3 use std::ops::RangeInclusive;
5 use syntax_pos::symbol::{sym, Symbol};
7 use rustc::ty::layout::{self, Size, Align, TyLayout, LayoutOf, VariantIdx};
9 use rustc_data_structures::fx::FxHashSet;
10 use rustc::mir::interpret::{
11 Scalar, AllocKind, EvalResult, InterpError,
15 OpTy, Machine, InterpretCx, ValueVisitor, MPlaceTy,
18 macro_rules! validation_failure {
19 ($what:expr, $where:expr, $details:expr) => {{
20 let where_ = path_format(&$where);
21 let where_ = if where_.is_empty() {
24 format!(" at {}", where_)
26 err!(ValidationFailure(format!(
27 "encountered {}{}, but expected {}",
28 $what, where_, $details,
31 ($what:expr, $where:expr) => {{
32 let where_ = path_format(&$where);
33 let where_ = if where_.is_empty() {
36 format!(" at {}", where_)
38 err!(ValidationFailure(format!(
45 macro_rules! try_validation {
46 ($e:expr, $what:expr, $where:expr, $details:expr) => {{
49 Err(_) => return validation_failure!($what, $where, $details),
53 ($e:expr, $what:expr, $where:expr) => {{
56 Err(_) => return validation_failure!($what, $where),
61 /// We want to show a nice path to the invalid field for diagnostics,
62 /// but avoid string operations in the happy case where no error happens.
63 /// So we track a `Vec<PathElem>` where `PathElem` contains all the data we
64 /// need to later print something for the user.
65 #[derive(Copy, Clone, Debug)]
69 GeneratorState(VariantIdx),
78 /// State for tracking recursive validation of references
79 pub struct RefTracking<T> {
80 pub seen: FxHashSet<T>,
81 pub todo: Vec<(T, Vec<PathElem>)>,
84 impl<'tcx, T: Copy + Eq + Hash> RefTracking<T> {
85 pub fn new(op: T) -> Self {
86 let mut ref_tracking = RefTracking {
87 seen: FxHashSet::default(),
88 todo: vec![(op, Vec::new())],
90 ref_tracking.seen.insert(op);
96 fn path_format(path: &Vec<PathElem>) -> String {
97 use self::PathElem::*;
99 let mut out = String::new();
100 for elem in path.iter() {
102 Field(name) => write!(out, ".{}", name),
103 Variant(name) => write!(out, ".<downcast-variant({})>", name),
104 GeneratorState(idx) => write!(out, ".<generator-state({})>", idx.index()),
105 ClosureVar(name) => write!(out, ".<closure-var({})>", name),
106 TupleElem(idx) => write!(out, ".{}", idx),
107 ArrayElem(idx) => write!(out, "[{}]", idx),
109 // This does not match Rust syntax, but it is more readable for long paths -- and
110 // some of the other items here also are not Rust syntax. Actually we can't
111 // even use the usual syntax because we are just showing the projections,
113 write!(out, ".<deref>"),
114 Tag => write!(out, ".<enum-tag>"),
115 DynDowncast => write!(out, ".<dyn-downcast>"),
121 // Test if a range that wraps at overflow contains `test`
122 fn wrapping_range_contains(r: &RangeInclusive<u128>, test: u128) -> bool {
123 let (lo, hi) = r.clone().into_inner();
126 (..=hi).contains(&test) || (lo..).contains(&test)
133 // Formats such that a sentence like "expected something {}" to mean
134 // "expected something <in the given range>" makes sense.
135 fn wrapping_range_format(r: &RangeInclusive<u128>, max_hi: u128) -> String {
136 let (lo, hi) = r.clone().into_inner();
137 debug_assert!(hi <= max_hi);
139 format!("less or equal to {}, or greater or equal to {}", hi, lo)
142 debug_assert!(hi < max_hi, "should not be printing if the range covers everything");
143 format!("less or equal to {}", hi)
144 } else if hi == max_hi {
145 format!("greater or equal to {}", lo)
147 format!("in the range {:?}", r)
152 struct ValidityVisitor<'rt, 'a: 'rt, 'mir: 'rt, 'tcx: 'a+'rt+'mir, M: Machine<'a, 'mir, 'tcx>+'rt> {
153 /// The `path` may be pushed to, but the part that is present when a function
154 /// starts must not be changed! `visit_fields` and `visit_array` rely on
155 /// this stack discipline.
