Fix 32-bit overflows in LLVM composite constants #122000
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @nnethercote (or someone else) some time within the next two weeks. Please see the contribution instructions for more information. Namely, in order to ensure the minimum review times lag, PR authors and assigned reviewers should ensure that the review label (
|
rustbot
added
S-waiting-on-review
kadiwa4
reviewed
Mar 4, 2024
|
Not my area of expertise, let's try r? @nikic |
|
Would you be interested in upstreaming the new APIs to LLVM? If you do that, then we can directly start using them by providing shims like this: That way we'll automatically switch to using the upstream APIs as soon as we can. |
|
@nikic Yeah, I was planning on doing that. I'm not sure how long it would take to get through, so I'm not sure which version we would put in the version macro. |
|
Having 64bit APIs for structs and vectors did not make sense, because LLVM stores 32bit lengths for them anyway. Now we just assert for overflows before calling those functions. I made a pr to LLVM for 64bit ConstantString constructors and used your idea @nikic to create shims to delete later. If the LLVM patch gets through quickly we can update the LLVM_VERSION_LT check to be 19. |
DianQK
pushed a commit
to llvm/llvm-project
that referenced
this pull request
Mar 9, 2024
…signatures (#84433) Adds `LLVMConstStringInContext2` and `LLVMConstString2`, which are identical to originals except that they use `size_t` for length. This is a clone of 35276f1 and is needed for rust-lang/rust#122000. As an aside, the issue of 32 bit overflow on constants is present in the C++ APIs as well. A few classes, e.g. `ConstantDataArray` and `ConstantAggregateZero`, can hold 64-bit ArrayTypes but their length accessors return 32-bit values. This means the same issue from the original Rust report is also present in LLVM itself. Would it be a reasonable goal to update all of these length methods & types to be uint64_t, or would that be too breaking? Alternatively, we could use safe fallible casts instead of implicit ones inside the accessors (if an overflow does happen, the solution would be to use `MyValue->getType()->getArrayNumElements()` instead).
|
Barring the LLVM patch being rescinded, this is now finished. |
nikic
reviewed
Mar 9, 2024
This comment has been minimized.
This comment has been minimized.
nikic
reviewed
Mar 10, 2024
|
@bors r+ |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Mar 11, 2024
Fix 32-bit overflows in LLVM composite constants Inspired by rust-lang#121868. Fixes unsoundness created when constructing constant arrays, strings, and structs with 2^32 or more elements on x86_64. This introduces copies of a few LLVM functions that have their signatures updated to use size_t in place of unsigned int. Alternatively we could just add overflow checks and just disallow huge composite constants. That introduces less code, but maybe a huge static block of memory is useful in embedded/no-os situations?
This was referenced Mar 11, 2024
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 12, 2024
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#115141 (Update Windows platform support) - rust-lang#121865 (Add FileCheck annotations to MIR-opt unnamed-fields tests) - rust-lang#122000 (Fix 32-bit overflows in LLVM composite constants) - rust-lang#122194 (Enable creating backtraces via -Ztreat-err-as-bug when stashing errors) - rust-lang#122319 (Don't ICE when non-self part of trait goal is constrained in new solver) - rust-lang#122339 (Update books) - rust-lang#122342 (Update /NODEFAUTLIB comment for msvc) - rust-lang#122343 (Remove some unnecessary `allow(incomplete_features)` in the test suite) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Mar 12, 2024
Rollup merge of rust-lang#122000 - erer1243:issue-121868, r=nikic Fix 32-bit overflows in LLVM composite constants Inspired by rust-lang#121868. Fixes unsoundness created when constructing constant arrays, strings, and structs with 2^32 or more elements on x86_64. This introduces copies of a few LLVM functions that have their signatures updated to use size_t in place of unsigned int. Alternatively we could just add overflow checks and just disallow huge composite constants. That introduces less code, but maybe a huge static block of memory is useful in embedded/no-os situations?
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Inspired by #121868. Fixes unsoundness created when constructing constant arrays, strings, and structs with 2^32 or more elements on x86_64. This introduces copies of a few LLVM functions that have their signatures updated to use size_t in place of unsigned int. Alternatively we could just add overflow checks and just disallow huge composite constants. That introduces less code, but maybe a huge static block of memory is useful in embedded/no-os situations?