X-Git-Url: https://git.lizzy.rs/?a=blobdiff_plain;f=src%2Fintptrcast.rs;h=0e6a9f69aebab656228929959ae560419325dd48;hb=31bd77c7d82dda48f7c77ecc2314bc15219969c9;hp=1247150cc1199c1b20f75cfbc979ba57b618449d;hpb=310649bb8e528c8cc91a6467569ba474f22b2271;p=rust.git diff --git a/src/intptrcast.rs b/src/intptrcast.rs index 1247150cc11..0e6a9f69aeb 100644 --- a/src/intptrcast.rs +++ b/src/intptrcast.rs @@ -1,14 +1,14 @@ use std::cell::RefCell; -use std::collections::{HashMap, hash_map::Entry}; use std::cmp::max; +use std::collections::hash_map::Entry; +use log::trace; use rand::Rng; -use rustc::ty::layout::HasDataLayout; -use rustc_mir::interpret::{AllocId, Pointer, InterpResult, Memory, AllocCheck, PointerArithmetic}; -use rustc_target::abi::Size; +use rustc_data_structures::fx::FxHashMap; +use rustc_target::abi::{Size, HasDataLayout}; -use crate::{Evaluator, Tag, STACK_ADDR}; +use crate::*; pub type MemoryExtra = RefCell; @@ -21,7 +21,7 @@ pub struct GlobalState { /// `AllocExtra` because function pointers also have a base address, and /// they do not have an `AllocExtra`. /// This is the inverse of `int_to_ptr_map`. - pub base_addr: HashMap, + pub base_addr: FxHashMap, /// This is used as a memory address when a new pointer is casted to an integer. It /// is always larger than any address that was previously made part of a block. pub next_base_addr: u64, @@ -31,7 +31,7 @@ impl Default for GlobalState { fn default() -> Self { GlobalState { int_to_ptr_map: Vec::default(), - base_addr: HashMap::default(), + base_addr: FxHashMap::default(), next_base_addr: STACK_ADDR, } } @@ -40,22 +40,21 @@ fn default() -> Self { impl<'mir, 'tcx> GlobalState { pub fn int_to_ptr( int: u64, - memory: &Memory<'mir, 'tcx, Evaluator<'tcx>>, + memory: &Memory<'mir, 'tcx, Evaluator<'mir, 'tcx>>, ) -> InterpResult<'tcx, Pointer> { - if int == 0 { - return err!(InvalidNullPointerUsage); - } - let global_state = memory.extra.intptrcast.borrow(); - - match global_state.int_to_ptr_map.binary_search_by_key(&int, |(addr, _)| *addr) { + let pos = global_state.int_to_ptr_map.binary_search_by_key(&int, |(addr, _)| *addr); + + // The int must be in-bounds after being cast to a pointer, so we error + // with `CheckInAllocMsg::InboundsTest`. + Ok(match pos { Ok(pos) => { let (_, alloc_id) = global_state.int_to_ptr_map[pos]; // `int` is equal to the starting address for an allocation, the offset should be // zero. The pointer is untagged because it was created from a cast - Ok(Pointer::new_with_tag(alloc_id, Size::from_bytes(0), Tag::Untagged)) - }, - Err(0) => err!(DanglingPointerDeref), + Pointer::new_with_tag(alloc_id, Size::from_bytes(0), Tag::Untagged) + } + Err(0) => throw_ub!(DanglingIntPointer(int, CheckInAllocMsg::InboundsTest)), Err(pos) => { // This is the largest of the adresses smaller than `int`, // i.e. the greatest lower bound (glb) @@ -63,28 +62,29 @@ pub fn int_to_ptr( // This never overflows because `int >= glb` let offset = int - glb; // If the offset exceeds the size of the allocation, this access is illegal - if offset <= memory.get(alloc_id)?.bytes.len() as u64 { + if offset <= memory.get_size_and_align(alloc_id, AllocCheck::MaybeDead)?.0.bytes() { // This pointer is untagged because it was created from a cast - Ok(Pointer::new_with_tag(alloc_id, Size::from_bytes(offset), Tag::Untagged)) + Pointer::new_with_tag(alloc_id, Size::from_bytes(offset), Tag::Untagged) } else { - err!(DanglingPointerDeref) - } + throw_ub!(DanglingIntPointer(int, CheckInAllocMsg::InboundsTest)) + } } - } + }) } pub fn ptr_to_int( ptr: Pointer, - memory: &Memory<'mir, 'tcx, Evaluator<'tcx>>, + memory: &Memory<'mir, 'tcx, Evaluator<'mir, 'tcx>>, ) -> InterpResult<'tcx, u64> { let mut global_state = memory.extra.intptrcast.borrow_mut(); let global_state = &mut *global_state; + let id = ptr.alloc_id; // There is nothing wrong with a raw pointer being cast to an integer only after // it became dangling. Hence `MaybeDead`. - let (size, align) = memory.get_size_and_align(ptr.alloc_id, AllocCheck::MaybeDead)?; + let (size, align) = memory.get_size_and_align(id, AllocCheck::MaybeDead)?; - let base_addr = match global_state.base_addr.entry(ptr.alloc_id) { + let base_addr = match global_state.base_addr.entry(id) { Entry::Occupied(entry) => *entry.get(), Entry::Vacant(entry) => { // This allocation does not have a base address yet, pick one. @@ -92,7 +92,7 @@ pub fn ptr_to_int( let slack = { let mut rng = memory.extra.rng.borrow_mut(); // This means that `(global_state.next_base_addr + slack) % 16` is uniformly distributed. - rng.gen_range(0, 16) + rng.gen_range(0..16) }; // From next_base_addr + slack, round up to adjust for alignment. let base_addr = global_state.next_base_addr.checked_add(slack).unwrap(); @@ -100,7 +100,10 @@ pub fn ptr_to_int( entry.insert(base_addr); trace!( "Assigning base address {:#x} to allocation {:?} (slack: {}, align: {})", - base_addr, ptr.alloc_id, slack, align.bytes(), + base_addr, + id, + slack, + align.bytes(), ); // Remember next base address. If this allocation is zero-sized, leave a gap @@ -108,13 +111,14 @@ pub fn ptr_to_int( global_state.next_base_addr = base_addr.checked_add(max(size.bytes(), 1)).unwrap(); // Given that `next_base_addr` increases in each allocation, pushing the // corresponding tuple keeps `int_to_ptr_map` sorted - global_state.int_to_ptr_map.push((base_addr, ptr.alloc_id)); + global_state.int_to_ptr_map.push((base_addr, id)); base_addr } }; - debug_assert_eq!(base_addr % align.bytes(), 0); // sanity check + // Sanity check that the base address is aligned. + debug_assert_eq!(base_addr % align.bytes(), 0); // Add offset with the right kind of pointer-overflowing arithmetic. let dl = memory.data_layout(); Ok(dl.overflowing_offset(base_addr, ptr.offset.bytes()).0) @@ -125,7 +129,7 @@ pub fn ptr_to_int( fn align_addr(addr: u64, align: u64) -> u64 { match addr % align { 0 => addr, - rem => addr.checked_add(align).unwrap() - rem + rem => addr.checked_add(align).unwrap() - rem, } } }