157 ref_tracking: Option<&'rt mut RefTracking<MPlaceTy<'tcx, M::PointerTag>>>,
159 ecx: &'rt InterpretCx<'a, 'mir, 'tcx, M>,
162 impl<'rt, 'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>> ValidityVisitor<'rt, 'a, 'mir, 'tcx, M> {
163 fn aggregate_field_path_elem(
165 layout: TyLayout<'tcx>,
168 match layout.ty.sty {
169 // generators and closures.
170 ty::Closure(def_id, _) | ty::Generator(def_id, _, _) => {
172 if def_id.is_local() {
173 let tables = self.ecx.tcx.typeck_tables_of(def_id);
174 if let Some(upvars) = tables.upvar_list.get(&def_id) {
175 // Sometimes the index is beyond the number of upvars (seen
177 if let Some(upvar_id) = upvars.get(field) {
178 let var_hir_id = upvar_id.var_path.hir_id;
179 let var_node_id = self.ecx.tcx.hir().hir_to_node_id(var_hir_id);
180 if let hir::Node::Binding(pat) = self.ecx.tcx.hir().get(var_node_id) {
181 if let hir::PatKind::Binding(_, _, ident, _) = pat.node {
182 name = Some(ident.name);
189 PathElem::ClosureVar(name.unwrap_or_else(|| {
190 // Fall back to showing the field index.
196 ty::Tuple(_) => PathElem::TupleElem(field),
199 ty::Adt(def, ..) if def.is_enum() => {
200 // we might be projecting *to* a variant, or to a field *in*a variant.
201 match layout.variants {
202 layout::Variants::Single { index } =>
204 PathElem::Field(def.variants[index].fields[field].ident.name),
210 ty::Adt(def, _) => PathElem::Field(def.non_enum_variant().fields[field].ident.name),
213 ty::Array(..) | ty::Slice(..) => PathElem::ArrayElem(field),
216 ty::Dynamic(..) => PathElem::DynDowncast,
218 // nothing else has an aggregate layout
219 _ => bug!("aggregate_field_path_elem: got non-aggregate type {:?}", layout.ty),
225 new_op: OpTy<'tcx, M::PointerTag>,
227 ) -> EvalResult<'tcx> {
228 // Remember the old state
229 let path_len = self.path.len();
231 self.path.push(elem);
232 self.visit_value(new_op)?;
234 self.path.truncate(path_len);
239 impl<'rt, 'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>>
240 ValueVisitor<'a, 'mir, 'tcx, M> for ValidityVisitor<'rt, 'a, 'mir, 'tcx, M>
242 type V = OpTy<'tcx, M::PointerTag>;
245 fn ecx(&self) -> &InterpretCx<'a, 'mir, 'tcx, M> {
252 old_op: OpTy<'tcx, M::PointerTag>,
254 new_op: OpTy<'tcx, M::PointerTag>
255 ) -> EvalResult<'tcx> {
256 let elem = self.aggregate_field_path_elem(old_op.layout, field);
257 self.visit_elem(new_op, elem)
263 old_op: OpTy<'tcx, M::PointerTag>,
264 variant_id: VariantIdx,
265 new_op: OpTy<'tcx, M::PointerTag>
266 ) -> EvalResult<'tcx> {
267 let name = match old_op.layout.ty.sty {
268 ty::Adt(adt, _) => PathElem::Variant(adt.variants[variant_id].ident.name),
269 // Generators also have variants
270 ty::Generator(..) => PathElem::GeneratorState(variant_id),
271 _ => bug!("Unexpected type with variant: {:?}", old_op.layout.ty),
273 self.visit_elem(new_op, name)
277 fn visit_value(&mut self, op: OpTy<'tcx, M::PointerTag>) -> EvalResult<'tcx>
279 trace!("visit_value: {:?}, {:?}", *op, op.layout);
280 // Translate some possible errors to something nicer.
