-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
allocation functions and return-position noalias #196
Comments
Could you summarize what the unsoundness is? I have seen this example but I think that's an LLVM bug -- specifically, this is https://bugs.llvm.org/show_bug.cgi?id=35229. |
I also think that's no unsoundness other than the GVN bug, I just want to talk it out somewhere other than the Ref issue. @comex (re: rust-lang/rust#63787 (comment))
This conflict of integer GVN vs pointer provenance causes miscompiles even without involving custom allocators or Both of your examples seem to crucially rely on this GVN bug. Please correct me if I'm wrong (I've not fully digested either yet), but if that's true, I don't understand what either of them have to do with allocation returning The discussion in section 4.8 is a little bit related in that it's about allocators reusing addresses. But all of the approaches presented at there are perfectly satisfactory in that they can be implemented soundly and just differ in which optimizations they are compatible with (moving a free up above malloc vs moving a pointer comparison after a deallocation). I don't see how it's essential to your example programs -- if anything, the UB or non-determinism of comparing the pointer after it's been deallocated seems more like an obstacle to you (in that it only can make your examples UB or open up extra possibilities for the GVN bug to be rendered harmless). All that said, it is likely true that when you stop treating alloc/dealloc functions as built-ins all the time and start to (selectively) look at the C or Rust code that implements them through the lens of the language's general memory model, you'll run into trouble. But that's not at all surprising to me (those functions are deliberately treated as magic after all), and it's not related to the examples you've given, or to |
Pretty much. I just wouldn't characterize it as "yet another variation". If anything, it's one of two variations. The twin allocation paper creates pointers with the same address but different provenance by using two allocations that are adjacent in space (but exist at the same time). My second example does so using two allocations that are separated in time (but at the same address in space). My first example with ( But going back to the other example – I tried to make it clear that the problem in that example is likely LLVM's fault, not Rust's. For one thing, they don't seem to be in much of a hurry to implement any sort of formal model. For another, the model from the twin allocation paper is only one possibility among others. Even if I assumed that LLVM would end up making its optimizations sound with respect to some formal model, that wouldn't automatically justify basing Rust's My chain of reasoning in the other thread was a bit muddled, but the part about "escaping" is essentially a sketch of an alternative solution for temporal aliasing, compared to how the twin allocation model solves it. Namely, the allocator is modeled such that when it reuses an address, the pointer it returns is 'based on' the argument previously passed to
But also:
But for the record, under that model, Finally:
LLVM can, in fact, inline an alloc/dealloc function under the right circumstances. So the potential for "trouble" exists, mitigated by LLVM's lack of sophistication. If you say this is off topic – sure. I originally only mentioned it in passing. |
Agreed. In terms of the formal memory model presented in said paper, that is the same situation, so it is not surprising that they lead to the same kinds of miscompilation.
Interesting! That does seem worth exploring. |
Closing as a duplicate of #385 |
@comex brought this up in rust-lang/rust#63787 (comment) and IIUC believes there's unsoundness lurking there? Let's continue discussion here since it's not directly relevant to the specific problems of
Ref
.The text was updated successfully, but these errors were encountered: