initial implementation of wildcard provenence for tree borrows #4630
Conversation
|
Thank you for contributing to Miri! |
There was a problem hiding this comment.
Here's a first round of comments. I didn't get to the wildcard.rs file yet. Also you did some really deep surgery in this code, much deeper than I expected, so we may have to discuss this in person because this is code I didn't write and therefore don't remember all that much about how it works.
Some general points that I didn't comment on everywhere, but that should be fixed everywhere:
- Please write complete, correctly capitalized and punctuated sentences.
- Please leave empty lines between functions and between types (except when you define a group of types that should be seen as a single unit).
src/borrow_tracker/mod.rs
Outdated
| // The body of this loop needs `borrow_tracker` immutably | ||
| // so we can't move this code inside the following `end_call`. | ||
|
|
||
| // TODO support protected wildcard pointers |
There was a problem hiding this comment.
It's unclear what "support" means.
| machine: &MiriMachine<'tcx>, | ||
| ) -> InterpResult<'tcx> { | ||
| // TODO: for now we bail out on wildcard pointers. Eventually we should | ||
| // handle them as much as we can. |
There was a problem hiding this comment.
This comment seems outdated now?
| let orig_tag = match parent_prov { | ||
| ProvenanceExtra::Wildcard => return interp_ok(place.ptr().provenance), // TODO: handle wildcard pointers | ||
| ProvenanceExtra::Concrete(tag) => tag, | ||
| let (orig_tag, provenance) = match parent_prov { |
There was a problem hiding this comment.
So orig_tag is exactly the same as parent_prov except you converted it from ProvenanceExtra to Option...? What's the point of that?
Also, provenance is way to imprecise as a name. There's so many provenances floating around here, this isn't useful. I'd suggest new_prov.
| pub fn dealloc( | ||
| &mut self, | ||
| tag: BorTag, | ||
| tag: Option<BorTag>, |
There was a problem hiding this comment.
It's odd that dealloc changes its signature like this but perform_access does not.
| for (perms_range, Location { perms, .. }) in | ||
| self.rperms.iter_mut(access_range.start, access_range.size) | ||
| { | ||
| let tag = if let Some(tag) = tag { | ||
| tag | ||
| } else { | ||
| // the order in which we check if any nodes are invalidated doesnt matter, | ||
| // so we use the root as a default tag | ||
| self.nodes.get(self.root).unwrap().tag | ||
| }; | ||
| TreeVisitor { | ||
| nodes: &mut self.nodes, | ||
| tag_mapping: &self.tag_mapping, | ||
| perms, | ||
| wildcard_accesses: None, | ||
| } | ||
| .traverse_this_parents_children_other( | ||
| tag, | ||
| // visit all children, skipping none | ||
| |_| ContinueTraversal::Recurse, | ||
| |args: NodeAppArgs<'_>| -> Result<(), TransitionError> { | ||
| let NodeAppArgs { node, perm, .. } = args; | ||
| let perm = perm.get().copied().unwrap_or_else(|| node.default_location_state()); | ||
| if global.borrow().protected_tags.get(&node.tag) |
There was a problem hiding this comment.
This looks like you entirely changed the old logic here... what is happening?
There was a problem hiding this comment.
These changes are mostly whitespace.
Only the let tag = ... on line 787 and wildcard_accesses: None, on line 798 are actual changes.
| if node.is_exposed { | ||
| return None; | ||
| } |
There was a problem hiding this comment.
Why does this make sense? This is definitely non-trivial, therefore needs a comment.
| /// methods for wildcard borrows | ||
| impl<'tcx> Tree { | ||
| /// analogous to `perform_access`, but we do not know from which exposed reference the access happens. | ||
| pub fn perform_wildcard_access( |
There was a problem hiding this comment.
Shouldn't this be in wildcard.rs?
There was a problem hiding this comment.
This is in tree.rs mostly because it accesses private functions of LocationState (perform_access, skip_if_known_noop, record_new_access)
| /// We do not know the accessed pointer, but we know that it is a child of this pointer | ||
| WildcardChildAccess, | ||
| /// We do not know the accessed pointer, but we know that it is foreign to this pointer | ||
| WildcardForeignAccess, |
There was a problem hiding this comment.
Why does it make sense to have these as new variants in this type, rather than having a separate type for the wildcard traversal?
There was a problem hiding this comment.
This way I can reuse the code of perms.rs and LocationState::perform_access directly, which both take a AccessRelatedness as an argument. Also, no code seems to rely on the concrete value of AccessRelatedness. Only if its foreign or child access.
There was a problem hiding this comment.
So could this enum be simplified to just Local vs Foreign?
There was a problem hiding this comment.
This could also be part of the traversal adjustment preparation PR.
| // Keep original provenance. | ||
| return interp_ok(place.ptr().provenance); | ||
| } | ||
| }; |
There was a problem hiding this comment.
There is a ptr_try_get_alloc_id above (which github doesn't let me add a comment to -- thanks github) which is subtle and I think not entirely correct. For a wildcard pointer, this will resolve the pointer to an AllocId if it can. If ptr_size is 0, however, that might not be the only legal AllocId!
If the size is 0 on a wildcard pointer I think we have to bail early, there's not much we can do.
| /// with possible lazy initialization. | ||
| /// | ||
| /// NOTE: same guarantees on entry initialisation as for `perms` | ||
| pub wildcard_accesses: UniValMap<WildcardAccessTracking>, |
There was a problem hiding this comment.
This needs a more extensive comment for why it is a separate map.
| /// childrens max_child_access/max_foreign_access | ||
| #[derive(Debug, Clone, Default, PartialEq, Eq)] | ||
| pub struct WildcardAccessTracking { | ||
| /// how many of this nodes direct children have `max_child_access==Write` |
There was a problem hiding this comment.
| /// how many of this nodes direct children have `max_child_access==Write` | |
| /// how many of this node's direct children have `max_child_access==Write` |
| /// were relative to the pointer the access happened from | ||
| #[derive(Clone, Copy, Debug, PartialEq, Eq)] | ||
| pub enum WildcardAccessRelatedness { | ||
| /// the access definitively happened through a child pointer |
There was a problem hiding this comment.
"pointer" is confusing here, do you mean "node"?
| #[derive(Clone, Copy, Debug, PartialEq, Eq)] | ||
| pub enum WildcardAccessRelatedness { | ||
| /// the access definitively happened through a child pointer | ||
| ChildAccess, |
There was a problem hiding this comment.
When you use "child" to mean the reflexive transitive closure, please say "local".
There was a problem hiding this comment.
Please factor the changes to the visitor that give the callbacks access to the entire tree into a separate commit/PR. We also don't need two layers of visitors, just adjust the existing NodeAppArgs to have the extra state.
| AccessKind::Write => self.write_access_relatedness(exposed_as), | ||
| } | ||
| } | ||
| /// from where relative to this pointer a read access could happen |
There was a problem hiding this comment.
"this pointer"/"this node" is confusing here since you don't actually identify a node here.
What you mean is "a node with this wildcard info" or so?
| /// this function calculates the siblings `max_child_access`, both of the other fields need to be passed as arguments | ||
| /// | ||
| /// * `other_factors`: we only ever change one of these values. The max value of the other fields we dont change should be passed through the `other_factors` parameter | ||
| /// * `old_access_type`,`access_type`: we change the parameter not covered by `other_factors` from `old_access_type` |
There was a problem hiding this comment.
"we change" seems to mean "the caller changed/changes" or so? It sounds like this function is doing the changing.
| /// pushes children onto the stack, if their `max_foreign_access` field needs to be updated | ||
| /// | ||
| /// the `max_foreign_access` fields is set based on the max of the parents `max_foreign_access`, | ||
| /// `exposed_as` and its siblings `max_child_access`. |
There was a problem hiding this comment.
2 of these aren't fields though...
| perms: &UniValMap<LocationState>, | ||
| wildcard_accesses: &mut UniValMap<WildcardAccessTracking>, | ||
| ) { | ||
| /// pushes children onto the stack, if their `max_foreign_access` field needs to be updated |
There was a problem hiding this comment.
This needs a much more extensive comment:
- on some node (say which!), one of these "fields" (properties? they aren't all fields) changed, from old_access_type to new_access type I think?
- the other two stay the same, and are stored in other_factors
- but then there's some more complicated stuff for siblings?
There was a problem hiding this comment.
Also, if there's three modes to call this function (depending on what changed), every caller needs to document which mode it is using and why the special requirements for that mode are upheld.
But somehow the function doesn't even know what the mode is so... is there some more uniform way to do this? Can the function be called with just the one info on how the foreign access mode that can come in via the parent edge changed?
| access_type: WildcardAccessLevel, | ||
| old_access_type: WildcardAccessLevel, | ||
| access: WildcardAccessTracking, | ||
| mut children: impl Iterator<Item = UniIndex>, |
There was a problem hiding this comment.
I guess all these have a common parent? Is it all children of that parent?