281 match self.walk_value(op) {
283 Err(err) => match err.kind {
284 InterpError::InvalidDiscriminant(val) =>
286 val, self.path, "a valid enum discriminant"
288 InterpError::ReadPointerAsBytes =>
290 "a pointer", self.path, "plain (non-pointer) bytes"
297 fn visit_primitive(&mut self, value: OpTy<'tcx, M::PointerTag>) -> EvalResult<'tcx>
299 let value = self.ecx.read_immediate(value)?;
300 // Go over all the primitive types
301 let ty = value.layout.ty;
304 let value = value.to_scalar_or_undef();
305 try_validation!(value.to_bool(),
306 value, self.path, "a boolean");
309 let value = value.to_scalar_or_undef();
310 try_validation!(value.to_char(),
311 value, self.path, "a valid unicode codepoint");
313 ty::Float(_) | ty::Int(_) | ty::Uint(_) => {
314 // NOTE: Keep this in sync with the array optimization for int/float
316 let size = value.layout.size;
317 let value = value.to_scalar_or_undef();
319 // Integers/floats in CTFE: Must be scalar bits, pointers are dangerous
320 try_validation!(value.to_bits(size),
321 value, self.path, "initialized plain (non-pointer) bytes");
323 // At run-time, for now, we accept *anything* for these types, including
324 // undef. We should fix that, but let's start low.
329 // Integers/floats in CTFE: For consistency with integers, we do not
331 let _ptr = try_validation!(value.to_scalar_ptr(),
332 "undefined address in raw pointer", self.path);
333 let _meta = try_validation!(value.to_meta(),
334 "uninitialized data in raw fat pointer metadata", self.path);
336 // Remain consistent with `usize`: Accept anything.
339 _ if ty.is_box() || ty.is_region_ptr() => {
340 // Handle fat pointers.
341 // Check metadata early, for better diagnostics
342 let ptr = try_validation!(value.to_scalar_ptr(),
343 "undefined address in pointer", self.path);
344 let meta = try_validation!(value.to_meta(),
345 "uninitialized data in fat pointer metadata", self.path);
346 let layout = self.ecx.layout_of(value.layout.ty.builtin_deref(true).unwrap().ty)?;
347 if layout.is_unsized() {
348 let tail = self.ecx.tcx.struct_tail(layout.ty);
351 let vtable = try_validation!(meta.unwrap().to_ptr(),
352 "non-pointer vtable in fat pointer", self.path);
353 try_validation!(self.ecx.read_drop_type_from_vtable(vtable),
354 "invalid drop fn in vtable", self.path);
355 try_validation!(self.ecx.read_size_and_align_from_vtable(vtable),
356 "invalid size or align in vtable", self.path);
357 // FIXME: More checks for the vtable.
359 ty::Slice(..) | ty::Str => {
360 try_validation!(meta.unwrap().to_usize(self.ecx),
361 "non-integer slice length in fat pointer", self.path);
364 // Unsized, but not fat.
367 bug!("Unexpected unsized type tail: {:?}", tail),
370 // Make sure this is non-NULL and aligned
371 let (size, align) = self.ecx.size_and_align_of(meta, layout)?
372 // for the purpose of validity, consider foreign types to have
373 // alignment and size determined by the layout (size will be 0,
374 // alignment should take attributes into account).
