Commit Graph

15530 Commits

Author SHA1 Message Date
Trevor Gross
1a1b44fcae
Rollup merge of #127836 - workingjubilee:forbid-unsafe-ops-in-xous-uefi, r=tgross35
std: Forbid unwrapped unsafe ops in xous and uefi modules
2024-07-16 20:10:14 -05:00
Trevor Gross
dd80a728cc
Rollup merge of #127833 - risc0:erik/zkvm-deny-unsafe, r=workingjubilee
zkvm: add `#[forbid(unsafe_op_in_unsafe_fn)]` in `stdlib`

This also adds an additional `unsafe` block to address compiler errors.
This PR is intended to address https://github.com/rust-lang/rust/issues/127747 for the zkvm target.
2024-07-16 20:10:13 -05:00
Trevor Gross
446e0177ec
Rollup merge of #127807 - ChrisDenton:win-parking, r=joboet
Use futex.rs for Windows thread parking

If I'm not overlooking anything then the Windows 10+ thread parking implementation is practically the same as the futex.rs implementation. So we may as well use the same implementation for both. The old version is still kept around for Windows 7 support.

r? ````@joboet```` if you wouldn't mind double checking I've not missed something
2024-07-16 20:10:12 -05:00
Trevor Gross
045b8107f2
Rollup merge of #127792 - workingjubilee:read-unaligned-is-dwarfier, r=joboet
std: Use `read_unaligned` for reads from DWARF

There's a lot of... *stuff* going on here. Meanwhile, `read_unaligned` has been available since 1.17.0, so let's just use that.
2024-07-16 20:10:12 -05:00
Trevor Gross
4013acdda2
Rollup merge of #127444 - Sky9x:cstr-bytes-iter, r=dtolnay
`impl Send + Sync` and override `count` for the `CStr::bytes` iterator

cc tracking issue #112115
2024-07-16 20:10:11 -05:00
Trevor Gross
606d8cf9e8
Rollup merge of #126776 - nnethercote:rustfmt-use-pre-cleanups-2, r=cuviper
Clean up more comments near use declarations

#125443 will reformat all use declarations in the repository. There are a few edge cases involving comments on use declarations that require care. This PR fixes them up so #125443 can go ahead with a simple `x fmt --all`. A follow-up to #126717.

r? ``@cuviper``
2024-07-16 20:10:10 -05:00
Trevor Gross
fe1dc02163
Rollup merge of #126271 - diondokter:dec2flt-skip-fast-path, r=tgross35
Skip fast path for dec2flt when optimize_for_size

Tracking issue: https://github.com/rust-lang/rust/issues/125612

Skip the fast algorithm when optimizing for size.
When compiling for https://github.com/quartiq/stabilizer I get these numbers:

Before
```
   text    data     bss     dec     hex filename
 192192       8   49424  241624   3afd8 dual-iir
```

After
```
   text    data     bss     dec     hex filename
 191632       8   49424  241064   3ada8 dual-iir
```

This saves 560 bytes.
2024-07-16 20:10:09 -05:00
Trevor Gross
689d27293a
Rollup merge of #125206 - mgeisler:simplify-std-env-vars, r=jhpratt,tgross35
Simplify environment variable examples

I’ve found myself visiting the documentation for `std::env::vars` every few months, and every time I do, it is because I want to quickly get a snippet to print out all environment variables :-)

So I think it could be nice to simplify the examples a little to make them self-contained. It is of course a style question if one should import a module a not, but I personally don’t import modules used just once in a code snippet.
2024-07-16 20:10:09 -05:00
Jubilee Young
586ef83f3f uefi: Forbid unwrapped unsafe in platform modules 2024-07-16 16:21:10 -07:00
Dion Dokter
33f1d9d554
Cfg nit
Co-authored-by: Clar Fon <15850505+clarfonthey@users.noreply.github.com>
2024-07-17 01:20:56 +02:00
Jubilee Young
b5a83a6f71 xous: Forbid unwrapped unsafe in platform modules 2024-07-16 16:16:03 -07:00
Erik Kaneda
e48d33e18a
zkvm: add #[forbid(unsafe_op_in_unsafe_fn)] in stdlib
This also adds an additional `unsafe` block to address compiler errors.
2024-07-16 16:04:02 -07:00
Nicholas Nethercote
7f0ccfe69d Adjust some comments on individual use declarations.
When we do the big `use` reformatting there are a tiny number of cases
where rustfmt moves a comment from one `use` item to another in an
undesirable way. This commit pre-emptively rearranges things to prevent
this from happening.
2024-07-17 08:05:39 +10:00
Nicholas Nethercote
75b6ec9800 Avoid comments that describe multiple use items.
There are some comments describing multiple subsequent `use` items. When
the big `use` reformatting happens some of these `use` items will be
reordered, possibly moving them away from the comment. With this
additional level of formatting it's not really feasible to have comments
of this type. This commit removes them in various ways:

