Skip to content

Commit

Permalink
epoch: Fix stacked borrows violations
Browse files Browse the repository at this point in the history
  • Loading branch information
taiki-e committed Jul 20, 2022
1 parent 7ef27ed commit fcafef5
Show file tree
Hide file tree
Showing 4 changed files with 60 additions and 51 deletions.
9 changes: 3 additions & 6 deletions ci/miri.sh
Original file line number Diff line number Diff line change
Expand Up @@ -16,8 +16,7 @@ MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disab
-p crossbeam-utils \
-p crossbeam-channel 2>&1 | ts -i '%.s '

# -Zmiri-disable-stacked-borrows is needed for https://github.com/crossbeam-rs/crossbeam/issues/545
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disable-isolation -Zmiri-disable-stacked-borrows" \
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disable-isolation" \
cargo miri test \
-p crossbeam-epoch 2>&1 | ts -i '%.s '

Expand All @@ -27,15 +26,13 @@ MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disab
cargo miri test \
-p crossbeam-skiplist 2>&1 | ts -i '%.s '

# -Zmiri-disable-stacked-borrows is needed for https://github.com/crossbeam-rs/crossbeam/issues/545
# -Zmiri-compare-exchange-weak-failure-rate=0.0 is needed because some sequential tests (e.g.,
# doctest of Stealer::steal) incorrectly assume that sequential weak CAS will never fail.
# -Zmiri-preemption-rate=0 is needed because this code technically has UB and Miri catches that.
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disable-stacked-borrows -Zmiri-compare-exchange-weak-failure-rate=0.0 -Zmiri-preemption-rate=0" \
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-compare-exchange-weak-failure-rate=0.0 -Zmiri-preemption-rate=0" \
cargo miri test \
-p crossbeam-deque 2>&1 | ts -i '%.s '

# -Zmiri-disable-stacked-borrows is needed for https://github.com/crossbeam-rs/crossbeam/issues/545
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check -Zmiri-disable-stacked-borrows" \
MIRIFLAGS="-Zmiri-strict-provenance -Zmiri-symbolic-alignment-check" \
cargo miri test \
-p crossbeam 2>&1 | ts -i '%.s '
54 changes: 35 additions & 19 deletions crossbeam-epoch/src/atomic.rs
Original file line number Diff line number Diff line change
Expand Up @@ -184,7 +184,7 @@ pub trait Pointable {
/// - The given `ptr` should have been initialized with [`Pointable::init`].
/// - `ptr` should not have yet been dropped by [`Pointable::drop`].
/// - `ptr` should not be mutably dereferenced by [`Pointable::deref_mut`] concurrently.
unsafe fn deref<'a>(ptr: *mut ()) -> &'a Self;
unsafe fn as_ptr(ptr: *mut ()) -> *const Self;

/// Mutably dereferences the given pointer.
///
Expand All @@ -194,7 +194,7 @@ pub trait Pointable {
/// - `ptr` should not have yet been dropped by [`Pointable::drop`].
/// - `ptr` should not be dereferenced by [`Pointable::deref`] or [`Pointable::deref_mut`]
/// concurrently.
unsafe fn deref_mut<'a>(ptr: *mut ()) -> &'a mut Self;
unsafe fn as_mut_ptr(ptr: *mut ()) -> *mut Self;

/// Drops the object pointed to by the given pointer.
///
Expand All @@ -216,12 +216,12 @@ impl<T> Pointable for T {
Box::into_raw(Box::new(init)) as *mut ()
}

unsafe fn deref<'a>(ptr: *mut ()) -> &'a Self {
&*(ptr as *const T)
unsafe fn as_ptr(ptr: *mut ()) -> *const Self {
ptr as *const T
}

unsafe fn deref_mut<'a>(ptr: *mut ()) -> &'a mut Self {
&mut *(ptr as *mut T)
unsafe fn as_mut_ptr(ptr: *mut ()) -> *mut Self {
ptr as *mut T
}

unsafe fn drop(ptr: *mut ()) {
Expand Down Expand Up @@ -276,18 +276,20 @@ impl<T> Pointable for [MaybeUninit<T>] {
ptr as *mut ()
}

unsafe fn deref<'a>(ptr: *mut ()) -> &'a Self {
let array = &*(ptr as *const Array<T>);
slice::from_raw_parts(array.elements.as_ptr() as *const _, array.len)
unsafe fn as_ptr(ptr: *mut ()) -> *const Self {
let array = ptr as *mut Array<T>;
// deallocation requires raw/mut provenance: <https://github.com/rust-lang/rust/pull/67339>
let data = ptr::addr_of_mut!((*array).elements);
slice::from_raw_parts(data as *const _, (*array).len)
}

