bors [Wed, 1 Jun 2022 13:01:22 +0000 (13:01 +0000)]
Auto merge of #2174 - RalfJung:summary, r=oli-obk
print list of failed tests in summary
compiletest does this and it is quite useful; see e.g. [here](https://github.com/rust-lang/rust/runs/6473917188?check_suite_focus=true). Example output:
bors [Wed, 1 Jun 2022 07:22:31 +0000 (07:22 +0000)]
Auto merge of #2173 - RalfJung:rustlib, r=oli-obk
different strategy for normalizing Rust stdlib path
`-Zremap-cwd-prefix` has some [unintended side-effects](https://github.com/rust-lang/miri/issues/2172), so we could use regexp-based normalization instead. Unfortunately, this will fail if the user's home directory contains a space.
bors [Mon, 30 May 2022 23:43:51 +0000 (23:43 +0000)]
Auto merge of #2145 - saethlin:zero-size-creation, r=RalfJung
Save a created event for zero-size reborrows
Currently, we don't save a created event for zero-sized reborrows. Attempting to use something from a zero-sized reborrow is surprisingly common, for example on `minimal-lexical==0.2.1` we previously just emit this:
```
Undefined Behavior: attempting a write access using <187021> at alloc72933[0x0], but that tag does not exist in the borrow stack for this location
--> /root/rust/library/core/src/ptr/mod.rs:1287:9
|
1287 | copy_nonoverlapping(&src as *const T, dst, 1);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
| |
| attempting a write access using <187021> at alloc72933[0x0], but that tag does not exist in the borrow stack for this location
| this error occurs as part of an access at alloc72933[0x0..0x8]
|
= help: this indicates a potential bug in the program: it performed an invalid operation, but the rules it violated are still experimental
= help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
= note: inside `std::ptr::write::<u64>` at /root/rust/library/core/src/ptr/mod.rs:1287:9
note: inside `minimal_lexical::stackvec::StackVec::push_unchecked` at /root/build/src/stackvec.rs:82:13
--> /root/build/src/stackvec.rs:82:13
|
82 | ptr::write(self.as_mut_ptr().add(self.len()), value);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
... backtrace continues...
```
Which leaves us with the question "where did we make this pointer?" because for every other diagnostic you get a "was created by" note, so I suspect people might be tempted to think there is a Miri bug here. I certainly was.
---
This code duplication is so awful, I'm going to take a look at cleaning it up later. The fact that `ptr_get_alloc_id` can fail in this situation makes things annoying.
bors [Mon, 30 May 2022 21:41:41 +0000 (21:41 +0000)]
Auto merge of #2165 - saethlin:more-clocks, r=RalfJung
Add support for _COARSE clocks
Original idea does not work, so I'm just going to try expanding support to include the `_COARSE` clocks.
The original motivation for this PR is that the test suite for the crate [`minstant`](https://crates.io/crates/minstant) reports UB, because it tries to use a clock type Miri didn't support, but never checked for an error code and so just used the uninit `libc::timespec`. So, that's technically a bug in `minstant`, but outside of Miri you'd have to be using an incredibly old Linux to ever see an `EINVAL` so the more helpful thing for Miri to do is behave like a newer Linux.
So now we don't detect UB in `minstant`, but we have a test failure:
```
failures:
stderr:
thread 'main' panicked at 'assertion failed: (instant.as_unix_nanos(&anchor) as i64 - expected as i64).abs() < 1_000_000', src/instant.rs:11:1
```
I'm having trouble getting my head around the code in `minstant` that's involved in this test, but as far as I can tell from the man pages, these `_COARSE` clocks meet the requirements.
Closes https://github.com/rust-lang/miri/issues/1983 at least as best as I can.
bors [Wed, 25 May 2022 17:39:53 +0000 (17:39 +0000)]
Auto merge of #2157 - RalfJung:tests, r=oli-obk
tweak new test suite output
- Make the entire "## Running ui tests ..." green, including the target.
- Fix double-space in `testname.rs .. ok`.
