Put shared buffer into UnsafeCell

[torfmaster]

Summary

This PR attempts to solve #129: Currently shared memory contains a mutable reference to a buffer which can be mutated by the kernel. This violates the pointer aliasing rules and can lead to undefined behavior. To circumvent this we replace this buffer by an UnsafeCell solving this issue.

Limitations

The following aspects are not touched by this PR:

• the shared buffer could be moved on the stack invalidating the kernels mutable reference to the buffer.
• the app could mem::forget the kernel without calling drop and reuse the memory still shared with the kernel (see Subscriptions and shared memory have a loophole which can lead to UB #143).

Both issues could be solved by taking one of the approaches proposed in #143, however this is not the content of this PR (and an appropriate solution has not yet been chosen).

[Woyten]

I think this is wrong! Instead of enforcing to pass an array reference which would pin the referenced array it is now possible to pass an entire array. This should result in UB once you move the SharedMemory object around.

Why not change the signature to UnsafeCell<&'a mut [u8]>?

[torfmaster]

Good point, I fixed this.

[Woyten]

Why not delegate this to operate_on_mut_ptr?

[torfmaster]

Good idea!

[Woyten]

• Couldn't this be transformed to a safe function where F: FnOnce(&mut u8) ->R?
• Shouldn't R: Sized be implicit?

[torfmaster]

Right!

[Woyten]

You no longer need this.

[Woyten]

I would prefer if all AsRef and AsMut implementations were removed until we see the need for them.

[jrvanwhy]

&UnsafeCell is still dereferenceable, so the UB persists with this design. Instead, we need to replace all references to the buffer with raw pointers. The following is an example of how that could be done:

EDIT: "derefenceable" in this post refers to LLVM's dereferenceable attribute: https://llvm.org/docs/LangRef.html#dereferenceable-metadata

    // We cannot store a slice or reference, as all references in Rust are
    // dereferencable and allow regions cannot be (we can't have the compiler
    // insert non-volatile reads or writes). Instead store it in raw and operate
    // entirely with raw pointers.
    pub struct AllowRegion<T> {
        data: core::ptr::NonNull<T>,
        len: usize,
    }

    impl<T> AllowRegion<T> {
        pub fn get(&self, idx: usize) -> Option<T> {
            if idx >= self.len { return None; }
            Some(unsafe { self.data.as_ptr().add(idx).read_volatile() })
        }

        pub fn set(&self, idx: usize, value: T) {
            if idx < self.len {
                unsafe { self.data.as_ptr().add(idx).write_volatile(value); }
            }
        }
    }


    // We take in the allow region as an &mut reference to ensure this is the
    // only reference alive to the region. To prevent the compiler from
    // accessing the region any more (apart from our manual *_volatile() calls),
    // we break the passed slice into raw parts and destroy all references to
    // it.
    pub fn allow<T>(major: usize, minor: usize, region: &'static mut [T]) -> AllowRegion<T> {
        // Split region into its parts (raw data + length), then drop it. This
        // prevents the compiler from touching that memory, apart from our
        // *_volatile calls.
        let data = unsafe { core::ptr::NonNull::new_unchecked(region.as_mut_ptr()) };
        let len = region.len();
        drop(region);
        // TODO: Do the raw allow here. Note that even if the allow failed, we cannot be
        // sure the capsule didn't keep a copy of it, so we cannot return the
        // region reference. However, we can still return an AllowRegion, even
        // if the grant failed, so perhaps should return a tuple of AllowRegion
        // and a success/error code.

        // Return the new allow region.
        AllowRegion { data, len }
    }

[torfmaster]

@jrvanwhy I have issues understanding your comment.

&UnsafeCell is still dereferenceable, so the UB persists with this design.

But it is unsafe.

Instead, we need to replace all references to the buffer with raw pointers.

raw pointers are also dereferenceable but this is unsafe.

I have issues understanding your code snippet. In my eyes AllowRegion::get should be unsafe as it dereferences arbitrary pointers. But the whole point of using an AllowRegion should be sharing memory safely (i.e. in absence of aliasing issues).

