
Avoid lossy ptr-int transmutes by using AtomicPtr

Open. saethlin opened this issue 3 years ago, 1 comment

This project looks pretty inactive, but it is still used very widely by the ecosystem and Miri detects UB in it that looks unambiguously bad to me, so that's why I'm submitting a patch for it.

Rust doesn't have a formal memory model yet, but as far as we can tell it isn't sound to round-trip a pointer through an integer via transmutes in a compiler which does provenance-based optimizations (which LLVM and basically all modern compilers currently do). The fix here is pretty easy: we store an AtomicPtr instead of an AtomicUsize and we create our sentinel values using the wrapping_ pointer methods.

This PR is very similar to https://github.com/rust-lang/rust/pull/95621.

saethlin, Apr 17 '22 23:04
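The pattern the PR description sketches, as an added example that is not futures-timer's own code: a lock-free slot that holds either a sentinel state or a heap pointer, stored in an `AtomicPtr` rather than an `AtomicUsize`. The sentinels are built with `wrapping_add` on a null pointer so they carry no provenance and are never dereferenced, while real pointers keep the provenance they got from `Box::into_raw`, so nothing ever round-trips through an integer. The `Node` type, the `Slot` API and the sentinel addresses (`size_of::<Node>()` times 1 and 2, assumed never to coincide with a real allocation) are assumptions made for this example.

```rust
use std::ptr;
use std::sync::atomic::{AtomicPtr, Ordering};

/// Constructed payload type; in a timer crate this would be the heap node.
struct Node {
    value: u32,
}

// Sentinel pointers made with the wrapping_ methods: they are plain addresses
// without provenance, are never dereferenced, and differ from null and from
// each other. Assumption: no Box<Node> ever lives at these low addresses.
fn empty() -> *mut Node {
    ptr::null_mut::<Node>().wrapping_add(1)
}
fn closed() -> *mut Node {
    ptr::null_mut::<Node>().wrapping_add(2)
}

/// A single-value slot: EMPTY, CLOSED, or a Box<Node> handed over as a raw pointer.
/// Using AtomicPtr<Node> (not AtomicUsize) keeps pointer provenance intact.
pub struct Slot {
    state: AtomicPtr<Node>,
}

impl Slot {
    pub fn new() -> Self {
        Slot { state: AtomicPtr::new(empty()) }
    }

    /// Move a node into the slot. Fails (and frees the node) if the slot is
    /// occupied or closed; the CAS compares against the EMPTY sentinel.
    pub fn publish(&self, node: Box<Node>) -> bool {
        let raw = Box::into_raw(node);
        match self.state.compare_exchange(empty(), raw, Ordering::AcqRel, Ordering::Acquire) {
            Ok(_) => true,
            Err(_) => {
                // Ownership was never transferred, so reclaim the allocation.
                drop(unsafe { Box::from_raw(raw) });
                false
            }
        }
    }

    /// Take the stored node out, leaving the slot EMPTY. Sentinels yield None
    /// and are left untouched, so a CLOSED slot stays closed.
    pub fn take(&self) -> Option<Box<Node>> {
        let mut cur = self.state.load(Ordering::Acquire);
        loop {
            if cur == empty() || cur == closed() {
                return None;
            }
            match self.state.compare_exchange_weak(cur, empty(), Ordering::AcqRel, Ordering::Acquire) {
                // `cur` still carries the provenance from Box::into_raw.
                Ok(_) => return Some(unsafe { Box::from_raw(cur) }),
                Err(actual) => cur = actual,
            }
        }
    }

    /// Mark the slot CLOSED, returning any node that was still stored.
    pub fn close(&self) -> Option<Box<Node>> {
        let prev = self.state.swap(closed(), Ordering::AcqRel);
        if prev == empty() || prev == closed() {
            None
        } else {
            Some(unsafe { Box::from_raw(prev) })
        }
    }

    pub fn is_closed(&self) -> bool {
        self.state.load(Ordering::Acquire) == closed()
    }
}

impl Drop for Slot {
    fn drop(&mut self) {
        // Exclusive access: free a leftover node without touching sentinels.
        let p = *self.state.get_mut();
        if p != empty() && p != closed() {
            drop(unsafe { Box::from_raw(p) });
        }
    }
}

fn main() {
    let slot = Slot::new();
    assert!(slot.publish(Box::new(Node { value: 42 })));
    println!("took {:?}", slot.take().map(|n| n.value));
    println!("closed: {}", slot.close().is_none() && slot.is_closed());
}
```

The original pattern casts the pointer to `usize` (or transmutes it) and stores that; the integer comparison works, but the pointer rebuilt from the integer has lost its provenance, which is exactly what Miri flags. Here every comparison is between raw pointers, and only pointers that came out of `Box::into_raw` are ever passed back to `Box::from_raw`.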

@yoshuawuyts any chance on getting this merged soon? Would be pretty useful since this crate is causing Miri checking to fail for many crates.

Noratrieb, Sep 26 '22 14:09

Meanwhile, RFC 3559 has been accepted, which states that

This means that a pointer, in general, carries more information than can be captured by an integer type. For instance, transmuting a raw pointer to an array of u8, and then transmuting it back, does not restore the original pointer! (This RFC does not specify what exactly that roundtrip does. Unsafe code authors should conservatively assume that it is UB.)

@yoshuawuyts would be good to see this fix land so this widely-used crate can be brought into the realm of unambiguously sound code. :)

RalfJung, Feb 21 '24 22:02

Published as v3.0.3

yoshuawuyts, Feb 22 '24 14:02