
Rewrite Gankra's provenance draft to be lib-only #95229

Closed
wants to merge 5 commits into from

Conversation

workingjubilee
Member

See #95199 if you want to know what all the fuss is about.

@rustbot rustbot added the T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. label Mar 23, 2022
@rust-highfive
Collaborator

r? @scottmcm

(rust-highfive has picked a reviewer for you, use r? to override)

@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Mar 23, 2022
@workingjubilee
Member Author

Apologies. I thought highfive knew better than that.
r? @ghost

@rust-log-analyzer

This patch series examines the question: how bad would it be if we adopted
an extremely strict pointer provenance model that completely banished all
int<->ptr casts.

The key insight to making this approach even *vaguely* palatable is the

    ptr.with_addr(addr) -> ptr

function, which takes a pointer and an address and creates a new pointer
with that address and the provenance of the input pointer. In this way
the "chain of custody" is completely and dynamically restored, making the
model suitable even for dynamic checkers like CHERI and Miri.

This is not a formal model, but lots of the docs discussing the model
have been updated to try to convey the *concept* of this design in the hopes
that it can be iterated on.

Many new methods have been added to ptr to attempt to fill in semantic gaps
that this introduces, or to just get the ball rolling on "hey this is a
problem that needs to be solved, here's a bad solution as a starting point".
Still working on this, but it seems to largely be a lot of `as usize` -> `.addr()`
Why does rustc do oh so many crimes? Oh so many...
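The following is an added illustration of the two operations the commit messages above describe, `addr()` replacing `as usize` and `with_addr(addr)` re-deriving a pointer from an existing one. It is not code from this PR or from the standard library: the `StrictPtr` trait is a hypothetical polyfill of those methods (the real `<*const T>::addr` and `with_addr` exist in std on newer Rust), written so that the pointer handed back is always produced by offsetting the original pointer rather than being conjured from a bare integer. The `Tagged` type is a constructed example of the common "stash a flag in a spare alignment bit" pattern, which is exactly the kind of code that breaks under a strict model if the pointer is rebuilt with an int->ptr cast.

```rust
use std::mem::align_of;

// Hypothetical polyfill of the strict-provenance operations discussed in the
// commit message. Not the PR's code; only the address is ever an integer,
// and every pointer is derived from a pointer that already had provenance.
trait StrictPtr: Copy {
    fn addr_of(self) -> usize;
    fn with_addr_of(self, addr: usize) -> Self;
}

impl<T> StrictPtr for *const T {
    fn addr_of(self) -> usize {
        // The single ptr->int cast in the program, isolated here. The result
        // is a plain integer; it carries no provenance and must never be
        // turned back into a pointer on its own.
        self as usize
    }

    fn with_addr_of(self, addr: usize) -> Self {
        // Rebuild the pointer by offsetting the ORIGINAL pointer to the target
        // address, so the new pointer inherits the old one's provenance.
        let offset = (addr as isize).wrapping_sub(self.addr_of() as isize);
        (self as *const u8).wrapping_offset(offset) as *const T
    }
}

/// A pointer whose lowest alignment bit carries a one-bit tag.
#[derive(Clone, Copy)]
struct Tagged<T>(*const T);

impl<T> Tagged<T> {
    const TAG_MASK: usize = 1;

    fn new(ptr: *const T, tag: bool) -> Self {
        assert!(align_of::<T>() >= 2, "need a spare low bit for the tag");
        // Arithmetic happens on the address; the pointer is then re-derived
        // from `ptr`, keeping the chain of custody intact.
        let addr = ptr.addr_of() | (tag as usize);
        Tagged(ptr.with_addr_of(addr))
    }

    fn tag(self) -> bool {
        self.0.addr_of() & Self::TAG_MASK != 0
    }

    fn ptr(self) -> *const T {
        let addr = self.0.addr_of() & !Self::TAG_MASK;
        self.0.with_addr_of(addr)
    }
}

/// Round-trips two values through tagged pointers and returns what was read
/// back together with each tag.
fn demo() -> (u32, bool, u32, bool) {
    let a: u32 = 7;
    let b: u32 = 42;
    let ta = Tagged::new(&a as *const u32, true);
    let tb = Tagged::new(&b as *const u32, false);
    // SAFETY: `ptr()` strips the tag and the result was derived by offsetting
    // the original reference-derived pointer, so it points at `a` / `b`.
    let va = unsafe { *ta.ptr() };
    let vb = unsafe { *tb.ptr() };
    (va, ta.tag(), vb, tb.tag())
}

fn main() {
    println!("{:?}", demo());
}
```

Because `with_addr_of` always starts from a pointer that already has provenance, a checker such as Miri can follow the derivation even though the tag arithmetic happened on an integer; the same code with `addr as *const T` in `ptr()` would be precisely the int->ptr cast the strict model forbids.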
@rust-log-analyzer

and unsafe
and ptr methods
and cleaning up unused uses
and intra-doc links...
@bors
Contributor

bors commented Mar 23, 2022

☔ The latest upstream changes (presumably #95173) made this pull request unmergeable. Please resolve the merge conflicts.

@workingjubilee
Member Author

This has become, in effect, #95241.

@workingjubilee workingjubilee deleted the provenance-fn branch March 23, 2022 18:53
@workingjubilee workingjubilee restored the provenance-fn branch March 23, 2022 18:53