-
Notifications
You must be signed in to change notification settings - Fork 352
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
add -Zmiri-strict-provenance #2045
Conversation
And don't forget |
I'm trying to convince the community that In that context, I propose to rename this flag to Ideally I would like specific functions to stdlib for strict-provenance conversions, so that we have interpret both sets of operations differently in Miri. But we can't do that in this MR. So a rename is preferable. |
@bgeron I don't quite see what that extra "only" would accomplish. The entire thing is called "strict provenance experiment", and "following strict provenance" means to follow the rules of the experiment. The confusion is around whether rustc is been given license to assume that all code follows strict provenance (no, it is not). But following strict provenance makes it much easier (or sometimes is required to make it possible) to check your code with Miri or CHERI, and that is what this flag corresponds to. What the flag does is enforce the rules of strict provenance. If anything we could name it |
That would basically mean not having a strict provenance memory model, so it doesn't need a flag. It is currently the default. Maybe one day we can swap the default, but that's a different question. |
Fair point. |
@bors r+ |
📌 Commit 9af03bf has been approved by |
☀️ Test successful - checks-actions |
410: Enable strict provenance in Miri. r=jrvanwhy a=jrvanwhy This merges the two miri commands together, as strict provenance is strictly more restrictive than all other configurations. See rust-lang/miri#2045 for some more background on `-Zmiri-strict-provenance`. Closes #400 Co-authored-by: Johnathan Van Why <[email protected]>
This implements strict provenance in Miri. The only change is that casting an integer to a pointer does not even attempt to produce a good provenance for the given address; instead, it always uses the invalid provenance. This stricter than even
-Zmiri-tag-raw-pointers
in that it also rejects the following example (which does not even involve Stacked Borrows):The new flag also implies
-Zmiri-tag-raw-pointers
since the only reason one would not want to tag raw pointers is to support ptr-int-ptr roundtrips.Note that the flag does not check against ptr-to-int transmutes; that still requires
-Zmiri-check-number-validity
. You can also check for strict provenance without Stacked Borrows by adding-Zmiri-disable-stacked-borrows
.The new "Miri hard mode" flags for maximal checking are
-Zmiri-strict-provenance -Zmiri-check-number-validity
. (Add-Zmiri-symbolic-alignment-check
if you feel extra spicy today.)