CFI: Fix many vtable-related problems #121962

This query computes the trait object, complete with associated type projections for its supertraits, from a trait ref. This is intended for use by CFI shimming.

In preparation to add recursive instance_defs, move this logic to its own convenience method.

Factored out to minimize the amount of noise in the main CfiShim defining patch.

Indirect calls through vtables (trait objects or drop_in_place) expect to have a type based on `dyn Trait` at the call-site. The actual implementations have types based on `MyImplType`. These shims allow the insertion of an explicit cast at the beginning of any instance, allowing a different type to be assigned. These shims function for both CFI and KCFI, as they have a single principal type.

Fixes: 118761

We no longer need the special instance resolution this added, and it can be broken in edge cases (specifically with a FnPtr shim, which will cause the calculation of fn_abi to fail). * We keep the Clone impls it added, because they have since become used by other portions of the compiler. * Add a test for the address-taken calls that this previously broke. This reverts commit 7c7b22e.

Rust will occasionally rely on fn((), X) -> Y being compatible with fn(X) -> Y, since () is a non-passed argument. Relax CFI by choosing not to encode non-passed arguments.

In user-facing Rust, `dyn` always has at least one predicate following it. Unfortunately, because we filter out marker traits and `dyn Sync` is, for example, legal, this results in us having `dyn` types with no predicates on occasion. This patch handles cases where there are no predicates in a `dyn` type.

Current `transform_ty` attempts to avoid cycles when normalizing `#[repr(transparent)]` types to their interior, but runs afoul of this pattern used in `self_cell`: ``` struct X<T> { x: u8, p: PhantomData<T>, } #[repr(transparent)] struct Y(X<Y>); ``` When attempting to normalize Y, it will still cycle indefinitely. By using a types-visited list, this will instead get expanded exactly one layer deep to X<Y>, and then stop, not attempting to normalize `Y` any further.

CFI shimming means they're not gauranteed to be pre-generated. Traditionally, the base vtable has all the elements of the supertrait vtable, and so visiting the base vtable implies you don't need to visit the supertrait vtable. However, with CFI the base vtable entries will have invocation type `dyn Child`, and the parent vtable will have invocation type `dyn Parent`, so they aren't actually the same instance, and both must be visited.

As the instance being called is behind a vtable, it cannot depend on auto traits on the receiver (unless the principal trait requires them, in which case the additional constraint is not needed). Removing this causes the type signature of the `Virtual` instance to match the type signature of the `CfiShim`-wrapped entry in the vtable.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

CFI: Fix many vtable-related problems #121962

CFI: Fix many vtable-related problems #121962

Commits on Mar 6, 2024