Skip to content
体验新版
项目
组织
正在加载...
登录
切换导航
打开侧边栏
int
Rust
提交
6147260f
R
Rust
项目概览
int
/
Rust
11 个月 前同步成功
通知
1
Star
0
Fork
0
代码
文件
提交
分支
Tags
贡献者
分支图
Diff
Issue
0
列表
看板
标记
里程碑
合并请求
0
DevOps
流水线
流水线任务
计划
Wiki
0
Wiki
分析
仓库
DevOps
项目成员
Pages
R
Rust
项目概览
项目概览
详情
发布
仓库
仓库
文件
提交
分支
标签
贡献者
分支图
比较
Issue
0
Issue
0
列表
看板
标记
里程碑
合并请求
0
合并请求
0
Pages
DevOps
DevOps
流水线
流水线任务
计划
分析
分析
仓库分析
DevOps
Wiki
0
Wiki
成员
成员
收起侧边栏
关闭侧边栏
动态
分支图
创建新Issue
流水线任务
提交
Issue看板
体验新版 GitCode,发现更多精彩内容 >>
提交
6147260f
编写于
7月 09, 2023
作者:
R
Ralf Jung
浏览文件
操作
浏览文件
下载
电子邮件补丁
差异文件
C string function shims: consistently treat "invalid" pointers as UB
上级
05773210
变更
6
隐藏空白更改
内联
并排
Showing
6 changed file
with
46 addition
and
6 deletion
+46
-6
src/tools/miri/src/shims/foreign_items.rs
src/tools/miri/src/shims/foreign_items.rs
+12
-0
src/tools/miri/tests/fail/shims/memchr_null.stderr
src/tools/miri/tests/fail/shims/memchr_null.stderr
+2
-2
src/tools/miri/tests/fail/shims/memcmp_null.stderr
src/tools/miri/tests/fail/shims/memcmp_null.stderr
+2
-2
src/tools/miri/tests/fail/shims/memcmp_zero.rs
src/tools/miri/tests/fail/shims/memcmp_zero.rs
+13
-0
src/tools/miri/tests/fail/shims/memcmp_zero.stderr
src/tools/miri/tests/fail/shims/memcmp_zero.stderr
+15
-0
src/tools/miri/tests/fail/shims/memrchr_null.stderr
src/tools/miri/tests/fail/shims/memrchr_null.stderr
+2
-2
未找到文件。
src/tools/miri/src/shims/foreign_items.rs
浏览文件 @
6147260f
...
...
@@ -690,6 +690,10 @@ fn emulate_foreign_item_by_name(
let
right
=
this
.read_pointer
(
right
)
?
;
let
n
=
Size
::
from_bytes
(
this
.read_target_usize
(
n
)
?
);
// C requires that this must always be a valid pointer (C18 §7.1.4).
this
.ptr_get_alloc_id
(
left
)
?
;
this
.ptr_get_alloc_id
(
right
)
?
;
let
result
=
{
let
left_bytes
=
this
.read_bytes_ptr_strip_provenance
(
left
,
n
)
?
;
let
right_bytes
=
this
.read_bytes_ptr_strip_provenance
(
right
,
n
)
?
;
...
...
@@ -714,6 +718,9 @@ fn emulate_foreign_item_by_name(
#[allow(clippy::cast_sign_loss,
clippy::cast_possible_truncation)]
let
val
=
val
as
u8
;
// C requires that this must always be a valid pointer (C18 §7.1.4).
this
.ptr_get_alloc_id
(
ptr
)
?
;
if
let
Some
(
idx
)
=
this
.read_bytes_ptr_strip_provenance
(
ptr
,
Size
::
from_bytes
(
num
))
?
.iter
()
...
...
@@ -738,6 +745,9 @@ fn emulate_foreign_item_by_name(
#[allow(clippy::cast_sign_loss,
clippy::cast_possible_truncation)]
let
val
=
val
as
u8
;
// C requires that this must always be a valid pointer (C18 §7.1.4).
this
.ptr_get_alloc_id
(
ptr
)
?
;
let
idx
=
this
.read_bytes_ptr_strip_provenance
(
ptr
,
Size
::
from_bytes
(
num
))
?