[jrvanwhy]

I should clarify: when I said "dereferenceable" in my previous comment, I was referring to LLVM's dereferenceable attribute: https://llvm.org/docs/LangRef.html#dereferenceable-metadata. In Rust, references (including references to UnsafeCell) are deferenceable but raw pointers are not.

[torfmaster]

when I said "dereferenceable" in my previous comment, I was referring to LLVM's dereferenceable attribute:

I don't understand how this exactly relates to the issue this PR is aiming to solve and from what I understand the problem you are trying to solve is beyond the aliasing rules of Rust in particular and probably also beyond the safety guarantuees of Rust in general.

Your proposal (from the code snippet) is about implementing an alternative to UnsafeCell and requires a lot more effort to be really a safe implementation of shared memory (e.g. it requires phantom lifetimes).

My proposal is: Let us merge this PR once it improves the library safety-wise. Open an issue (or more...) describing the exact problem the implementation still has and let us develop a PR fixing this particular problem after this PR is merged.

[jrvanwhy]

when I said "dereferenceable" in my previous comment, I was referring to LLVM's dereferenceable attribute:

I don't understand how this exactly relates to the issue this PR is aiming to solve

It is undefined behavior to have a dereferenceable (in the LLVM sense) pointer to memory that is modified by an unknown-to-LLVM entity (such as the kernel). Therefore, it is important that the pointer type used to refer to the shared memory is not dereferenceable. There is a lot of background on this in the following issue and other issues it links to: rust-lang/unsafe-code-guidelines#33.

My proposal is: Let us merge this PR once it improves the library safety-wise.

This PR has no effect on the library's memory safety properties. As-is, it does not remove any source of undefined behavior.

[torfmaster]

Thank you for the reference to the issue (#33), I didn't know it and I am happy to learn about that from you.

This PR has no effect on the library's memory safety properties. As-is, it does not remove any source of undefined behavior.

This depends on the perspective, still. From the perspective of what is currently (i.e. merged to master) consensus (i.e. https://doc.rust-lang.org/stable/reference/behavior-considered-undefined.html) this PR removes a source of UB.

However, I still would recommend to not do your suggested change in this PR, for two reasons:

• you are referring to an ongoing discussion about the memory model of Rust which has not come to an end (and didn't have any effect on the official Rust reference so far)
• re-implementing something safer than UnsafeCell requires some care and I would like to do that change in isolation. Eventually, such a TockCell would probably make sense for us.

I would at least consider https://github.com/rust-embedded/wg/pull/387/files#diff-deb4784915d448685e0ca924234ecc03R476, i.e. waiting until the issues with UnsafeCell/VolatileCell get fixed upstream.

[jrvanwhy]

This PR has no effect on the library's memory safety properties. As-is, it does not remove any source of undefined behavior.

This depends on the perspective, still. From the perspective of what is currently (i.e. merged to master) consensus (i.e. https://doc.rust-lang.org/stable/reference/behavior-considered-undefined.html) this PR removes a source of UB.

Ah, I didn't think about that document. I agree, this PR does remove a documented source of UB.

[torfmaster]

Ah, I didn't think about that document. I agree, this PR does remove a documented source of UB.

@jrvanwhy So would it make sense to merge this PR in your eyes?

[jrvanwhy]

Ah, I didn't think about that document. I agree, this PR does remove a documented source of UB.

@jrvanwhy So would it make sense to merge this PR in your eyes?

I think so. That said, I expect to refactor the syscall/platform code soon. My current TODO list is as follows:

1. Add the QEMU test invocation to make test #199
2. Add code size tooling to libtock-rs
3. Refactor syscall and platform layer (goals: remove UB, better testability)

Note that license header tooling may become my top priority (based on past core WG meetings) somewhere in there, but I don't expect that to take too long.

[torfmaster]

So as this PR has two approvals can someone do a "bors r+", please?

[Woyten]

Could you remove the AsMuts before I bors r+?

[Woyten]

Could you revert this?

[Woyten]

And this.

[Woyten]

Do we need a second lifetime here?

[Woyten]

Revert?

[Woyten]

Revert this?

[jrvanwhy]

The Tock 1.0 libtock-rs crates have been removed from the repository, so this PR is obsolete. The Tock 2.0 libtock-rs crates have a substantially different Read-Write Allow interface, which does not have the soundness issue that this PR was created to address.