- Make the final summary a bit more like compiletest-rs, in particular the newlines around it
- Use the term "ignored" consistently, rather than "skipped"
bors [Wed, 25 May 2022 14:35:06 +0000 (14:35 +0000)]
Auto merge of #2151 - RalfJung:numbers, r=oli-obk
enable number validity checking and ptr::invalid checking by default
This removes the `-Zmiri-check-number-validity` flag, enabling its effects by default. (We don't error when the flag is passed, for backwards compatibility.) We also enable by default that transmuting an integer to a pointer now creates a pointer with `None` provenance, which is invalid to dereference (and, in the case of a function pointer, invalid to call). I did this together since it is all related to ptr2int/int2ptr transmutation.
Two new flags are added to optionally take back these stricter checks:
- `-Zmiri-allow-uninit-numbers` makes Miri accept uninit data in integers and floats
- `-Zmiri-allow-ptr-int-transmute` makes Miri accept pointers (provenance data) in integers and floats, *and* makes Miri treat int2ptr transmutes as equivalent to a cast.
The flag names make sense IMO, but they are somewhat inconsistent with our existing flags since we usually call things `-Zmiri-disable-$CHECK` rather than `-Zmiri-allow-$THING`. But `-Zmiri-disable-uninit-number-check` sounds silly?
(Whenever I say "transmute" this includes union and pointer based type punning.)
Cc `@saethlin` I hope this won't break everything?^^ I think the most risky part is the int2ptr transmute aspect, in particular around function pointers where no `as` casts are possible. The correct pattern is to first cast to a raw ptr and then transmute that to a fn ptr. We should probably document this better, in the `transmute` documentation and maybe in the documentation for the `fn()` type. I should run this PR against the std test suite before we land it.
r? `@oli-obk`
- [x] Ensure stdlib docs recommend "usize -> raw ptr -> fn ptr" for int-to-fnptr casts: https://github.com/rust-lang/rust/pull/97321
- [x] Run the stdlib test suite
bors [Tue, 24 May 2022 15:17:33 +0000 (15:17 +0000)]
Auto merge of #2138 - JakobDegen:call-fallout, r=RalfJung
Adjust Miri to also require return places everywhere
This is the miri side of rust-lang/rust#96098 . It'll still need a bump to rust-version once the rust PR is merged, but the test suite passes against my local build of rustc.
bors [Mon, 23 May 2022 18:02:34 +0000 (18:02 +0000)]
Auto merge of #2152 - RalfJung:rustup, r=RalfJung
rustup
On macOS the timing tests [failed again](https://github.com/rust-lang/miri/runs/6557930217?check_suite_focus=true), so let's give them even more slack.
bors [Mon, 23 May 2022 10:39:51 +0000 (10:39 +0000)]
Auto merge of #2150 - RalfJung:rustup, r=RalfJung
Rustup
In particular, this contains https://github.com/rust-lang/rust/pull/97219. Miri support for actually erroring on misuse of `ptr::invalid` will happen later.
bors [Mon, 23 May 2022 09:25:16 +0000 (09:25 +0000)]
Auto merge of #2147 - RalfJung:readme, r=RalfJung
split flag section into common and advanced flags
As discussed with `@oli-obk` . However I was not always sure which flags to put where, so if you think some flags should be in the other category please let me know. :)
bors [Mon, 23 May 2022 07:24:33 +0000 (07:24 +0000)]
Auto merge of #2059 - carbotaniuman:master, r=RalfJung
Initial work on Miri permissive-exposed-provenance
Miri portions of the changes for portions of a permissive ptr-to-int model for Miri. This is more restrictive than what we currently have so it will probably need a flag once I figure out how to hook that up.
> This implements a form of permissive exposed-address provenance, wherein the only way to expose the address is with a cast to usize (ideally expose_addr). This is more restrictive than C in that stuff like reading the representation bytes (via unions, type-punning, transmute) does not expose the address, only expose_addr. This is less restrictive than C in that a pointer casted from an integer has union provenance of all exposed pointers, not any udi stuff.
