reject, because the pointer *could* have this
501 return validation_failure!(
505 "something that cannot possibly fail to be {}",
506 wrapping_range_format(&layout.valid_range, max_hi)
514 // Now compare. This is slightly subtle because this is a special "wrap-around" range.
515 if wrapping_range_contains(&layout.valid_range, bits) {
521 format!("something {}", wrapping_range_format(&layout.valid_range, max_hi))
528 op: OpTy<'tcx, M::PointerTag>,
529 fields: impl Iterator<Item=InterpResult<'tcx, Self::V>>,
530 ) -> InterpResult<'tcx> {
531 match op.layout.ty.sty {
533 let mplace = op.to_mem_place(); // strings are never immediate
534 try_validation!(self.ecx.read_str(mplace),
535 "uninitialized or non-UTF-8 data in str", self.path);
537 ty::Array(tys, ..) | ty::Slice(tys) if {
538 // This optimization applies only for integer and floating point types
539 // (i.e., types that can hold arbitrary bytes).
541 ty::Int(..) | ty::Uint(..) | ty::Float(..) => true,
545 // bailing out for zsts is ok, since the array element type can only be int/float
546 if op.layout.is_zst() {
549 // non-ZST array cannot be immediate, slices are never immediate
550 let mplace = op.to_mem_place();
551 // This is the length of the array/slice.
552 let len = mplace.len(self.ecx)?;
553 // zero length slices have nothing to be checked
557 // This is the element type size.
558 let ty_size = self.ecx.layout_of(tys)?.size;
559 // This is the size in bytes of the whole array.
560 let size = ty_size * len;
562 let ptr = mplace.ptr.to_ptr()?;
564 // NOTE: Keep this in sync with the handling of integer and float
565 // types above, in `visit_primitive`.
566 // In run-time mode, we accept pointers in here. This is actually more
567 // permissive than a per-element check would be, e.g., we accept
568 // an &[u8] that contains a pointer even though bytewise checking would
569 // reject it. However, that's good: We don't inherently want
570 // to reject those pointers, we just do not have the machinery to
571 // talk about parts of a pointer.
572 // We also accept undef, for consistency with the type-based checks.
573 match self.ecx.memory.get(ptr.alloc_id)?.check_bytes(
577 /*allow_ptr_and_undef*/!self.const_mode,
579 // In the happy case, we needn't check anything else.
581 // Some error happened, try to provide a more detailed description.
583 // For some errors we might be able to provide extra information
585 InterpError::ReadUndefBytes(offset) => {
586 // Some byte was undefined, determine which
587 // element that byte belongs to so we can
589 let i = (offset.bytes() / ty_size.bytes()) as usize;
590 self.path.push(PathElem::ArrayElem(i));
592 return validation_failure!(
593 "undefined bytes", self.path
596 // Other errors shouldn't be possible
597 _ => return Err(err),
603 self.walk_aggregate(op, fields)? // default handler
610 impl<'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>> InterpretCx<'a, 'mir, 'tcx, M> {
611 /// This function checks the data at `op`. `op` is assumed to cover valid memory if it
612 /// is an indirect operand.
613 /// It will error if the bits at the destination do not match the ones described by the layout.
615 /// `ref_tracking` can be `None` to avoid recursive checking below references.
616 /// This also toggles between "run-time" (no recursion) and "compile-time" (with recursion)
617 /// validation (e.g., pointer values are fine in integers at runtime).
618 pub fn validate_operand(
620 op: OpTy<'tcx, M::PointerTag>,
622 ref_tracking: Option<&mut RefTracking<MPlaceTy<'tcx, M::PointerTag>>>,
624 ) -> InterpResult<'tcx> {
625 trace!("validate_operand: {:?}, {:?}", *op, op.layout.ty);
627 // Construct a visitor
628 let mut visitor = ValidityVisitor {
636 visitor.visit_value(op)
projects / rust.git / blob