Extension of IL verification rules to address ref returns #17
Conversation
…w byref returns and validate that they are used in type-safe manner.
VSadov
changed the title
terrajobst
changed the title
proposed/verifiable-ref-returns.md
Outdated
|
|
||
| ## Metadata encoding of returnable local slots ## | ||
|
|
||
| Local slots can be marked as returnable by applying `modopt[System.Runtime.CompilerServices.IsReturnableAttribute]` in the local signature. |
There was a problem hiding this comment.
Is there a particular reason to use an Attribute suffix here? This will serve similar purpose as System.Runtime.CompilerServices.IsVolatile or IsConst. Those are not attributes either.
There was a problem hiding this comment.
No, no reason to be an attribute.
In the parallel case with readonly references, it seems appropriate to use IsReadOnlyAttribute since that is used in other places to express readonliness.
I could not think of a similar existing type for "returnable", so I suggest IsReturnableAttribute just for similarity, but you are right - it does not need to be an attribute or even a new type.
Any alternative ideas here would be appreciated, but we need to pick some type.
| - `LDFLDA` when the receiver is a returnable ref (see: C# rule #4) | ||
| - `LDARG` of a byref parameter (see: C# rule #2, #3), | ||
| except for arg0 in a struct method (see: C# rule #5). | ||
| - `CALL`, `CALLVIRT` when all reference arguments are returnable. (see: C# rule 6) |
There was a problem hiding this comment.
Should this also apply to CALLI?
There was a problem hiding this comment.
The rule could include CALLI for completeness. However CALLI cannot be present in verifiable code so generalization would not make much difference.
There was a problem hiding this comment.
However
CALLIcannot be present in verifiable code
Why not? ECMA-335 defines verification rules for when CALLI is verifiable. It's not like JMP (whose verification rules are simply "The jmp instruction is never verifiable").
There was a problem hiding this comment.
Is it? Perhaps I think of it as unverifiable because it invariably involves pointers.
Anyways, no problem with including it.
There was a problem hiding this comment.
I think, I should mention varargs/arglist case as well.
C# compiler does consider them for the purpose of "any ref argument can potentially come back as a ref return"
|
Merging this, since this has been opened for a long time, and informally approved by interested parties. NOTE: The proposal does not have direct impact on the language, but has effect on the compiler. |
|
@VSadov Based on your own comments "I think, I should mention varargs/arglist case as well.", the question around verification of CALLI, and not giving this |
|
@MichalStrehovsky - will make the update regarding As for the type to mark returnable local slots - any good ideas? Ideally that would be a preexisting type that exists everywhere - like |
I think we need a new type ( |
A proposal for extension of IL verification rules that would allow byref returns in verifiable code and validate that they are used in type-safe manner.
Motivation -
There seems to be enough interest in making typesafe code emitted by current compilers formally verifiable, so we need a central location where we discuss and agree on the rules.
The other areas that would need to be addressed are: readonly references (type-safe code may not be verifiable according to current rules) and ref-structs (opposite: current rules are insufficient to detect type-safety violations).
However, we need to start with something, so let’s start with ref returns.
Immediately actionable pieces: