Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Mitigate invalid transmute when checking memory initialization #3338

Merged
merged 6 commits into from
Jul 16, 2024
Merged

Mitigate invalid transmute when checking memory initialization #3338

merged 6 commits into from
Jul 16, 2024

Conversation

artemagvanian
Copy link
Contributor

@artemagvanian artemagvanian commented Jul 12, 2024
edited
Loading

This PR addresses another aspect of #3324, where delayed UB could be caused by transmuting a mutable pointer into the one of incompatible padding. It also adds a check to error whenever transmuting between two types of incompatible padding:

// 5 bytes of data + 3 bytes of padding.
#[repr(C)]
#[derive(kani::Arbitrary)]
struct S(u32, u8);

/// Checks that Kani catches an attempt to access padding of a struct using transmute.
#[kani::proof]
fn check_uninit_padding() {
    let s = kani::any();
    access_padding(s);
}

fn access_padding(s: S) {
    let _padding: u64 = unsafe { std::mem::transmute(s) }; // ~ERROR: padding bytes are uninitialized, so reading them is UB.
}

By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

@github-actions github-actions bot added the Z-BenchCI Tag a PR to run benchmark CI label Jul 12, 2024
@artemagvanian artemagvanian self-assigned this Jul 12, 2024
@artemagvanian artemagvanian marked this pull request as ready for review July 12, 2024 21:07
@artemagvanian artemagvanian requested a review from a team as a code owner July 12, 2024 21:07
celinval
celinval reviewed Jul 16, 2024
View reviewed changes
Copy link
Contributor

@celinval celinval left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just one minor comment. Thanks!

kani-compiler/src/kani_middle/transform/check_uninit/uninit_visitor.rs Outdated Show resolved Hide resolved
celinval
celinval approved these changes Jul 16, 2024
View reviewed changes
Copy link
Contributor

@celinval celinval left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It looks good. Just please add the new invariant to distinguish the unsupported vs the trivially false cases. Thanks!

@artemagvanian artemagvanian merged commit ff91762 into model-checking:main Jul 16, 2024
24 of 25 checks passed
@artemagvanian artemagvanian deleted the mitigate-transmute branch July 16, 2024 16:44
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@celinval celinval celinval approved these changes

Assignees

@artemagvanian artemagvanian

Labels
Z-BenchCI Tag a PR to run benchmark CI
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@artemagvanian @celinval