unsafe fn deref_mut<'a>(ptr: *mut ()) -> &'a mut Self {
let array = &*(ptr as *mut Array<T>);
slice::from_raw_parts_mut(array.elements.as_ptr() as *mut _, array.len)
unsafe fn as_mut_ptr(ptr: *mut ()) -> *mut Self {
let array = &mut *(ptr as *mut Array<T>);
slice::from_raw_parts_mut(array.elements.as_mut_ptr(), array.len)
}

unsafe fn drop(ptr: *mut ()) {
let array = &*(ptr as *mut Array<T>);
let array = &mut *(ptr as *mut Array<T>);
let size = mem::size_of::<Array<T>>() + mem::size_of::<MaybeUninit<T>>() * array.len;
let align = mem::align_of::<Array<T>>();
let layout = alloc::Layout::from_size_align(size, align).unwrap();
Expand Down Expand Up @@ -1001,7 +1003,7 @@ impl<T: ?Sized + Pointable> fmt::Pointer for Atomic<T> {
fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
let data = self.data.load(Ordering::SeqCst);
let (raw, _) = decompose_tag::<T>(data);
fmt::Pointer::fmt(&(unsafe { T::deref(raw) as *const _ }), f)
fmt::Pointer::fmt(&(unsafe { T::as_ptr(raw) }), f)
}
}

Expand Down Expand Up @@ -1287,14 +1289,14 @@ impl<T: ?Sized + Pointable> Deref for Owned<T> {

fn deref(&self) -> &T {
let (raw, _) = decompose_tag::<T>(self.data);
unsafe { T::deref(raw) }
unsafe { &*T::as_ptr(raw) }
}
}

impl<T: ?Sized + Pointable> DerefMut for Owned<T> {
fn deref_mut(&mut self) -> &mut T {
let (raw, _) = decompose_tag::<T>(self.data);
unsafe { T::deref_mut(raw) }
unsafe { &mut *T::as_mut_ptr(raw) }
}
}

Expand Down Expand Up @@ -1480,7 +1482,7 @@ impl<'g, T: ?Sized + Pointable> Shared<'g, T> {
/// ```
pub unsafe fn deref(&self) -> &'g T {
let (raw, _) = decompose_tag::<T>(self.data);
T::deref(raw)
&*T::as_ptr(raw)
}

/// Dereferences the pointer.
Expand Down Expand Up @@ -1522,7 +1524,7 @@ impl<'g, T: ?Sized + Pointable> Shared<'g, T> {
/// ```
pub unsafe fn deref_mut(&mut self) -> &'g mut T {
let (raw, _) = decompose_tag::<T>(self.data);
T::deref_mut(raw)
&mut *T::as_mut_ptr(raw)
}

/// Converts the pointer to a reference.
Expand Down Expand Up @@ -1562,10 +1564,24 @@ impl<'g, T: ?Sized + Pointable> Shared<'g, T> {
if raw.is_null() {
None
} else {
Some(T::deref(raw))
Some(&*T::as_ptr(raw))
}
}

pub(crate) unsafe fn as_non_null(&self) -> Option<*const T> {
let (raw, _) = decompose_tag::<T>(self.data);
if raw.is_null() {
None
} else {
Some(T::as_ptr(raw))
}
}

pub(crate) unsafe fn as_ptr(&self) -> *const T {
let (raw, _) = decompose_tag::<T>(self.data);
T::as_ptr(raw)
}

/// Takes ownership of the pointee.
///
/// # Panics
Expand Down
16 changes: 6 additions & 10 deletions crossbeam-epoch/src/internal.rs
Original file line number Diff line number Diff line change
Expand Up @@ -609,22 +609,18 @@ impl Local {
}

impl IsElement<Local> for Local {
fn entry_of(local: &Local) -> &Entry {
fn entry_of(local: *const Local) -> *const Entry {
unsafe {
let entry_ptr =
(local as *const Local as *const u8).add(offset_of!(Local, entry)) as *const Entry;
&*entry_ptr
(local as *const Local as *const u8).add(offset_of!(Local, entry)) as *const Entry
}
}

unsafe fn element_of(entry: &Entry) -> &Local {
let local_ptr =
(entry as *const Entry as *const u8).sub(offset_of!(Local, entry)) as *const Local;
&*local_ptr
unsafe fn element_of(entry: *const Entry) -> *const Local {
(entry as *const Entry as *const u8).sub(offset_of!(Local, entry)) as *const Local
}

unsafe fn finalize(entry: &Entry, guard: &Guard) {
guard.defer_destroy(Shared::from(Self::element_of(entry) as *const _));
unsafe fn finalize(entry: *const Entry, guard: &Guard) {
guard.defer_destroy(Shared::from(Self::element_of(entry)));
}
}

