-
Notifications
You must be signed in to change notification settings - Fork 356
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Miri should catch uses of slice::from_raw_parts on uninitialized memory #1240
Comments
And, as it turns out, would've caught an even more insidious bug of the same ilk, where my probe for |
This is currently deliberate. Quoting from the README:
The reasoning is that I think this will complain about tons of stuff and make Miri basically unusable. Additionally, checking recursively below references will be extremely slow. The discussion in the UCG was mostly moving towards "we probably eventually want to accept that code", so I figured I'd make Miri less aggressive here. I suppose we could offer a flag for more aggressive checking, for those that want it. However, checking transitively below references is expensive, I don't think we can reasonably do it -- and fixing this issue would require traversing below a reference. |
We could do it on the result of calls to |
Yeah, this is intended to just be for some small "easier" subset. That could be just |
That feels like a rather unprincipled hack to me... ad-hoc diagnostics for special cases are fine and useful, but ad-hoc changes to the basic semantics are somewhat disconcerting, IMO. |
Being able to form a mutable slice to an unitialized region of memory isn't a bug and is instead a feature. Consider networking buffers which must first allocate memory which then immediately gets read into. Forcing initialization of these bytes makes erroneous reads "safe" but it does slightly hinder perf. |
You should use |
Technically the validity (including initializedness) of anything behind a reference is an open question. Even if constructing a reference to uninitialized data is valid, it's still likely that performing any kind of typed copy of that reference (such as passing it to a function) asserts that the value behind the reference is valid. On top of that, even for data that is trivially dropped by forgetting, it's likely that a reference write still asserts that the value previously there is valid. TL;DR using references to uninitialized data in a regular type is at the very best unclear if it's sound, and likely to be determined unsound as we nail down the memory and borrowing model for Rust. Use raw pointers and/or |
It's a feature only if you tell the compiler that you are doing it. Just be explicit, that's all. You can be explicit by using |
Well, I'm happy to stand corrected! |
I think Miri flagged an example of this: let pos = result.len();
let target = result.get_unchecked_mut(pos..reserved_len); (reported here: rust-lang/rust#91574) This is only flagged with |
I think Miri is flagging an unrelated aliasing problem in that code. |
You mean a slice of integers? The 2nd one is definitely UB since you are comparing two uninitialized integers. |
The fist one is not UB. How about this one:
I am curious because Miri does not support |
Since you've specified (Note that you've not specified |
[example]
This would have prevented an actual issue I had where I accidentally used
slice::from_raw_parts
instead ofptr::slice_from_raw_parts
from a version-aware import.More generally, this is the "create reference to uninitialized memory" catch, but since these two methods have now-stable sound alternatives, it'd be nice for miri to catch incorrect usage and point at the correct raw pointer version.
The text was updated successfully, but these errors were encountered: