Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Rewrite Gankra's provenance draft to be lib-only #95229

Closed
wants to merge 5 commits into from
Closed

Rewrite Gankra's provenance draft to be lib-only #95229

wants to merge 5 commits into from

Conversation

workingjubilee
Copy link
Member

See #95199 if you want to know what all the fuss is about.

@rustbot rustbot added the T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. label Mar 23, 2022
@rust-highfive
Copy link
Collaborator

r? @scottmcm

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Mar 23, 2022
@workingjubilee
Copy link
Member Author

Apologies. I thought highfive knew better than that.
r? @ghost

@workingjubilee workingjubilee force-pushed the provenance-fn branch 2 times, most recently from 6176e4f to d93c8ce Compare March 23, 2022 04:41
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@Gankra @workingjubilee
WIP PROOF-OF-CONCEPT: experiment with very strict pointer provenance
c75caa5 
This patch series examines the question: how bad would it be if we adopted
an extremely strict pointer provenance model that completely banished all
int<->ptr casts.

The key insight to making this approach even *vaguely* pallatable is the

ptr.with_addr(addr) -> ptr

function, which takes a pointer and an address and creates a new pointer
with that address and the provenance of the input pointer. In this way
the "chain of custody" is completely and dynamically restored, making the
model suitable even for dynamic checkers like CHERI and Miri.

This is not a formal model, but lots of the docs discussing the model
have been updated to try to the *concept* of this design in the hopes
that it can be iterated on.

Many new methods have been added to ptr to attempt to fill in semantic gaps
that this introduces, or to just get the ball rolling on "hey this is a
problem that needs to be solved, here's a bad solution as a starting point".
@Gankra @workingjubilee
WIP PROOF-OF-CONCEPT: handle all the fallout in the libs
7112a9e 
Still working on this, but it seems to largely be a lot of `as usize` -> `.addr()`
@Gankra @workingjubilee
WIP PROOF-OF-CONCEPT handle all the fallout in rustc
312187b 
Why does rustc do oh so many crimes? Oh so many...
@Gankra @workingjubilee
WIP PROOF-OF-CONCEPT fixup linux libs
81b7942
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@workingjubilee
feature(strict_provenance) in doc examples
8cc6326 
and unsafe
and ptr methods
and cleaning up unused uses
and intra-doc links...
@bors
Copy link
Contributor

bors commented Mar 23, 2022

☔ The latest upstream changes (presumably #95173) made this pull request unmergeable. Please resolve the merge conflicts.

@workingjubilee
Copy link
Member Author

This has become, in effect, #95241.

@workingjubilee workingjubilee deleted the provenance-fn branch March 23, 2022 18:53
@workingjubilee workingjubilee restored the provenance-fn branch March 23, 2022 18:53
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
7 participants
@workingjubilee @rust-highfive @rust-log-analyzer @bors @scottmcm @rustbot @Gankra