.iter
()
...
...
@@ -752,6 +762,7 @@ fn emulate_foreign_item_by_name(
"strlen"
=>
{
let
[
ptr
]
=
this
.check_shim
(
abi
,
Abi
::
C
{
unwind
:
false
},
link_name
,
args
)
?
;
let
ptr
=
this
.read_pointer
(
ptr
)
?
;
// This reads at least 1 byte, so we are already enforcing that this is a valid pointer.
let
n
=
this
.read_c_str
(
ptr
)
?
.len
();
this
.write_scalar
(
Scalar
::
from_target_usize
(
u64
::
try_from
(
n
)
.unwrap
(),
this
),
...
...
@@ -791,6 +802,7 @@ fn emulate_foreign_item_by_name(
// pointer provenance is preserved by this implementation of `strcpy`.
// That is probably overly cautious, but there also is no fundamental
// reason to have `strcpy` destroy pointer provenance.
// This reads at least 1 byte, so we are already enforcing that this is a valid pointer.
let
n
=
this
.read_c_str
(
ptr_src
)
?
.len
()
.checked_add
(
1
)
.unwrap
();
this
.mem_copy
(
ptr_src
,
...
...
src/tools/miri/tests/fail/shims/memchr_null.stderr
浏览文件 @
6147260f
error: Undefined Behavior:
memory access failed
: null pointer is a dangling pointer (it has no provenance)
error: Undefined Behavior:
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
--> $DIR/memchr_null.rs:LL:CC
|
LL | libc::memchr(ptr::null(), 0, 0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
memory access failed
: null pointer is a dangling pointer (it has no provenance)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
...
...
src/tools/miri/tests/fail/shims/memcmp_null.stderr
浏览文件 @
6147260f
error: Undefined Behavior:
memory access failed
: null pointer is a dangling pointer (it has no provenance)
error: Undefined Behavior:
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
--> $DIR/memcmp_null.rs:LL:CC
|
LL | libc::memcmp(ptr::null(), ptr::null(), 0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
memory access failed
: null pointer is a dangling pointer (it has no provenance)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
...
...
src/tools/miri/tests/fail/shims/memcmp_zero.rs
0 → 100644
浏览文件 @
6147260f
//@ignore-target-windows: No libc on Windows
//@compile-flags: -Zmiri-permissive-provenance
// C says that passing "invalid" pointers is UB for all string functions.
// It is unclear whether `(int*)42` is "invalid", but there is no actually
// a `char` living at that address, so arguably it cannot be a valid pointer.
// Hence this is UB.
fn
main
()
{
let
ptr
=
42
as
*
const
u8
;
unsafe
{
libc
::
memcmp
(
ptr
.cast
(),
ptr
.cast
(),
0
);
//~ERROR: dangling
}
}
src/tools/miri/tests/fail/shims/memcmp_zero.stderr
0 → 100644
浏览文件 @
6147260f
error: Undefined Behavior: out-of-bounds pointer use: 0x2a[noalloc] is a dangling pointer (it has no provenance)
--> $DIR/memcmp_zero.rs:LL:CC
|
LL | libc::memcmp(ptr.cast(), ptr.cast(), 0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ out-of-bounds pointer use: 0x2a[noalloc] is a dangling pointer (it has no provenance)
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
= note: BACKTRACE:
= note: inside `main` at $DIR/memcmp_zero.rs:LL:CC
note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
error: aborting due to previous error
src/tools/miri/tests/fail/shims/memrchr_null.stderr
浏览文件 @
6147260f
error: Undefined Behavior:
memory access failed
: null pointer is a dangling pointer (it has no provenance)
error: Undefined Behavior:
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
--> $DIR/memrchr_null.rs:LL:CC
|
LL | libc::memrchr(ptr::null(), 0, 0);
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
memory access failed
: null pointer is a dangling pointer (it has no provenance)
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
out-of-bounds pointer use
: null pointer is a dangling pointer (it has no provenance)
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
...
...
编辑
预览
Markdown
is supported
0%
请重试
或
添加新附件
.
添加附件
取消
You are about to add
0
people
to the discussion. Proceed with caution.
先完成此消息的编辑!
取消
想要评论请
注册
或
登录