375 .unwrap_or_else(|| (layout.size, layout.align.abi));
376 match self.ecx.memory.check_align(ptr, align) {
379 info!("{:?} is not aligned to {:?}", ptr, align);
381 InterpError::InvalidNullPointerUsage =>
382 return validation_failure!("NULL reference", self.path),
383 InterpError::AlignmentCheckFailed { required, has } =>
384 return validation_failure!(format!("unaligned reference \
385 (required {} byte alignment but found {})",
386 required.bytes(), has.bytes()), self.path),
388 return validation_failure!(
389 "dangling (out-of-bounds) reference (might be NULL at \
396 // Recursive checking
397 if let Some(ref mut ref_tracking) = self.ref_tracking {
398 assert!(self.const_mode, "We should only do recursie checking in const mode");
399 let place = self.ecx.ref_to_mplace(value)?;
400 if size != Size::ZERO {
401 // Non-ZST also have to be dereferencable
402 let ptr = try_validation!(place.ptr.to_ptr(),
403 "integer pointer in non-ZST reference", self.path);
404 // Skip validation entirely for some external statics
405 let alloc_kind = self.ecx.tcx.alloc_map.lock().get(ptr.alloc_id);
406 if let Some(AllocKind::Static(did)) = alloc_kind {
407 // `extern static` cannot be validated as they have no body.
408 // FIXME: Statics from other crates are also skipped.
409 // They might be checked at a different type, but for now we
410 // want to avoid recursing too deeply. This is not sound!
411 if !did.is_local() || self.ecx.tcx.is_foreign_item(did) {
415 // Maintain the invariant that the place we are checking is
416 // already verified to be in-bounds.
420 .check_bounds(self.ecx, ptr, size),
421 "dangling (not entirely in bounds) reference", self.path);
423 // Check if we have encountered this pointer+layout combination
424 // before. Proceed recursively even for integer pointers, no
425 // reason to skip them! They are (recursively) valid for some ZST,
426 // but not for others (e.g., `!` is a ZST).
427 if ref_tracking.seen.insert(place) {
428 trace!("Recursing below ptr {:#?}", *place);
429 // We need to clone the path anyway, make sure it gets created
430 // with enough space for the additional `Deref`.
431 let mut new_path = Vec::with_capacity(self.path.len()+1);
432 new_path.clone_from(&self.path);
433 new_path.push(PathElem::Deref);
434 // Remember to come back to this later.
435 ref_tracking.todo.push((place, new_path));
440 let value = value.to_scalar_or_undef();
441 let ptr = try_validation!(value.to_ptr(),
442 value, self.path, "a pointer");
443 let _fn = try_validation!(self.ecx.memory.get_fn(ptr),
444 value, self.path, "a function pointer");
445 // FIXME: Check if the signature matches
447 // This should be all the primitive types
448 _ => bug!("Unexpected primitive type {}", value.layout.ty)
453 fn visit_uninhabited(&mut self) -> EvalResult<'tcx>
455 validation_failure!("a value of an uninhabited type", self.path)
460 op: OpTy<'tcx, M::PointerTag>,
461 layout: &layout::Scalar,
462 ) -> EvalResult<'tcx> {
463 let value = self.ecx.read_scalar(op)?;
464 // Determine the allowed range
465 let (lo, hi) = layout.valid_range.clone().into_inner();
466 // `max_hi` is as big as the size fits
467 let max_hi = u128::max_value() >> (128 - op.layout.size.bits());
468 assert!(hi <= max_hi);
469 // We could also write `(hi + 1) % (max_hi + 1) == lo` but `max_hi + 1` overflows for `u128`
470 if (lo == 0 && hi == max_hi) || (hi + 1 == lo) {
474 // At least one value is excluded. Get the bits.
475 let value = try_validation!(value.not_undef(),
480 wrapping_range_format(&layout.valid_range, max_hi),
483 let bits = match value {
484 Scalar::Ptr(ptr) => {
485 if lo == 1 && hi == max_hi {
486 // only NULL is not allowed.
487 // We can call `check_align` to check non-NULL-ness, but have to also look
488 // for function pointers.
490 self.ecx.memory.check_align(
491 Scalar::Ptr(ptr), Align::from_bytes(1).unwrap()
493 self.ecx.memory.get_fn(ptr).is_ok();
496 return validation_failure!("a potentially NULL pointer", self.path);
500 // Conservatively, we reject, because the pointer *could* have this
502 return validation_failure!(
506 "something that cannot possibly fail to be {}",
507 wrapping_range_format(&layout.valid_range, max_hi)
512 Scalar::Bits { bits, size } => {
513 assert_eq!(size as u64, op.layout.size.bytes());
517 // Now compare. This is slightly subtle because this is a special "wrap-around" range.
