[breaking change] Disallow statics initializing themselves #71140
Conversation
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
|
@bors try |
|
⌛ Trying commit 438e1a4f0bbcea7629f327d4aaf0ec90272f2816 with merge 8a5e87609850cdd8679aada01eb0f3062f254ca8... |
|
@craterbot check |
This comment has been minimized.
This comment has been minimized.
|
☀️ Try build successful - checks-azure |
|
@craterbot check |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
the
S-waiting-on-crater
|
🚧 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
|
🎉 Experiment
|
craterbot
added
S-waiting-on-review
|
All regressions and fixes are spurious. |
oli-obk
added
I-nominated
T-lang
|
@rust-lang/lang I would like to perform a soundness fixing breaking change. Namely I want to forbid ZST statics from initializing themselves by value. This allows one to create a ZST that has private fields and can usually only be initialized via functions from the same module as the ZST. Since the user can reasonably expect these private parts to be private, self-initialization violates that expectation, breaking assumptions in unsafe code. There were no crater regressions, and I find it highly unlikely that anyone is using this for purposes other than breaking our privacy rules in private code. |
|
This has been broken since 1.37 according to the issue. I agree with @oli-obk though that it seems pretty unlikely that there are real use cases for this. It also feels a static ZST isn't really useful, right? With my release team hat on, I'd say we can go ahead here. Given the crater run I'm even comfortable with doing so without a warning period, though it'd be good to land it ASAP so that we get the full 12 weeks in nightly before it hits stable. |
|
I feel comfortable making this change as a soundness fix. I am quite surprised that it works as is, and I definitely think this was not really intended. Given that a crater run was done with no regressions, I think "just land it" (which is permitted per the compiler team policy on these kinds of changes). |
|
r? @RalfJung for the impl changes |
| if let Scalar::Ptr(ptr) = mplace.ptr { | ||
| // If the ZST pointer has provenance, we may be reading from a static. | ||
| // In order to ensure that `static FOO: Type = FOO;` causes a cycle, we need to | ||
| // trigger a read here. |
There was a problem hiding this comment.
Why do this here and not centrally in Memory::check_ptr_access?
There was a problem hiding this comment.
Because that function doesn't actually do any reads so far in order to prevent other kind of cycles. I'm not sure whether any of the call sites need this. I moved it to check_ptr_access and am running local tests now.
There was a problem hiding this comment.
Moving the check worked.
There was a problem hiding this comment.
So, moving this has started to cause problems, because validation goes through the check_ptr_access without actually doing a read (#71612 (comment)) and because const prop now creates references to foreign statics that later code ICEs on #71709 (comment)
|
r=me with comment nit fixed |
|
@bors r=RalfJung |
|
📌 Commit ccc2d203cff884cb21d0256d995314a77990e421 has been approved by |
bors
added
S-waiting-on-bors
This comment has been minimized.
This comment has been minimized.
Co-Authored-By: Ralf Jung <post@ralfj.de>
|
ran rustfmt @bors r=RalfJung |
|
💡 This pull request was already approved, no need to approve it again.
|
|
📌 Commit ccc2d203cff884cb21d0256d995314a77990e421 has been approved by |
|
💡 This pull request was already approved, no need to approve it again.
|
|
📌 Commit ccc2d203cff884cb21d0256d995314a77990e421 has been approved by |
|
📌 Commit e4ab4ee has been approved by |
|
Your PR failed (pretty log, raw log). Through arcane magic we have determined that the following fragments from the build log may contain information about the problem. Click to expand the log.I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact |
[breaking change] Disallow statics initializing themselves fixes rust-lang#71078 Self-initialization is unsound because it breaks privacy assumptions that unsafe code can make. In ```rust pub mod foo { #[derive(Debug, Copy, Clone)] pub struct Foo { x: (), } } pub static FOO: foo::Foo = FOO; ``` unsafe could could expect that ony functions inside the `foo` module were able to create a value of type `Foo`.
Rollup of 5 pull requests Successful merges: - rust-lang#70043 (Add all remaining `DefKind`s.) - rust-lang#71140 ([breaking change] Disallow statics initializing themselves) - rust-lang#71392 (Don't hold the predecessor cache lock longer than necessary) - rust-lang#71541 (Add regression test for rust-lang#26376) - rust-lang#71554 (Replace thread_local with generator resume arguments in box_region.) Failed merges: r? @ghost
Move recursion check for zsts back to read site instead of access check site Reverts rust-lang#71140 (comment) Fix rust-lang#71612 Fix rust-lang#71709 r? @RalfJung
While here clean up all pkglint warnings. Changes since 1.44.1: Version 1.45.2 (2020-08-03) ========================== * [Fix bindings in tuple struct patterns][74954] * [Fix track_caller integration with trait objects][74784] [74954]: rust-lang/rust#74954 [74784]: rust-lang/rust#74784 Version 1.45.1 (2020-07-30) ========================== * [Fix const propagation with references.][73613] * [rustfmt accepts rustfmt_skip in cfg_attr again.][73078] * [Avoid spurious implicit region bound.][74509] * [Install clippy on x.py install][74457] [73613]: rust-lang/rust#73613 [73078]: rust-lang/rust#73078 [74509]: rust-lang/rust#74509 [74457]: rust-lang/rust#74457 Version 1.45.0 (2020-07-16) ========================== Language -------- - [Out of range float to int conversions using `as` has been defined as a saturating conversion.][71269] This was previously undefined behaviour, but you can use the `{f64, f32}::to_int_unchecked` methods to continue using the current behaviour, which may be desirable in rare performance sensitive situations. - [`mem::Discriminant<T>` now uses `T`'s discriminant type instead of always using `u64`.][70705] - [Function like procedural macros can now be used in expression, pattern, and statement positions.][68717] This means you can now use a function-like procedural macro anywhere you can use a declarative (`macro_rules!`) macro. Compiler -------- - [You can now override individual target features through the `target-feature` flag.][72094] E.g. `-C target-feature=+avx2 -C target-feature=+fma` is now equivalent to `-C target-feature=+avx2,+fma`. - [Added the `force-unwind-tables` flag.][69984] This option allows rustc to always generate unwind tables regardless of panic strategy. - [Added the `embed-bitcode` flag.][71716] This codegen flag allows rustc to include LLVM bitcode into generated `rlib`s (this is on by default). - [Added the `tiny` value to the `code-model` codegen flag.][72397] - [Added tier 3 support\* for the `mipsel-sony-psp` target.][72062] - [Added tier 3 support for the `thumbv7a-uwp-windows-msvc` target.][72133] \* Refer to Rust's [platform support page][forge-platform-support] for more information on Rust's tiered platform support. Libraries --------- - [`net::{SocketAddr, SocketAddrV4, SocketAddrV6}` now implements `PartialOrd` and `Ord`.][72239] - [`proc_macro::TokenStream` now implements `Default`.][72234] - [You can now use `char` with `ops::{Range, RangeFrom, RangeFull, RangeInclusive, RangeTo}` to iterate over a range of codepoints.][72413] E.g. you can now write the following; ```rust for ch in 'a'..='z' { print!("{}", ch); } println!(); // Prints "abcdefghijklmnopqrstuvwxyz" ``` - [`OsString` now implements `FromStr`.][71662] - [The `saturating_neg` method as been added to all signed integer primitive types, and the `saturating_abs` method has been added for all integer primitive types.][71886] - [`Arc<T>`, `Rc<T>` now implement `From<Cow<'_, T>>`, and `Box` now implements `From<Cow>` when `T` is `[T: Copy]`, `str`, `CStr`, `OsStr`, or `Path`.][71447] - [`Box<[T]>` now implements `From<[T; N]>`.][71095] - [`BitOr` and `BitOrAssign` are implemented for all `NonZero` integer types.][69813] - [The `fetch_min`, and `fetch_max` methods have been added to all atomic integer types.][72324] - [The `fetch_update` method has been added to