-
Notifications
You must be signed in to change notification settings - Fork 12.7k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
stabilize Strict Provenance and Exposed Provenance APIs #130350
Conversation
rustbot has assigned @Mark-Simulacrum. Use |
The Miri subtree was changed cc @rust-lang/miri Portable SIMD is developed in its own repository. If possible, consider making this change to rust-lang/portable-simd instead. |
This comment has been minimized.
This comment has been minimized.
3652514
to
fec397d
Compare
This comment has been minimized.
This comment has been minimized.
d42b82f
to
f3df34f
Compare
One thing I'm not entirely sure about is: if we ever plan to support actual targets (as opposed to just running under miri) that cannot implement Personally I would prefer the functions to simply not exist if they can't act according to the docs, akin to target specific atomic types. That way, if a user of a library tries to run the library on a target that doesn't support expose, they get told upfront that the library can't be used. Not that I would expect that to come up much, since as far as I know every current target can implement expose, and anyone running code on CHERI or similar would need to audit their libraries anyways (since |
I'm not sure. But no such target is supported right now, and
I think I'd prefer that, too (and doing the same with |
Makes sense, as long as this isn't stabilizing the fact that these functions will always exist on all (even future) targets, it's fine as-is, I was unsure if that's what it meant. My bad! |
This comment has been minimized.
This comment has been minimized.
18a2985
to
d8636a5
Compare
This comment has been minimized.
This comment has been minimized.
d8636a5
to
01e8884
Compare
This comment was marked as outdated.
This comment was marked as outdated.
Also asked on zulip, but posting here as well because I find zulip confusing (and so it doesn't get lost):
In particular, if the underlying LLVM semantics aren't fully figured out, should Rust really stabilise the high level API before that? |
It won’t be implemented. |
For the purposes of this discussion, maybe. But your model has gaping security issues and huge overheads, so calling it CHERI is disingenuous, confusing and risks people thinking that those are real issues with CHERI. It is generally best to present a faithful approximation as a model rather than something quite different that happens to have similar properties within the context of this discussion. |
This may be true for C which has been designed decades ago, but I think that Rust should reasonably strive for something like CHERI (and in general any predictable future execution environment change) to NOT be a breaking change, and in fact be something that is seamless to adopt, which means not encouraging crates to depend on APIs that are planned to not be supported there. One possibility is to design with API with CHERI-like systems in mind; another is to discourage its direct usage and instead have crates rely on a wrapper crate that uses the API when available and does something like the global interval tree map construction on CHERI-like architectures. I think it might be better to directly support the API everywhere since it avoids the burden of having people learn about the third-party crate and avoids the risk of them using the API directly when they shouldn't. |
For some embedded hardware it is literally impossible to program it in a CHERI-compatible way. So I'm afraid your utopia is not going to happen. Instead we're doing what we generally do in Rust: we give people a nice tool that covers >90% of the usecases (and fully works on CHERI), and then for the few cases where that's not enough we give people the tools they require to Get The Job Done, even if that means handing them a loaded gun. The Strict Provenance API has been designed with CHERI in mind, and this PR will improve the Rust ecosystem support for CHERI by pushing people towards using that API. This is the wrong thread to suggest that Rust should be 100% CHERI compatible. This PR does not add any fundamentally new CHERI-incompatible operation to Rust, it just gives a new name to an existing such operation (namely the But meanwhile, please stop derailing this PR, or I'll have to lock it to contributors. |
🔔 This is now entering its final comment period, as per the review above. 🔔 |
☔ The latest upstream changes (presumably #131635) made this pull request unmergeable. Please resolve the merge conflicts. |
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
This comes with a big docs rewrite.
5be50af
to
21a330e
Compare
@traviscross @dtolnay @scottmcm @CAD97 you all left approving reviews, would one of you like to tell bors about the good news? ;) |
This comment has been minimized.
This comment has been minimized.
Too late, @rust-log-analyzer gave some bad news ;) |
21a330e
to
56ee492
Compare
@bors r+ |
…iaskrgr Rollup of 7 pull requests Successful merges: - rust-lang#130350 (stabilize Strict Provenance and Exposed Provenance APIs) - rust-lang#131737 (linkchecker: add a reminder on broken links to add new/renamed pages to `SUMMARY.md` for mdBooks) - rust-lang#131991 (test: Add test for trait in FQS cast, issue rust-lang#98565) - rust-lang#131997 (Make `rustc_abi` compile on stable again) - rust-lang#131999 (Improve test coverage for `unit_bindings` lint) - rust-lang#132001 (fix coherence error for very large tuples™) - rust-lang#132003 (update ABI compatibility docs for new option-like rules) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#130350 - RalfJung:strict-provenance, r=dtolnay stabilize Strict Provenance and Exposed Provenance APIs Given that [RFC 3559](https://rust-lang.github.io/rfcs/3559-rust-has-provenance.html) has been accepted, t-lang has approved the concept of provenance to exist in the language. So I think it's time that we stabilize the strict provenance and exposed provenance APIs, and discuss provenance explicitly in the docs: ```rust // core::ptr pub const fn without_provenance<T>(addr: usize) -> *const T; pub const fn dangling<T>() -> *const T; pub const fn without_provenance_mut<T>(addr: usize) -> *mut T; pub const fn dangling_mut<T>() -> *mut T; pub fn with_exposed_provenance<T>(addr: usize) -> *const T; pub fn with_exposed_provenance_mut<T>(addr: usize) -> *mut T; impl<T: ?Sized> *const T { pub fn addr(self) -> usize; pub fn expose_provenance(self) -> usize; pub fn with_addr(self, addr: usize) -> Self; pub fn map_addr(self, f: impl FnOnce(usize) -> usize) -> Self; } impl<T: ?Sized> *mut T { pub fn addr(self) -> usize; pub fn expose_provenance(self) -> usize; pub fn with_addr(self, addr: usize) -> Self; pub fn map_addr(self, f: impl FnOnce(usize) -> usize) -> Self; } impl<T: ?Sized> NonNull<T> { pub fn addr(self) -> NonZero<usize>; pub fn with_addr(self, addr: NonZero<usize>) -> Self; pub fn map_addr(self, f: impl FnOnce(NonZero<usize>) -> NonZero<usize>) -> Self; } ``` I also did a pass over the docs to adjust them, because this is no longer an "experiment". The `ptr` docs now discuss the concept of provenance in general, and then they go into the two families of APIs for dealing with provenance: Strict Provenance and Exposed Provenance. I removed the discussion of how pointers also have an associated "address space" -- that is not actually tracked in the pointer value, it is tracked in the type, so IMO it just distracts from the core point of provenance. I also adjusted the docs for `with_exposed_provenance` to make it clear that we cannot guarantee much about this function, it's all best-effort. There are two unstable lints associated with the strict_provenance feature gate; I moved them to a new [strict_provenance_lints](rust-lang#130351) feature since I didn't want this PR to have an even bigger FCP. ;) `@rust-lang/opsem` Would be great to get some feedback on the docs here. :) Nominating for `@rust-lang/libs-api.` Part of rust-lang#95228. [FCP comment](rust-lang#130350 (comment))
Given that RFC 3559 has been accepted, t-lang has approved the concept of provenance to exist in the language. So I think it's time that we stabilize the strict provenance and exposed provenance APIs, and discuss provenance explicitly in the docs:
I also did a pass over the docs to adjust them, because this is no longer an "experiment". The
ptr
docs now discuss the concept of provenance in general, and then they go into the two families of APIs for dealing with provenance: Strict Provenance and Exposed Provenance. I removed the discussion of how pointers also have an associated "address space" -- that is not actually tracked in the pointer value, it is tracked in the type, so IMO it just distracts from the core point of provenance. I also adjusted the docs forwith_exposed_provenance
to make it clear that we cannot guarantee much about this function, it's all best-effort.There are two unstable lints associated with the strict_provenance feature gate; I moved them to a new strict_provenance_lints feature since I didn't want this PR to have an even bigger FCP. ;)
@rust-lang/opsem Would be great to get some feedback on the docs here. :)
Nominating for @rust-lang/libs-api.
Part of #95228.
FCP comment