Is that parent the node that the main comment refers to, whose properties changed?
| /* other factors */ src_access.max_foreign_access, | ||
| access_type, | ||
| old_access_type, | ||
| src_access.clone(), |
There was a problem hiding this comment.
Maybe just pass a reference instead of cloning.
EDIT: Or maybe not, turns out that is not always the parent node info...
| other_factors: WildcardAccessLevel, | ||
| access_type: WildcardAccessLevel, | ||
| old_access_type: WildcardAccessLevel, | ||
| access: WildcardAccessTracking, |
There was a problem hiding this comment.
The comment should say what this is. Also maybe call it something involving parent in its name?
There was a problem hiding this comment.
In fact, just replace the entire thing by the read and write counts.
| // Read -> Write | ||
| // Write -> Read | ||
| // Write -> None | ||
| access.child_writes |
There was a problem hiding this comment.
Why is it okay to ignore child_reads here, given that the read permissions can also change?
| other_factors: WildcardAccessLevel, | ||
| access_type: WildcardAccessLevel, | ||
| old_access_type: WildcardAccessLevel, | ||
| access: WildcardAccessTracking, |
There was a problem hiding this comment.
In fact, just replace the entire thing by the read and write counts.
| old_access_type: WildcardAccessLevel, | ||
| access_type: WildcardAccessLevel, |
There was a problem hiding this comment.
Maybe call these old_exposed_as and new_exposed_as?
| // dont change (for parents child_permissions and for the other children foreign permissions) | ||
| { | ||
| // we need to keep track of how the previous permissions changed | ||
| let mut prev_old_access = old_access_type; |
There was a problem hiding this comment.
child_old_access? Also what exactly is the invariant on this field? It's instantiated based on an exposed_as but gets updated with max_child?
| { | ||
| // we need to keep track of how the previous permissions changed | ||
| let mut prev_old_access = old_access_type; | ||
| let mut prev = id; |
There was a problem hiding this comment.
child (the one we come from in our upwards traversal)?
| /// We do not know the accessed pointer, but we know that it is a child of this pointer | ||
| WildcardChildAccess, | ||
| /// We do not know the accessed pointer, but we know that it is foreign to this pointer | ||
| WildcardForeignAccess, |
There was a problem hiding this comment.
This could also be part of the traversal adjustment preparation PR.
| // is defined by this child. So we only need to update this one child | ||
| stack.push(( | ||
| children | ||
| .find(|id| { |
There was a problem hiding this comment.
This should give a unique node, right?
I'd say make this filter, call next once to get the node, then call it again to test that it is unique.
| ) { | ||
| // find root node | ||
| let mut root = id; | ||
| while let Some(parent) = nodes.get(root).and_then(|n| n.parent) { |
There was a problem hiding this comment.
| while let Some(parent) = nodes.get(root).and_then(|n| n.parent) { | |
| while let Some(parent) = nodes.get(root).unwrap().parent { |
| .map(|child| { | ||
| let node = nodes.get(child).unwrap(); | ||
| let perm = perms.get(child).map(LocationState::permission); | ||
| let access = wildcard_accesses.get(child).unwrap(); |
There was a problem hiding this comment.
This uses the data we are checking (wildcard_accesses) to check said data... doesn't that risk that we miss some inconsistencies?
For instance, what if we have a tree where no node is exposed, but there's a node somewhere that says "one of my children is exposed" and there's exactly one child that says "my parent is exposed"? Would we catch that?
There was a problem hiding this comment.
I should probably rename max_other_children to max_access_siblings to make this code clearer.
|
A
| \
B C
So in the example A has child_reads=1 and B has max_foreign_access=Read (everything else 0)?
This will fail, because B and C both have max_child_access()==None, therefore A should be child_reads=0.
It would also fail because for B the parents max_foreign_access, exposed_as and its siblings (C) max_child_access() are all None, meaning B's max_foreign_access should also be None
The invariants verify_consistency checks should be described in the WildcardAccessTracking struct definition.
There was a problem hiding this comment.
This will fail, because B and C both have max_child_access()==None, therefore A should be child_reads=0.
It would also fail because for B the parents max_foreign_access, exposed_as and its siblings (C) max_child_access() are all None, meaning B's max_foreign_access should also be None
Sounds good then, thanks!
|
@rustbot author |
rustbot
added
S-waiting-on-author
|
Reminder, once the PR becomes ready for a review, use |
| // What kind of access caused this error (read, write, reborrow, deallocation) | ||
| pub access_cause: AccessCause, | ||
| /// Which tag the access that caused this error was made through, i.e. | ||
| /// Which tag if any the access that caused this error was made through, i.e. |
There was a problem hiding this comment.
