Clarify black_box warning a bit #140341
Clarify black_box warning a bit #140341
Conversation
|
r? @ibraheemdev rustbot has assigned @ibraheemdev. Use |
rustbot
added
S-waiting-on-review
library/core/src/hint.rs
Outdated
| /// You should not be able to write a better `black_box` than the standard library provides. If you | ||
| /// can write a function that looks like `black_box` but is more effective at hiding the value of | ||
| /// the argument from optimizations, that would be a bug and should be reported. It just would not | ||
| /// be a *security* bug. |
There was a problem hiding this comment.
I'm not sure if that's quite true. For example user code might choose to use FFI and setup linking to evade LTO, I don't think std/rustc is going to jump through those kinds of hoops since it can't control linking of generic instantiations.
There was a problem hiding this comment.
Perhaps "you should not be able to use other parts of the standard library to write a better..." then?
There was a problem hiding this comment.
I'm not sure what you mean by evading LTO. If LTO can see through black_box it's already quite non-functional for benchmarking.
There was a problem hiding this comment.
A weak blackbox implementation might prevent DCE of the input but not optimizations based on properties of the output value.
You can also replace LTO with other post-link optimizations such as wasm JIT and user code taking steps avoid that.
There was a problem hiding this comment.
A JIT can break any black box so I'm not sure what point you are trying to make.
There was a problem hiding this comment.
A JIT will have blind spots or even explicit escape hatches and you can make a targeted blackbox using those.
The point I'm making is that users may be "able to write a better black_box" under specific circumstances and the standard library won't adopt those.
There was a problem hiding this comment.
A weak blackbox implementation might prevent DCE of the input but not optimizations based on properties of the output value.
that's an example where you could do better, and it would indeed be a buggy implementation that should be reported, as the docs say.
There was a problem hiding this comment.
No, I meant that as an example for a hypothetical backend or target where that's the best we can do.
E.g. by making a value "escape" to a static we could prevent DCE but the backend lacks a way to make the value opaque because it's a single-threaded closed-world environment that has no concept of MMIO or interactions with the environment outside the abstract machine other than special IO instructions, so even volatile would get lowered to plain stores and loads.
|
I think that talking about bugs confuses the message we are trying to send. What we really want to say is that there is no mechanism in the entire Rust language that can get you the guarantees you want for constant-time cryptography: you can't do better than |
|
I think the subtlety here is that from a spec perspective all approaches are equal; they're not guaranteed, even asking the question is nonsense because the constant-time aspect is not considered an observable property etc. etc.. And some other approaches such as FFI, assymbly or linker trickery just might achieve better results, under specific circumstances. So we can't really promise that this is the strongest possible implementation under all conditions. Maybe something like
|
I strongly disagree with this. If I'm writing a crypto library that is using I can't speak for everyone using rust for cryptography, but I think language that helps advocate for the above use case is really important. |
|
Going to pass this on to libs because it seems to be controversial. r? libs |
|
I've replaced the diff with @Amanieu's suggestion, though I'd quite like to hear from anyone who manages to get the optimization-suppressing effect they want from a volatile read but not |
saethlin
changed the title
|
Cc @rust-lang/opsem |
|
r=me with or without Ralf's wording. |
And note that the same limitation applies to all LLVM-based compilers Co-authored-by: Ralf Jung <[email protected]>
|
@bors r=Mark-Simulacrum rollup |
bors
added
S-waiting-on-bors
…ulacrum Clarify black_box warning a bit Trying to bring the docs on black_box more in line with the advice that we have discussed in Zulip. rust-lang#140341 (comment)
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#140095 (Eliminate `word_and_empty` methods.) - rust-lang#140341 (Clarify black_box warning a bit) - rust-lang#140684 (Only include `dyn Trait<Assoc = ...>` associated type bounds for `Self: Sized` associated types if they are provided) - rust-lang#140707 (Structurally normalize in range pattern checking in HIR typeck) - rust-lang#140716 (Improve `-Zremap-path-scope` tests with dependency) - rust-lang#140800 (Make `rustdoc-tempdir-removal` run-make tests work on other platforms than linux) - rust-lang#140802 (Add release notes for 1.87.0) - rust-lang#140811 (Enable triagebot note functionality for rust-lang/rust) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#140341 - saethlin:black-box-qoi, r=Mark-Simulacrum Clarify black_box warning a bit Trying to bring the docs on black_box more in line with the advice that we have discussed in Zulip. rust-lang#140341 (comment)
Trying to bring the docs on black_box more in line with the advice that we have discussed in Zulip.
#140341 (comment)