- merging separate `use` items when appropriate;

- inserting blank lines between the comment and the first `use` item;

- outright deletion (for comments that are relatively low-value);

- adding a separate "top-level" comment.

We also entirely skip formatting for four library files that contain
nothing but `pub use` re-exports, where reordering would be painful.
2024-07-17 08:02:46 +10:00
Nicholas Nethercote
d9fde2504a Merge some core::iter entries. 2024-07-17 08:02:46 +10:00
Jubilee
249905780f
std: unwrapped unsafe is VERBOTEN!
Co-authored-by: Jonas Böttiger <jonasboettiger@icloud.com>
2024-07-16 12:51:14 -07:00
Matthias Krüger
08809eb746
Rollup merge of #127789 - Sword-Destiny:master, r=petrochenkov
delete #![allow(unsafe_op_in_unsafe_fn)] in teeos

deny unsafe_op_in_unsafe_fn for teeos
2024-07-16 18:09:11 +02:00
Chris Denton
51bdcf66d3
Use futex.rs for Windows thread parking 2024-07-16 11:21:51 +00:00
Jubilee Young
8dafc5c819 std: Use read_unaligned for reading DWARF 2024-07-16 00:10:08 -07:00
Trevor Gross
57fef31096
Rollup merge of #127047 - tspiteri:f128-aconsts-lsd, r=tgross35
fix least significant digits of f128 associated constants

While the numbers are parsed to the correct value, the decimal numbers in the source were rounded to zero instead of to the nearest, making the literals different from the values shown in the documentation.
2024-07-16 02:02:24 -05:00
袁浩----天命剑主
9183af25e5
deny unsafe_op_in_unsafe_fn for teeos 2024-07-16 11:47:22 +08:00
袁浩----天命剑主
af5c90d33f
clean unsafe op in unsafe fn 2024-07-16 11:46:16 +08:00
袁浩----天命剑主
00fff8ac64
clean unsafe op in unsafe fn 2024-07-16 11:34:23 +08:00
袁浩----天命剑主
060a40de63
clean unsafe op in unsafe fn 2024-07-16 11:18:51 +08:00
袁浩----天命剑主
00811621fe
delete #![allow(unsafe_op_in_unsafe_fn)]
this is redundant, so we can just delete it.
2024-07-16 11:05:18 +08:00
Sky
7f8f1780d4
impl Send + Sync and override count for the CStr::bytes iterator 2024-07-15 23:01:41 -04:00
bors
24d2ac0b56 Auto merge of #127777 - matthiaskrgr:rollup-qp2vkan, r=matthiaskrgr
Rollup of 6 pull requests

Successful merges:

 - #124921 (offset_from: always allow pointers to point to the same address)
 - #127407 (Make parse error suggestions verbose and fix spans)
 - #127684 (consolidate miri-unleashed tests for mutable refs into one file)
 - #127729 (Stop using the `gen` identifier in the compiler)
 - #127736 (Add myself to the review rotation)
 - #127758 (coverage: Restrict `ExpressionUsed` simplification to `Code` mappings)

r? `@ghost`
`@rustbot` modify labels: rollup
2024-07-15 19:44:22 +00:00
Matthias Krüger
78529d9841
Rollup merge of #124921 - RalfJung:offset-from-same-addr, r=oli-obk
offset_from: always allow pointers to point to the same address

This PR implements the last remaining part of the t-opsem consensus in https://github.com/rust-lang/unsafe-code-guidelines/issues/472: always permits offset_from when both pointers have the same address, no matter how they are computed. This is required to achieve *provenance monotonicity*.

Tracking issue: https://github.com/rust-lang/rust/issues/117945

### What is provenance monotonicity and why does it matter?

Provenance monotonicity is the property that adding arbitrary provenance to any no-provenance pointer must never make the program UB. More specifically, in the program state, data in memory is stored as a sequence of [abstract bytes](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#abstract-byte), where each byte can optionally carry provenance. When a pointer is stored in memory, all of the bytes it is stored in carry that provenance. Provenance monotonicity means: if we take some byte that does not have provenance, and give it some arbitrary provenance, then that cannot change program behavior or introduce UB into a UB-free program.

