Initial work on permissive provenance

Author: carbotaniuman

src/bin/miri.rs

@@ -367,6 +367,10 @@ fn main() {
                     miri_config.tag_raw = true;
                     miri_config.check_number_validity = true;
                 }
+                "-Zmiri-permissive-provenance" => {
+                    miri_config.permissive_provenance = true;
+                    miri_config.tag_raw = true;
+                }
                 "-Zmiri-track-raw-pointers" => {
                     eprintln!(
                         "WARNING: -Zmiri-track-raw-pointers has been renamed to -Zmiri-tag-raw-pointers, the old name is deprecated."

src/eval.rs

@@ -111,6 +111,10 @@ pub struct MiriConfig {
     pub panic_on_unsupported: bool,
     /// Which style to use for printing backtraces.
     pub backtrace_style: BacktraceStyle,
+    /// Whether to allow "permissive provenance" rules. Enabling this means int2ptr casts return
+    /// pointers with "wildcard" provenance that basically match that of all exposed pointers
+    /// (and SB tags, if enabled).
+    pub permissive_provenance: bool,
     /// Whether to enforce "strict provenance" rules. Enabling this means int2ptr casts return
     /// pointers with an invalid provenance, i.e., not valid for any memory access.
     pub strict_provenance: bool,
@@ -139,6 +143,7 @@ impl Default for MiriConfig {
             measureme_out: None,
             panic_on_unsupported: false,
             backtrace_style: BacktraceStyle::Short,
+            permissive_provenance: false,
             strict_provenance: false,
         }
     }

src/helpers.rs

@@ -771,8 +771,13 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
     fn mark_immutable(&mut self, mplace: &MemPlace<Tag>) {
         let this = self.eval_context_mut();
         // This got just allocated, so there definitely is a pointer here.
-        this.alloc_mark_immutable(mplace.ptr.into_pointer_or_addr().unwrap().provenance.alloc_id)
-            .unwrap();
+        let provenance = mplace.ptr.into_pointer_or_addr().unwrap().provenance;
+
+        if let Tag::Concrete(concrete) = provenance {
+            this.alloc_mark_immutable(concrete.alloc_id).unwrap();
+        } else {
+            bug!("Machine allocation that was just created should have concrete provenance");
+        }
     }
 }
 

src/intptrcast.rs

@@ -4,7 +4,7 @@ use std::collections::hash_map::Entry;
 use log::trace;
 use rand::Rng;
 
-use rustc_data_structures::fx::FxHashMap;
+use rustc_data_structures::fx::{FxHashMap, FxHashSet};
 use rustc_target::abi::{HasDataLayout, Size};
 
 use crate::*;
@@ -21,9 +21,16 @@ pub struct GlobalStateInner {
     /// they do not have an `AllocExtra`.
     /// This is the inverse of `int_to_ptr_map`.
     base_addr: FxHashMap<AllocId, u64>,
+    /// Whether an allocation has been exposed or not. This cannot be put
+    /// into `AllocExtra` for the same reason as `base_addr`.
+    exposed: FxHashSet<AllocId>,
     /// This is used as a memory address when a new pointer is casted to an integer. It
     /// is always larger than any address that was previously made part of a block.
     next_base_addr: u64,
+    /// Whether to allow "permissive provenance" rules. Enabling this means int2ptr casts return
+    /// pointers with "wildcard" provenance that basically match that of all exposed pointers
+    /// (and SB tags, if enabled).
+    permissive_provenance: bool,
     /// Whether to enforce "strict provenance" rules. Enabling this means int2ptr casts return
     /// pointers with an invalid provenance, i.e., not valid for any memory access.
     strict_provenance: bool,
@@ -34,24 +41,32 @@ impl GlobalStateInner {
         GlobalStateInner {
             int_to_ptr_map: Vec::default(),
             base_addr: FxHashMap::default(),
+            exposed: FxHashSet::default(),
             next_base_addr: STACK_ADDR,
+            permissive_provenance: config.permissive_provenance,
             strict_provenance: config.strict_provenance,
         }
     }
 }
 
 impl<'mir, 'tcx> GlobalStateInner {
-    pub fn ptr_from_addr(addr: u64, ecx: &MiriEvalContext<'mir, 'tcx>) -> Pointer<Option<Tag>> {
-        trace!("Casting 0x{:x} to a pointer", addr);
+    // Returns the `AllocId` that corresponds to the specified addr,
+    // or `None` if the addr is out of bounds
+    fn alloc_id_from_addr(ecx: &MiriEvalContext<'mir, 'tcx>, addr: u64) -> Option<AllocId> {
         let global_state = ecx.machine.intptrcast.borrow();
 
-        if global_state.strict_provenance {
-            return Pointer::new(None, Size::from_bytes(addr));
-        }
-
         let pos = global_state.int_to_ptr_map.binary_search_by_key(&addr, |(addr, _)| *addr);
-        let alloc_id = match pos {
-            Ok(pos) => Some(global_state.int_to_ptr_map[pos].1),
+
+        match pos {
+            Ok(pos) => {
+                let (_, alloc_id) = global_state.int_to_ptr_map[pos];
+
+                if !global_state.permissive_provenance || global_state.exposed.contains(&alloc_id) {
+                    Some(global_state.int_to_ptr_map[pos].1)
+                } else {
+                    None
+                }
+            }
             Err(0) => None,
             Err(pos) => {
                 // This is the largest of the adresses smaller than `int`,
@@ -60,24 +75,39 @@ impl<'mir, 'tcx> GlobalStateInner {
                 // This never overflows because `addr >= glb`
                 let offset = addr - glb;
                 // If the offset exceeds the size of the allocation, don't use this `alloc_id`.
-                if offset
-                    <= ecx
-                        .get_alloc_size_and_align(alloc_id, AllocCheck::MaybeDead)
-                        .unwrap()
-                        .0
-                        .bytes()
+
+                if (!global_state.permissive_provenance || global_state.exposed.contains(&alloc_id))
+                    && offset
+                        <= ecx
+                            .get_alloc_size_and_align(alloc_id, AllocCheck::MaybeDead)
+                            .unwrap()
+                            .0
+                            .bytes()
                 {
                     Some(alloc_id)
                 } else {
                     None
                 }
             }
-        };
-        // Pointers created from integers are untagged.
-        Pointer::new(
-            alloc_id.map(|alloc_id| Tag { alloc_id, sb: SbTag::Untagged }),
-            Size::from_bytes(addr),
-        )
+        }
+    }
+
+    pub fn expose_addr(ecx: &MiriEvalContext<'mir, 'tcx>, alloc_id: AllocId) {
+        trace!("Exposing allocation id {:?}", alloc_id);
+
+        let mut global_state = ecx.machine.intptrcast.borrow_mut();
+        global_state.exposed.insert(alloc_id);
+    }
+
+    pub fn ptr_from_addr(ecx: &MiriEvalContext<'mir, 'tcx>, addr: u64) -> Pointer<Option<Tag>> {
+        trace!("Casting 0x{:x} to a pointer", addr);
+        let global_state = ecx.machine.intptrcast.borrow();
+
+        if addr == 0 || global_state.strict_provenance {
+            return Pointer::new(None, Size::from_bytes(addr));
+        }
+
+        Pointer::new(Some(Tag::Wildcard), Size::from_bytes(addr))
     }
 
     fn alloc_base_addr(ecx: &MiriEvalContext<'mir, 'tcx>, alloc_id: AllocId) -> u64 {
@@ -128,22 +158,38 @@ impl<'mir, 'tcx> GlobalStateInner {
 
     /// Convert a relative (tcx) pointer to an absolute address.
     pub fn rel_ptr_to_addr(ecx: &MiriEvalContext<'mir, 'tcx>, ptr: Pointer<AllocId>) -> u64 {
-        let (alloc_id, offset) = ptr.into_parts(); // offset is relative (AllocId provenance)
+        let (alloc_id, offset) = ptr.into_parts(); // offset is relative
         let base_addr = GlobalStateInner::alloc_base_addr(ecx, alloc_id);
 
         // Add offset with the right kind of pointer-overflowing arithmetic.
         let dl = ecx.data_layout();
         dl.overflowing_offset(base_addr, offset.bytes()).0
     }
 
-    pub fn abs_ptr_to_rel(ecx: &MiriEvalContext<'mir, 'tcx>, ptr: Pointer<Tag>) -> Size {
+    pub fn abs_ptr_to_rel(
+        ecx: &MiriEvalContext<'mir, 'tcx>,
+        ptr: Pointer<Tag>,
+    ) -> Option<(AllocId, Size)> {
         let (tag, addr) = ptr.into_parts(); // addr is absolute (Tag provenance)
-        let base_addr = GlobalStateInner::alloc_base_addr(ecx, tag.alloc_id);
+
+        let alloc_id = if let Tag::Concrete(concrete) = tag {
+            concrete.alloc_id
+        } else {
+            match GlobalStateInner::alloc_id_from_addr(ecx, addr.bytes()) {
+                Some(alloc_id) => alloc_id,
+                None => return None,
+            }
+        };
+
+        let base_addr = GlobalStateInner::alloc_base_addr(ecx, alloc_id);
 
         // Wrapping "addr - base_addr"
         let dl = ecx.data_layout();
         let neg_base_addr = (base_addr as i64).wrapping_neg();
-        Size::from_bytes(dl.overflowing_signed_offset(addr.bytes(), neg_base_addr).0)
+        Some((
+            alloc_id,
+            Size::from_bytes(dl.overflowing_signed_offset(addr.bytes(), neg_base_addr).0),
+        ))
     }
 
     /// Shifts `addr` to make it aligned with `align` by rounding `addr` to the smallest multiple

src/lib.rs

@@ -66,8 +66,8 @@ pub use crate::eval::{
 };
 pub use crate::helpers::EvalContextExt as HelpersEvalContextExt;
 pub use crate::machine::{
-    AllocExtra, Evaluator, FrameData, MiriEvalContext, MiriEvalContextExt, MiriMemoryKind, Tag,
-    NUM_CPUS, PAGE_SIZE, STACK_ADDR, STACK_SIZE,
+    AllocExtra, ConcreteTag, Evaluator, FrameData, MiriEvalContext, MiriEvalContextExt,
+    MiriMemoryKind, Tag, NUM_CPUS, PAGE_SIZE, STACK_ADDR, STACK_SIZE,
 };
 pub use crate::mono_hash_map::MonoHashMap;
 pub use crate::operator::EvalContextExt as OperatorEvalContextExt;

src/machine.rs

@@ -124,16 +124,22 @@ impl fmt::Display for MiriMemoryKind {
 
 /// Pointer provenance (tag).
 #[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
-pub struct Tag {
+pub enum Tag {
+    Concrete(ConcreteTag),
+    Wildcard,
+}
+
+#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
+pub struct ConcreteTag {
     pub alloc_id: AllocId,
     /// Stacked Borrows tag.
     pub sb: SbTag,
 }
 
 #[cfg(all(target_arch = "x86_64", target_pointer_width = "64"))]
 static_assert_size!(Pointer<Tag>, 24);
-#[cfg(all(target_arch = "x86_64", target_pointer_width = "64"))]
-static_assert_size!(Pointer<Option<Tag>>, 24);
+// #[cfg(all(target_arch = "x86_64", target_pointer_width = "64"))]
+// static_assert_size!(Pointer<Option<Tag>>, 24);
 #[cfg(all(target_arch = "x86_64", target_pointer_width = "64"))]
 static_assert_size!(ScalarMaybeUninit<Tag>, 32);
 
@@ -148,17 +154,30 @@ impl Provenance for Tag {
         let (tag, addr) = ptr.into_parts(); // address is absolute
         write!(f, "0x{:x}", addr.bytes())?;
         // Forward `alternate` flag to `alloc_id` printing.
-        if f.alternate() {
-            write!(f, "[{:#?}]", tag.alloc_id)?;
-        } else {
-            write!(f, "[{:?}]", tag.alloc_id)?;
+
+        match tag {
+            Tag::Concrete(tag) => {
+                if f.alternate() {
+                    write!(f, "[{:#?}]", tag.alloc_id)?;
+                } else {
+                    write!(f, "[{:?}]", tag.alloc_id)?;
+                }
+                // Print Stacked Borrows tag.
+                write!(f, "{:?}", tag.sb)?;
+            }
+            Tag::Wildcard => {
+                write!(f, "[Wildcard]")?;
+            }
         }
-        // Print Stacked Borrows tag.
-        write!(f, "{:?}", tag.sb)
+
+        Ok(())
     }
 