Expand Down
32 changes: 16 additions & 16 deletions crossbeam-epoch/src/sync/list.rs
Original file line number Diff line number Diff line change
Expand Up @@ -66,7 +66,7 @@ pub(crate) struct Entry {
///
pub(crate) trait IsElement<T> {
/// Returns a reference to this element's `Entry`.
fn entry_of(_: &T) -> &Entry;
fn entry_of(_: *const T) -> *const Entry;

/// Given a reference to an element's entry, returns that element.
///
Expand All @@ -80,15 +80,15 @@ pub(crate) trait IsElement<T> {
///
/// The caller has to guarantee that the `Entry` is called with was retrieved from an instance
/// of the element type (`T`).
unsafe fn element_of(_: &Entry) -> &T;
unsafe fn element_of(_: *const Entry) -> *const T;

/// The function that is called when an entry is unlinked from list.
///
/// # Safety
///
/// The caller has to guarantee that the `Entry` is called with was retrieved from an instance
/// of the element type (`T`).
unsafe fn finalize(_: &Entry, _: &Guard);
unsafe fn finalize(_: *const Entry, _: &Guard);
}

/// A lock-free, intrusive linked list of type `T`.
Expand Down Expand Up @@ -173,16 +173,16 @@ impl<T, C: IsElement<T>> List<T, C> {
// Insert right after head, i.e. at the beginning of the list.
let to = &self.head;
// Get the intrusively stored Entry of the new element to insert.
let entry: &Entry = C::entry_of(container.deref());
let entry: *const Entry = C::entry_of(container.as_ptr());
// Make a Shared ptr to that Entry.
let entry_ptr = Shared::from(entry as *const _);
let entry_ptr = Shared::from(entry);
// Read the current successor of where we want to insert.
let mut next = to.load(Relaxed, guard);

loop {
// Set the Entry of the to-be-inserted element to point to the previous successor of
// `to`.
entry.next.store(next, Relaxed);
(*entry).next.store(next, Relaxed);
match to.compare_exchange_weak(next, entry_ptr, Release, Relaxed, guard) {
Ok(_) => break,
// We lost the race or weak CAS failed spuriously. Update the successor and try
Expand Down Expand Up @@ -225,7 +225,7 @@ impl<T, C: IsElement<T>> Drop for List<T, C> {
// Verify that all elements have been removed from the list.
assert_eq!(succ.tag(), 1);

C::finalize(curr.deref(), guard);
C::finalize(curr.as_ptr(), guard);
curr = succ;
}
}
Expand All @@ -236,8 +236,8 @@ impl<'g, T: 'g, C: IsElement<T>> Iterator for Iter<'g, T, C> {
type Item = Result<&'g T, IterError>;

fn next(&mut self) -> Option<Self::Item> {
while let Some(c) = unsafe { self.curr.as_ref() } {
let succ = c.next.load(Acquire, self.guard);
while let Some(c) = unsafe { self.curr.as_non_null() } {
let succ = unsafe { (*c).next.load(Acquire, self.guard) };

if succ.tag() == 1 {
// This entry was removed. Try unlinking it from the list.
Expand All @@ -257,7 +257,7 @@ impl<'g, T: 'g, C: IsElement<T>> Iterator for Iter<'g, T, C> {
// deallocation. Deferred drop is okay, because `list.delete()` can only be
// called if `T: 'static`.
unsafe {
C::finalize(self.curr.deref(), self.guard);
C::finalize(self.curr.as_ptr(), self.guard);
}

// `succ` is the new value of `self.pred`.
Expand All @@ -284,10 +284,10 @@ impl<'g, T: 'g, C: IsElement<T>> Iterator for Iter<'g, T, C> {
}

// Move one step forward.
self.pred = &c.next;
self.pred = unsafe { &(*c).next };
self.curr = succ;

return Some(Ok(unsafe { C::element_of(c) }));
return Some(Ok(unsafe { &*C::element_of(c) }));
}

// We reached the end of the list.
Expand All @@ -303,16 +303,16 @@ mod tests {
use std::sync::Barrier;

impl IsElement<Entry> for Entry {
fn entry_of(entry: &Entry) -> &Entry {
fn entry_of(entry: *const Entry) -> *const Entry {
entry
}

unsafe fn element_of(entry: &Entry) -> &Entry {
unsafe fn element_of(entry: *const Entry) -> *const Entry {
entry
}

unsafe fn finalize(entry: &Entry, guard: &Guard) {
guard.defer_destroy(Shared::from(Self::element_of(entry) as *const _));
unsafe fn finalize(entry: *const Entry, guard: &Guard) {
guard.defer_destroy(Shared::from(Self::element_of(entry)));
}
}

Expand Down

0 comments on commit fcafef5

Please sign in to comment.