We care about provenance monotonicity because we want to allow the optimizer to remove provenance-stripping operations. Removing a provenance-stripping operation effectively means the program after the optimization has provenance where the program before the optimization did not -- since the provenance removal does not happen in the optimized program. IOW, the compiler transformation added provenance to previously provenance-free bytes. This is exactly what provenance monotonicity lets us do.

We care about removing provenance-stripping operations because `*ptr = *ptr` is, in general, (likely) a provenance-stripping operation. Specifically, consider `ptr: *mut usize` (or any integer type), and imagine the data at `*ptr` is actually a pointer (i.e., we are type-punning between pointers and integers). Then `*ptr` on the right-hand side evaluates to the data in memory *without* any provenance (because [integers do not have provenance](https://rust-lang.github.io/rfcs/3559-rust-has-provenance.html#integers-do-not-have-provenance)). Storing that back to `*ptr` means that the abstract bytes `ptr` points to are the same as before, except their provenance is now gone. This makes  `*ptr = *ptr`  a provenance-stripping operation  (Here we assume `*ptr` is fully initialized. If it is not initialized, evaluating `*ptr` to a value is UB, so removing `*ptr = *ptr` is trivially correct.)

### What does `offset_from` have to do with provenance monotonicity?

With `ptr = without_provenance(N)`, `ptr.offset_from(ptr)` is always well-defined and returns 0. By provenance monotonicity, I can now add provenance to the two arguments of `offset_from` and it must still be well-defined. Crucially, I can add *different* provenance to the two arguments, and it must still be well-defined. In other words, this must always be allowed: `ptr1.with_addr(N).offset_from(ptr2.with_addr(N))` (and it returns 0). But the current spec for `offset_from` says that the two pointers must either both be derived from an integer or both be derived from the same allocation, which is not in general true for arbitrary `ptr1`, `ptr2`.

To obtain provenance monotonicity, this PR hence changes the spec for offset_from to say that if both pointers have the same address, the function is always well-defined.

### What further consequences does this have?

It means the compiler can no longer transform `end2 = begin.offset(end.offset_from(begin))` into `end2 = end`. However, it can still be transformed into `end2 = begin.with_addr(end.addr())`, which later parts of the backend (when provenance has been erased) can trivially turn into `end2 = end`.

The only alternative I am aware of is a fundamentally different handling of zero-sized accesses, where a "no provenance" pointer is not allowed to do zero-sized accesses and instead we have a special provenance that indicates "may be used for zero-sized accesses (and nothing else)". `offset` and `offset_from` would then always be UB on a "no provenance" pointer, and permit zero-sized offsets on a "zero-sized provenance" pointer. This achieves provenance monotonicity. That is, however, a breaking change as it contradicts what we landed in https://github.com/rust-lang/rust/pull/117329. It's also a whole bunch of extra UB, which doesn't seem worth it just to achieve that transformation.

### What about the backend?

LLVM currently doesn't have an intrinsic for pointer difference, so we anyway cast to integer and subtract there. That's never UB so it is compatible with any relaxation we may want to apply.

If LLVM gets a `ptrsub` in the future, then plausibly it will be consistent with `ptradd` and [consider two equal pointers to be inbounds](https://github.com/rust-lang/rust/pull/124921#issuecomment-2205795829).
2024-07-15 21:11:47 +02:00
bors
eb72697e41 Auto merge of #127020 - tgross35:f16-f128-classify, r=workingjubilee
Add classify and related methods for f16 and f128

Also constify some functions where that was blocked on classify being available.

r? libs
2024-07-15 17:20:33 +00:00
Jubilee
476d399782
Rollup merge of #127750 - ChrisDenton:safe-unsafe-unsafe, r=workingjubilee
Make os/windows and pal/windows default to `#![deny(unsafe_op_in_unsafe_fn)]`

This is to prevent regressions in modules that currently pass. I did also fix up a few trivial places where the module contained only one or two simple wrappers. In more complex cases we should try to ensure the `unsafe` blocks are appropriately scoped and have any appropriate safety comments.

This does not fix the windows bits of #127747 but it should help prevent regressions until that is done and also make it more obvious specifically which modules need attention.
2024-07-15 02:28:44 -07:00
Jubilee
99c5302d9f
Rollup merge of #127744 - workingjubilee:deny-unsafe-op-in-std, r=jhpratt
std: `#![deny(unsafe_op_in_unsafe_fn)]` in platform-independent code

This applies the `unsafe_op_in_unsafe_fn` lint in all places in std that _do not have platform-specific cfg in their code_. For all such places, the lint remains allowed, because they need further work to address the relevant concerns. This list includes:

- `std::backtrace_rs` (internal-only)
- `std::sys` (internal-only)
- `std::os`

Notably this eliminates all "unwrapped" unsafe operations in `std::io` and `std::sync`, which will make them much more auditable in the future. Such has *also* been left for future work. While I made a few safety comments along the way on interfaces I have grown sufficiently familiar with, in most cases I had no context, nor particular confidence the unsafety was correct.

In the cases where I was able to determine the unsafety was correct without having prior context, it was obviously redundant. For example, an unsafe function calling another unsafe function that has the exact same contract, forwarding its caller's requirements just as it forwards its actual call.
2024-07-15 02:28:44 -07:00
Jubilee
64495b5f94
Rollup merge of #127712 - ChrisDenton:raw-types, r=workingjubilee
Windows: Remove some unnecessary type aliases

Back in the olden days, C did not have fixed-width types so these type aliases were at least potentially useful. Nowadays, and especially in Rust, we don't need the aliases and they don't help with anything. Notably the windows bindings we use also don't bother with the aliases. And even when we have used aliases they're often only used once then forgotten about.

The only one that gives me pause is `DWORD` because it's used a fair bit. But it's still used inconsistently and we implicitly assume it's a `u32` anyway (e.g. `as` casting from an `i32`).
2024-07-15 02:28:43 -07:00
Trevor Gross
2393093bb5 Mark some f16 and f128 functions unstably const
These constifications were blocked on classification functions being
added. Now that those methods are available, constify them.

This brings things more in line with `f32` and `f64`.
2024-07-15 03:34:32 -05:00
Chris Denton
7e16d5fb61
Move safety comment outside unsafe block 2024-07-15 07:30:11 +00:00
Chris Denton
3411a025d5
Make os/windows default to deny unsafe in unsafe 2024-07-15 07:17:39 +00:00
Chris Denton
2402e84e78
Make pal/windows default to deny unsafe in unsafe 2024-07-15 07:00:40 +00:00
Chris Denton
816d90ae5f
Fix Windows 7 2024-07-15 06:14:53 +00:00
bors
0da95bd869 Auto merge of #127719 - devnexen:math_log_fix_solill, r=Amanieu
std: removes logarithms family function edge cases handling for solaris.

Issue had been fixed over time with solaris, 11.x behaves correctly
 (and we support it as minimum), illumos works correctly too.
2024-07-15 05:43:22 +00:00
Chris Denton
ffe8fc276e
Don't re-export c_int from c 2024-07-15 05:01:23 +00:00
Chris Denton
e2b062c9b5
Remove DWORD 2024-07-15 05:01:22 +00:00
Chris Denton
d8d7c5c3b9
Remove ULONG 2024-07-15 05:01:22 +00:00
Chris Denton
21f69b5b82
Remove PSRWLOCK 2024-07-15 05:01:22 +00:00
Chris Denton
84dd7e4959
Remove LPVOID 2024-07-15 05:01:21 +00:00
Chris Denton
351f1f36f6
Remove LPSECURITY_ATTRIBUTES 2024-07-15 05:01:21 +00:00
Chris Denton
1b7cf3a3f2
Remove LPOVERLAPPED 2024-07-15 05:01:21 +00:00
Chris Denton
8052fb8f3c
Remove LPCVOID 2024-07-15 05:01:21 +00:00
Chris Denton
286c3270b4
Remove SIZE_T 2024-07-15 05:01:20 +00:00
Chris Denton
5b700a76cf
Remove CHAR
As with USHORT, keep using C types for BSD socket APIs.
2024-07-15 05:01:20 +00:00
Chris Denton
f2cc94361c
Remove USHORT
We stick to C types in for socket and address as these are at least nominally BSD-ish and they're used outside of pal/windows in general *nix code
2024-07-15 05:01:20 +00:00
Chris Denton
e70cc28831
Remove LPWSTR 2024-07-15 05:01:20 +00:00