There's a few TODOs here, namely related to `fn memory_read` and friends. We pass it the maybe/unreified provenance before `ptr_get_alloc` reifies it into a concrete one, so it doesn't have the `AllocId` (or the SB tag, but that's getting ahead of ourselves). One way this could be fixed is changing `ptr_get_alloc` and (`ptr_try_get_alloc_id` on the rustc side) to return a pointer with the tag fixed up. We could also take in different arguments, but I'm not sure what works best.
The other TODOs here are how permissive this model could be. This currently does not enforce that a ptr-to-int cast happens before the corresponding int-to-ptr (colloquial meaning of happens before, not atomic meaning). Example:
```
let ptr = 0x2000 as *const i32;
let a: i32 = 5;
let a_ptr = &a as *const i32;
// value is 0x2000;
a_ptr as usize;
println!("{}", unsafe { *ptr }); // this is valid
```
We also allow the resulting pointer to dereference different non-contiguous allocations (the "not any udi stuff" mentioned above), which I'm not sure if is allowed by LLVM.
This is the Miri side of https://github.com/rust-lang/rust/pull/95826.
bors [Mon, 23 May 2022 06:46:46 +0000 (06:46 +0000)]
Auto merge of #2139 - saethlin:lazy-current-span, r=RalfJung
Factor current-span logic into a caching handle
After https://github.com/rust-lang/miri/pull/2030 and while working on https://github.com/rust-lang/miri/pull/1935 it became quite clear that we need to do some caching here, because some retag operations generate many calls to `log_invalidation`, and would thus search the current thread's stack _many_ times for a local crate. This caching fixes that. This handle type also has the nice benefit of tucking away all the `ThreadManager` + `CrateNum` logic.
bors [Sun, 22 May 2022 20:00:17 +0000 (20:00 +0000)]
Auto merge of #2144 - matthiaskrgr:stderrfix, r=RalfJung
mute_stdout_stderr: mute stderr instead of stdin
should fix #2143
note: this is entirely untested, I was getting tons of errors on `cargo test` because of some missing setup.
I hope that CI can tell me if this works or not :see_no_evil:
bors [Sun, 22 May 2022 16:17:17 +0000 (16:17 +0000)]
Auto merge of #2141 - saethlin:early-diagnostics-ice, r=RalfJung
Adjust diagnostics assertion so we don't ICE in setup
Fixes https://github.com/rust-lang/miri/issues/2076 just by handling diagnostics produced during setup. The tracking notes don't have any spans but it's better than an ICE.
It looks like we leak allocations 1..20, and allocations 13..19 don't have any creation notes, and 14 only has a `FreedAlloc` alloc tracking diagnostic.
I've tried for hours now to come up with a test case for this ICE with no luck. I suspect there's something about the way the data race detection works under these conditions that I just don't understand :weary:.
But I tried this change out on a handful of crates and I don't see any more ICEs of this form. For whatever reason it seems like `bastion==0.4.5` is a good way to run into this, with the flags
```
MIRIFLAGS="-Zmiri-tag-raw-pointers -Zmiri-panic-on-unsupported -Zmiri-disable-isolation" cargo +miri miri test --no-fail-fast --doc
```
I think all the cases I've run into with this involve both `-Zmiri-panic-on-unsupported` and `-Zmiri-tag-raw-pointers`, so it could be that the combination of an unexpected panic and a machine halt is required.
bors [Sun, 22 May 2022 05:59:39 +0000 (05:59 +0000)]
Auto merge of #2140 - V0ldek:page_size, r=RalfJung
Update GetSystemInfo to work with `page_size` (#2136)
- Change logic in GetSystemInfo shim to take into account the two possible layouts of `SYSTEM_INFO`, the first-field-is-union used by [winapi::um::sysinfoapi::SYSTEM_INFO](https://docs.rs/winapi/latest/winapi/um/sysinfoapi/struct.SYSTEM_INFO.html), and first-two-fields-are-inlined-union used by [num_cpus](https://github.com/seanmonstar/num_cpus/blob/5f1b03332000b4c4274b5bd35fac516049ff1c6b/src/lib.rs#L206).
- Fill out the `dwPageSize` field with the `PAGE_SIZE` constant of `4096`.