-    fn get_alloc_id(self) -> AllocId {
-        self.alloc_id
+    fn get_alloc_id(self) -> Option<AllocId> {
+        match self {
+            Tag::Concrete(concrete) => Some(concrete.alloc_id),
+            Tag::Wildcard => None,
+        }
     }
 }
 
@@ -594,25 +613,52 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
         } else {
             SbTag::Untagged
         };
-        Pointer::new(Tag { alloc_id: ptr.provenance, sb: sb_tag }, Size::from_bytes(absolute_addr))
+        Pointer::new(
+            Tag::Concrete(ConcreteTag { alloc_id: ptr.provenance, sb: sb_tag }),
+            Size::from_bytes(absolute_addr),
+        )
     }
 
     #[inline(always)]
     fn ptr_from_addr(
         ecx: &MiriEvalContext<'mir, 'tcx>,
         addr: u64,
     ) -> Pointer<Option<Self::PointerTag>> {
-        intptrcast::GlobalStateInner::ptr_from_addr(addr, ecx)
+        intptrcast::GlobalStateInner::ptr_from_addr(ecx, addr)
+    }
+
+    #[inline(always)]
+    fn expose_ptr(
+        ecx: &mut InterpCx<'mir, 'tcx, Self>,
+        ptr: Pointer<Self::PointerTag>,
+    ) -> InterpResult<'tcx> {
+        let (tag, _) = ptr.into_parts();
+
+        // We have a concrete pointer, so we don't need to reify it.
+        if let Tag::Concrete(concrete) = tag {
+            intptrcast::GlobalStateInner::expose_addr(ecx, concrete.alloc_id);
+        }
+
+        // No need to do anything for wildcard pointers as
+        // their provenances have already been previously exposed.
+        Ok(())
     }
 
     /// Convert a pointer with provenance into an allocation-offset pair,
     /// or a `None` with an absolute address if that conversion is not possible.
     fn ptr_get_alloc(
         ecx: &MiriEvalContext<'mir, 'tcx>,
         ptr: Pointer<Self::PointerTag>,
-    ) -> (AllocId, Size, Self::TagExtra) {
+    ) -> Option<(AllocId, Size, Self::TagExtra)> {
         let rel = intptrcast::GlobalStateInner::abs_ptr_to_rel(ecx, ptr);
-        (ptr.provenance.alloc_id, rel, ptr.provenance.sb)
+
+        let (tag, _) = ptr.into_parts();
+        let sb = match tag {
+            Tag::Concrete(ConcreteTag { sb, .. }) => sb,
+            Tag::Wildcard => SbTag::Untagged,
+        };
+
+        rel.map(|(alloc_id, size)| (alloc_id, size, sb))
     }
 
     #[inline(always)]

src/stacked_borrows.rs

@@ -820,7 +820,16 @@ trait EvalContextPrivExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
         this.reborrow(&place, size, kind, new_tag, protect)?;
 
         // Adjust pointer.
-        let new_place = place.map_provenance(|p| p.map(|t| Tag { sb: new_tag, ..t }));
+        let new_place = place.map_provenance(|p| {
+            p.map(|t| {
+                // TODO: Fix this eventually
+                if let Tag::Concrete(t) = t {
+                    Tag::Concrete(ConcreteTag { sb: new_tag, ..t })
+                } else {
+                    t
+                }
+            })
+        });
 
         // Return new pointer.
         Ok(ImmTy::from_immediate(new_place.to_ref(this), val.layout))

tests/compile-fail/ptr_int_guess.rs

@@ -0,0 +1,11 @@
+// compile-flags: -Zmiri-permissive-provenance -Zmiri-disable-stacked-borrows
+
+fn main() {
+    let x: i32 = 3;
+    let x_ptr = &x as *const i32;
+
+    // TODO: switch this to addr() once we intrinsify it
+    let x_usize: usize = unsafe { std::mem::transmute(x_ptr) };
+    let ptr = x_usize as *const i32;
+    assert_eq!(unsafe { *ptr }, 3); //~ ERROR Undefined Behavior: dereferencing pointer failed
+}