TB: Track permissions on the byte-level #4314
Conversation
|
So, how does adding a new node work (and why do we need to call
For Stacked Borrows, there are no per-block operations: each stack at each offset its own stack and completely independent from the other ones at different offsets in the same allocation. So there, more (basically everything) can be moved into the per-offset function. So what do we do for Tree Borrows? One answer is to combine parent reading, permission setting and data race notifying together. This would be somewhat ugly, because you're constructing a node, while also accessing the tree, and this would only be fine because you're careful to not actually add the node into the Should we do this? |
|
Ignoring the SIFA thingy since I already forgot how it works, what I think would make sense is to do a single
Does that makes sense or is it too ugly as well? |
|
That would work. It has to construct an extra |
I'm not sure, but that's at least plausible. I also prefer it conceptually. |
Previously, the assert would cause an error if the `RangeMap` was empty.
There was a problem hiding this comment.
Thanks! This is a lot better.
I don't fully understand the logic around the new perms_map though. It seems like the map is created to cover all the bytes from the beginning of the allocation to the end of the retagged place, which is odd -- it should be either the entire allocation, or just the place. And given that we do not want to actually put anything into the perms map outside the place, I think it should be just the place.
| let mut tree_borrows = alloc_extra.borrow_tracker_tb().borrow_mut(); | ||
| let prot = new_perm.protector.is_some(); | ||
|
|
||
| // Store initialized permissions and their corresponding range. |
There was a problem hiding this comment.
| // Store initialized permissions and their corresponding range. | |
| // Store initial permissions and their corresponding range. |
| let NewPermission { freeze_perm, freeze_access, nonfreeze_perm, nonfreeze_access, .. } = | ||
| new_perm; |
There was a problem hiding this comment.
Why do you destruct the NewPermission like this here? Seems a bit more clear to say new_perm.<field> everywhere below.
| @@ -31,7 +33,7 @@ mod tests; | |||
|
|
|||
| /// Data for a single *location*. | |||
| #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)] | |||
| pub(super) struct LocationState { | |||
| pub(crate) struct LocationState { | |||
There was a problem hiding this comment.
Why does the entire crate now need access to this?
There was a problem hiding this comment.
Because the compiler would complain about the visibility of
LocationState being private than new_child. But seems like super
should be enough for new_child, so I will change both of the to super.
| @@ -0,0 +1,32 @@ | |||
| //@compile-flags: -Zmiri-tree-borrows | |||
There was a problem hiding this comment.
| //@compile-flags: -Zmiri-tree-borrows | |
| //! A version of `cell_inside_struct` that dumps the tree so that we can see what is happening. | |
| //@compile-flags: -Zmiri-tree-borrows |
| for (_perms_range, perms) in | ||
| self.rperms.iter_mut(Size::from_bytes(start), Size::from_bytes(end - start)) | ||
| { | ||
| perms.insert(idx, perm); |
There was a problem hiding this comment.
So this will insert a bunch of Disabled, won't it?
| let mut perms_map: RangeMap<LocationState> = RangeMap::new( | ||
| base_offset + ptr_size, | ||
| LocationState::new_uninit( | ||
| Permission::new_disabled(), | ||
| foreign_access_skipping::IdempotentForeignAccess::None, | ||
| ), | ||
| ); |
There was a problem hiding this comment.
I think this should be initialized with size ptr_size, and only cover the place we are retagging. That way we can avoid introducing some disabled states here that I don't think we actually want.
| let idx = self.tag_mapping.insert(new_tag); | ||
| let parent_idx = self.tag_mapping.get(&parent_tag).unwrap(); | ||
| let default_initial_perm = perm.freeze_perm; |
There was a problem hiding this comment.
I don't think this is obviously the right choice. There's an interesting decision to be made here: if I have an &Cell<i32>, should I be allowed to lazily write to surrounding memory? The general consensus, I think, is that the answer is "yes" -- the permission of an &T should default to frozen only if T: Freeze, and should default to non-frozen otherwise.
This should also be covered by a test.
There was a problem hiding this comment.
What do you mean with "lazily write to surrounding memory"? Do you have an example in mind?
There was a problem hiding this comment.
fn foo(x: &Cell<i32>) {
let ptr = x as *const Cell<i32> as *mut _ as *mut i32;
ptr.offset(1).write(0);
}
let arr = [Cell::new(1), Cell::new(1)];
foo(&arr[0]);This code should be accepted without UB.
This makes the tracking of permissions on the byte-level, like in Stacked Borrows, which makes the tracking of interior mutable data more fine-grained.
cc @RalfJung @JoJoDeveloping