518 if wrapping_range_contains(&layout.valid_range, bits) {
524 format!("something {}", wrapping_range_format(&layout.valid_range, max_hi))
531 op: OpTy<'tcx, M::PointerTag>,
532 fields: impl Iterator<Item=EvalResult<'tcx, Self::V>>,
533 ) -> EvalResult<'tcx> {
534 match op.layout.ty.sty {
536 let mplace = op.to_mem_place(); // strings are never immediate
537 try_validation!(self.ecx.read_str(mplace),
538 "uninitialized or non-UTF-8 data in str", self.path);
540 ty::Array(tys, ..) | ty::Slice(tys) if {
541 // This optimization applies only for integer and floating point types
542 // (i.e., types that can hold arbitrary bytes).
544 ty::Int(..) | ty::Uint(..) | ty::Float(..) => true,
548 // bailing out for zsts is ok, since the array element type can only be int/float
549 if op.layout.is_zst() {
552 // non-ZST array cannot be immediate, slices are never immediate
553 let mplace = op.to_mem_place();
554 // This is the length of the array/slice.
555 let len = mplace.len(self.ecx)?;
556 // zero length slices have nothing to be checked
560 // This is the element type size.
561 let ty_size = self.ecx.layout_of(tys)?.size;
562 // This is the size in bytes of the whole array.
563 let size = ty_size * len;
565 let ptr = mplace.ptr.to_ptr()?;
567 // NOTE: Keep this in sync with the handling of integer and float
568 // types above, in `visit_primitive`.
569 // In run-time mode, we accept pointers in here. This is actually more
570 // permissive than a per-element check would be, e.g., we accept
571 // an &[u8] that contains a pointer even though bytewise checking would
572 // reject it. However, that's good: We don't inherently want
573 // to reject those pointers, we just do not have the machinery to
574 // talk about parts of a pointer.
575 // We also accept undef, for consistency with the type-based checks.
576 match self.ecx.memory.get(ptr.alloc_id)?.check_bytes(
580 /*allow_ptr_and_undef*/!self.const_mode,
582 // In the happy case, we needn't check anything else.
584 // Some error happened, try to provide a more detailed description.
586 // For some errors we might be able to provide extra information
588 InterpError::ReadUndefBytes(offset) => {
589 // Some byte was undefined, determine which
590 // element that byte belongs to so we can
592 let i = (offset.bytes() / ty_size.bytes()) as usize;
593 self.path.push(PathElem::ArrayElem(i));
595 return validation_failure!(
596 "undefined bytes", self.path
599 // Other errors shouldn't be possible
600 _ => return Err(err),
606 self.walk_aggregate(op, fields)? // default handler
613 impl<'a, 'mir, 'tcx, M: Machine<'a, 'mir, 'tcx>> InterpretCx<'a, 'mir, 'tcx, M> {
614 /// This function checks the data at `op`. `op` is assumed to cover valid memory if it
615 /// is an indirect operand.
616 /// It will error if the bits at the destination do not match the ones described by the layout.
618 /// `ref_tracking` can be None to avoid recursive checking below references.
619 /// This also toggles between "run-time" (no recursion) and "compile-time" (with recursion)
620 /// validation (e.g., pointer values are fine in integers at runtime).
621 pub fn validate_operand(
623 op: OpTy<'tcx, M::PointerTag>,
625 ref_tracking: Option<&mut RefTracking<MPlaceTy<'tcx, M::PointerTag>>>,
627 ) -> EvalResult<'tcx> {
628 trace!("validate_operand: {:?}, {:?}", *op, op.layout.ty);
630 // Construct a visitor
631 let mut visitor = ValidityVisitor {
639 visitor.visit_value(op)