Should be something like (if any) or , if any,.
|
#4654 contains the updates to the TreeVisitor and AccessRelatedness |
|
@rustbot ready |
rustbot
added
S-waiting-on-review
| /// Represensts the maximum access level that is possible. | ||
| /// | ||
| /// Note that we derive Ord and PartialOrd, so the order in which variants are listed below matters: | ||
| /// None < Read < Write. Do not change that order. | ||
| #[derive(Clone, Copy, PartialEq, Eq, PartialOrd, Ord, Hash, Debug, Default)] | ||
| pub enum WildcardAccessLevel { | ||
| #[default] | ||
| None, | ||
| Read, | ||
| Write, | ||
| } |
There was a problem hiding this comment.
There exists an identical enum in foreign_access_skipping.rs called IdempotentForeignAccess.
I'm unsure if they should be combined into one single AccessLevel type.
Or maybe just rename WildcardAccessLevel to MaxAccessLevel as it isn't really specific to wildcard accesses.
There was a problem hiding this comment.
These enums serve different purposes, I think it's fine to have them be separate.
| Write, | ||
| } | ||
|
|
||
| /// Were relative to the node the access happened from. |
There was a problem hiding this comment.
| /// Were relative to the node the access happened from. | |
| /// Where the access happened relative to the current node. |
| /// that is foreign to this node. | ||
| /// | ||
| /// This is calculated as the `max()` of parents `max_foreign_access`, | ||
| /// `exposed_as` and its siblings `max_local_access()`. |
There was a problem hiding this comment.
| /// `exposed_as` and its siblings `max_local_access()`. | |
| /// `exposed_as` and the siblings' `max_local_access()`. |
| /// The maximum access level that could happen from an exposed node | ||
| /// that is foreign to this node. | ||
| /// | ||
| /// This is calculated as the `max()` of parents `max_foreign_access`, |
There was a problem hiding this comment.
| /// This is calculated as the `max()` of parents `max_foreign_access`, | |
| /// This is calculated as the `max()` of parent's `max_foreign_access`, |
| /// The maximum access level that could happen from an exposed | ||
| /// node that is a local to this node. |
There was a problem hiding this comment.
| /// The maximum access level that could happen from an exposed | |
| /// node that is a local to this node. | |
| /// The maximum access level that could happen from an exposed | |
| /// node that is local to this node. |
| // If the node is already protected, then it gets already visited | ||
| // through the protector. So we can assume `protected=false`. |
There was a problem hiding this comment.
What does it mean to get "visited through the protector"?
| // This happens because the protected_tags map still contains all protected_tags, they only get removed after | ||
| // `release_protector` got called on all the relevant tags. | ||
| // | ||
| // This is also why we dont call `WildcardState::verify_external_consistency` here. |
There was a problem hiding this comment.
Is there some other place we call it instead? Like after the protected_tags map got updated?
There was a problem hiding this comment.
Yes, we do call if after the map got updated. Will add this to the comment
| impl Tree { | ||
| /// Checks that the wildcard tracking datastructure is internally consistent and has | ||
| /// the correct `exposed_as` values. | ||
| pub fn verify_wildcard_consistency(&self, global: &GlobalState) { |
There was a problem hiding this comment.
Why do we sometimes call this, and sometimes only run one of the two checks?
There was a problem hiding this comment.
This is a convenience function, that checks all ranges of the allocation.
If we are checking consistency inside a tree traversal after updating some node, we only really need to check the consistency of the current range, as the other ranges remain the same, so this function would do unnecessary work (and have problems with the borrow checker).
As for only sometimes calling one of the functions:
The verify_internal_consistency function gets always run at the end of update_exposure as the invariants it checks always have to be upheld, for update_exposure to continue to work.
The verify_external_consistency functions invariants only actually needs to be upheld during perform_wildcard_access. Specifically it is not upheld while releasing protectors, which is why we only do the internal check (as part of update_exposure), while the external check gets only run after the tags got removed from the protected map.
There was a problem hiding this comment.
Please keep it simple. This is a debug check. There shouldn't be any complicated reasoning involved in figuring out when to invoke which sub-check.
There was a problem hiding this comment.
I would say make this a single check for the entire invariant, and call it at the top of perform_wildcard_access (which is the key place where we need the invariant).
|
@rustbot author |
rustbot
added
the
S-waiting-on-author
|
|
||
| /// Weather the datastructure has been allocated. | ||
| /// Does not mean the map contains any values. | ||
| pub fn is_initialized(&self) -> bool { |
There was a problem hiding this comment.
