Add debug assertions to raw pointer methods testing for unaligned/NULL pointers

[RalfJung]

In #53783, we document more precisely the rules for the various methods that can be used to access memory through raw pointers. In particular, we clarify that the pointer must be non-NULL and aligned even when the access has size 0.

This issue is about helping people find bugs in libstd by adding a debug_assert! to all these methods testing that condition, similar to what I did for from_raw_parts. I suggest to add a helper method to raw pointers to test this, and also use that for from_raw_parts and from_raw_parts_mut.

This may uncover issues in libstd, uncovering misuses of these methods. Those should then be fixed.

[nitnelave]

I might be interested in working on that. Could you help me with a starting point for that?

[RalfJung]

You might want to start with https://doc.rust-lang.org/nightly/std/ptr/fn.write_bytes.html. It could get a check similar to

rust/src/libcore/slice/mod.rs

Line 4883 in 7164a9f

debug_assert!(data as usize % mem::align_of::<T>() == 0, "attempt to create unaligned slice");

To avoid code duplication, consider adding a (private) helper method in ptr.rs for this purpose, and using it in both the old places (from_raw_parts{,_mut}) and write_bytes.

Other candidates besides write_bytes are copy and copy_nonoverlapping. We could also go further, but maybe we should involve the libs team there... so let's get started with these 3.

[nitnelave]

Sorry for the delay, it took me a while to free up some time. Quick questions:

• I found write_bytes in libcore/ptr.rs. However, one is just a delegation to the intrinsic, and the other one is for *const T, which is just a call to the previous one. Should I hunt the intrinsic in the C code, or provide a rust wrapper that will check the assumptions and call the intrinsic?
• I couldn't find a from_raw_parts in ptr.rs. The only ones I could find were for vec, string, slice and in libstd/sys/sgx/abi/usercalls/alloc.rs. Am I missing something?

[nitnelave]

Ah, intrinsics are still written in Rust, but as code generation functions. Well, I guess adding debug assertions everywhere in the intrinsics would be counter-productive, so we're going for the wrapper? Although, I'm not sure how to cleanly hijack the interface: I have to keep using the same function name for the callers, so that I don't have to change their code, but unless I don't understand how it works, I also need to have the same signature including the function name for the code generation. How should I proceed?

[RalfJung]

Ah good point, I forgot about these reexports.

I think the right way forward is to replace this line by a wrapper function that just calls the intrinsic. The docs should be moved from intrinsics.rs to ptr.rs. That move should be a total NOP.

The, in the 2nd step, you can add the debug_assert! in the delegating wrapper you just added.

couldn't find a from_raw_parts in ptr.rs

Sorry, I meant the one in slice.rs. It already has a debug_assert!, but that does not test as much as it could (i.e., it accepts NULL).

[RalfJung]

@nitnelave Congrats, your patch landed. :) So with the preparation out of the way, let me know if you need any help with adding the debug assertions.

[nitnelave]

Thanks! I should be okay, I just need to find the time :) I'll ping you when it's ready for review.

…

On Tue, Feb 26, 2019 at 9:45 AM Ralf Jung ***@***.***> wrote: @nitnelave <https://github.com/nitnelave> Congrats, your patch landed. :) So with the reparation out of the way, let me know if you need any help with adding the debug assertions. — You are receiving this because you were mentioned. Reply to this email directly, view it on GitHub <#53871 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AAwn2aSaZalWPVSbL7bsRV1f3cd3QvYhks5vRPQLgaJpZM4WV2qN> .

[RalfJung]

Cc #51713