all atomic integer types.][71843] Stabilized APIs --------------- - [`Arc::as_ptr`] - [`BTreeMap::remove_entry`] - [`Rc::as_ptr`] - [`rc::Weak::as_ptr`] - [`rc::Weak::from_raw`] - [`rc::Weak::into_raw`] - [`str::strip_prefix`] - [`str::strip_suffix`] - [`sync::Weak::as_ptr`] - [`sync::Weak::from_raw`] - [`sync::Weak::into_raw`] - [`char::UNICODE_VERSION`] - [`Span::resolved_at`] - [`Span::located_at`] - [`Span::mixed_site`] - [`unix::process::CommandExt::arg0`] Cargo ----- Misc ---- - [Rustdoc now supports strikethrough text in Markdown.][71928] E.g. `~~outdated information~~` becomes "~~outdated information~~". - [Added an emoji to Rustdoc's deprecated API message.][72014] Compatibility Notes ------------------- - [Trying to self initialize a static value (that is creating a value using itself) is unsound and now causes a compile error.][71140] - [`{f32, f64}::powi` now returns a slightly different value on Windows.][73420] This is due to changes in LLVM's intrinsics which `{f32, f64}::powi` uses. - [Rustdoc's CLI's extra error exit codes have been removed.][71900] These were previously undocumented and not intended for public use. Rustdoc still provides a non-zero exit code on errors. Internals Only -------------- - [Make clippy a git subtree instead of a git submodule][70655] - [Unify the undo log of all snapshot types][69464] [73420]: rust-lang/rust#73420 [72324]: rust-lang/rust#72324 [71843]: rust-lang/rust#71843 [71886]: rust-lang/rust#71886 [72234]: rust-lang/rust#72234 [72239]: rust-lang/rust#72239 [72397]: rust-lang/rust#72397 [72413]: rust-lang/rust#72413 [72014]: rust-lang/rust#72014 [72062]: rust-lang/rust#72062 [72094]: rust-lang/rust#72094 [72133]: rust-lang/rust#72133 [71900]: rust-lang/rust#71900 [71928]: rust-lang/rust#71928 [71662]: rust-lang/rust#71662 [71716]: rust-lang/rust#71716 [71447]: rust-lang/rust#71447 [71269]: rust-lang/rust#71269 [71095]: rust-lang/rust#71095 [71140]: rust-lang/rust#71140 [70655]: rust-lang/rust#70655 [70705]: rust-lang/rust#70705 [69984]: rust-lang/rust#69984 [69813]: rust-lang/rust#69813 [69464]: rust-lang/rust#69464 [68717]: rust-lang/rust#68717 [`Arc::as_ptr`]: https://doc.rust-lang.org/stable/std/sync/struct.Arc.html#method.as_ptr [`BTreeMap::remove_entry`]: https://doc.rust-lang.org/stable/std/collections/struct.BTreeMap.html#method.remove_entry [`Rc::as_ptr`]: https://doc.rust-lang.org/stable/std/rc/struct.Rc.html#method.as_ptr [`rc::Weak::as_ptr`]: https://doc.rust-lang.org/stable/std/rc/struct.Weak.html#method.as_ptr [`rc::Weak::from_raw`]: https://doc.rust-lang.org/stable/std/rc/struct.Weak.html#method.from_raw [`rc::Weak::into_raw`]: https://doc.rust-lang.org/stable/std/rc/struct.Weak.html#method.into_raw [`sync::Weak::as_ptr`]: https://doc.rust-lang.org/stable/std/sync/struct.Weak.html#method.as_ptr [`sync::Weak::from_raw`]: https://doc.rust-lang.org/stable/std/sync/struct.Weak.html#method.from_raw [`sync::Weak::into_raw`]: https://doc.rust-lang.org/stable/std/sync/struct.Weak.html#method.into_raw [`str::strip_prefix`]: https://doc.rust-lang.org/stable/std/primitive.str.html#method.strip_prefix [`str::strip_suffix`]: https://doc.rust-lang.org/stable/std/primitive.str.html#method.strip_suffix [`char::UNICODE_VERSION`]: https://doc.rust-lang.org/stable/std/char/constant.UNICODE_VERSION.html [`Span::resolved_at`]: https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.resolved_at [`Span::located_at`]: https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.located_at [`Span::mixed_site`]: https://doc.rust-lang.org/stable/proc_macro/struct.Span.html#method.mixed_site [`unix::process::CommandExt::arg0`]: https://doc.rust-lang.org/std/os/unix/process/trait.CommandExt.html#tymethod.arg0
fixes #71078
Self-initialization is unsound because it breaks privacy assumptions that unsafe code can make. In
unsafe could could expect that ony functions inside the
foomodule were able to create a value of typeFoo.