This exposes internal state in an odd way -- can't we have an is_empty instead?
This comment has been minimized.
This comment has been minimized.
royAmmerschuber
force-pushed
the
pull-request/wildcard-provenance
branch
from
d52c0fc to
43a9898
Compare
This comment has been minimized.
This comment has been minimized.
basic tests for wildcard provenance wildcard tracking data structure & expose_tag implementation basic wildcard accesses fix compilation errors & first working testcase comments & protector test update wildcard tracking when neccessary & fix ui tests remove either state move exposed_as to node & use own AccessLevel enum deallocation through wildcards wildcard reborrowing Location struct & comments test for correctly activating through wildcards & fix updating idempotent foreign access compelete verify function use check_nondet helper in a few more places
ptr_size=0 support remove unneccessary nativelib check use provenance extra instead of option unify perform_access
This makes strict consistency requirement between wildcard tracking datastructure and the rest of the tree looser, giving us more flexibility in how we update it.
royAmmerschuber
force-pushed
the
pull-request/wildcard-provenance
branch
from
4feed04 to
9d8bf0d
Compare
|
This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers. |
| pub fn is_initialized(&self) -> bool { | ||
| self.data.capacity() != 0 | ||
| pub fn is_empty(&self) -> bool { | ||
| self.data.len() == 0 || self.data.iter().all(|v| v.is_none()) |
There was a problem hiding this comment.
No reason to check the len here, the all will do the right thing.
There was a problem hiding this comment.
Inspiration for more tests:
tests/pass/stacked_borrows/int-to-ptr.rs- tests/fail/stacked_borrows/exposed_only_ro.rs
- tests/fail/stacked_borrows/illegal_read_despite_exposed1.rs
- tests/fail/stacked_borrows/illegal_read_despite_exposed2.rs
- tests/fail/stacked_borrows/illegal_write_despite_exposed1.rs
| let parent_access = | ||
| max(parent_state.exposed_as, parent_state.max_foreign_access); | ||
|
|
||
| let sibling_reads = |
There was a problem hiding this comment.
New logic looks good, but needs a comment.
| let sibling_reads = | ||
| parent_state.child_reads - if new_child_access >= Read { 1 } else { 0 }; | ||
| let sibling_writes = | ||
| parent_state.child_writes - if new_child_access == Write { 1 } else { 0 }; |
There was a problem hiding this comment.
| parent_state.child_writes - if new_child_access == Write { 1 } else { 0 }; | |
| parent_state.child_writes - if new_child_access >= Write { 1 } else { 0 }; |
to make it more symmetric
| let node = self.nodes.get(id).unwrap(); | ||
| let protected_tags = &global.borrow().protected_tags; | ||
| let protected = protected_tags.contains_key(&tag); | ||
| // TODO: Only initialize neccessary ranges. |
There was a problem hiding this comment.
Is this comment worth keeping? Doesn't seem super useful to me. Better comment on what is happening.
| let mut stack = vec![self.root]; | ||
| let mut has_exposed = false; | ||
| while let Some(id) = stack.pop() { | ||
| let node = self.nodes.get(id).unwrap(); |
There was a problem hiding this comment.
This doesn't need a tree traversal, just walking the list in any order should suffice.
| /// Visit all tags through which a wilcard access could happen. | ||
| /// Used for GC. | ||
| pub(super) fn gc_visit_wildcards(&self, visit: &mut VisitWith<'_>) { | ||
| for (_, loc) in self.locations.iter_all() { |
There was a problem hiding this comment.
No need to make this location-sensitive... just visit all exposed nodes.
There was a problem hiding this comment.
I don't get the filename here either, we re not doing the proper thing after all...?
There was a problem hiding this comment.
Just put all the "should be UB but we don't catch it" into one file.
| // └────────────┘ | ||
|
|
||
| // Since ref3 is protected, we know that every write from outside it will be UB. | ||
| // This means we know that the access is through ref3, disabling ref2. |
There was a problem hiding this comment.
| // This means we know that the access is through ref3, disabling ref2. | |
| // This means we could know that the access is through ref3, disabling ref2. | |
| // However, we currently don't exploit this. |
| } | ||
|
|
||
| // We currently ignore, if a wildcard pointer has a protector | ||
| #[allow(unused_variables)] |
There was a problem hiding this comment.
Please avoid that, very easy to accidentally disable a test that way
3 participants
initial support for wildcard writes in tree borrows.