-
Notifications
You must be signed in to change notification settings - Fork 96
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Tracking Issue: Automatically Verify Memory Initialization #3300
Comments
The Rust reference mentions that reading padding bytes is not UB:
|
@zhassan-aws thanks for pointing that out -- I interpret the Rust reference a bit differently in this case. I take the words you quoted to mean that it is indeed not UB to read padding bytes and treat them as padding bytes. I.e. reading a mix of data bytes and padding bytes and then storing it in a struct with an appropriate layout is not UB. However, the example above reads padding bytes into the type without valid value restrictions, which should be UB. |
I see. Can you post the full example (e.g. the definition of |
Updated the example above, sorry for that! Here is the output from MIRI:
|
Got it. Thanks for the clarification. |
This PR enables automatic memory initialization proofs for raw pointers in Kani. This is done without any extra instrumentation from the user. Currently, due to high memory consumption and only partial support of pointee types for which memory initialization proofs work, this feature is gated behind `-Z uninit-checks` flag. Note that because it uses shadow memory under the hood, programs using this feature need to pass `-Z ghost-state` flag as well. This PR is a part of working towards #3300. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Celina G. Val <[email protected]>
…cks (#3313) This is a follow-up PR for #3264, a part of the larger work towards #3300. This PR introduces: - Use of demonic non-determinism (prophecy variables) to improve memory initialization checks performance; - Instead of keeping track of memory initialization of each possibly uninitialized byte pointed to by some pointer, one is chosen non-deterministically; - Tests for proper memory initialization checks injection for compiler intrinsics; - Separate functions for checking memory initialization of slice chunks. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Zyad Hassan <[email protected]>
… reinstrumentation (#3344) Recently added memory initialization checks (see #3300 for an overview) code suffers from re-instrumentation due to automatically added pointer checks to the instrumentation code. This PR adds an internal `kanitool::disable_checks` attribute to disable automatically generated CBMC checks inside internal instrumentation. This, in turn, relies on CBMC pragmas (https://www.cprover.org/cprover-manual/properties/#usinggotoinstrument). By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
) As #3324 mentioned, delayed UB triggered by accessing uninitialized memory was previously mitigated by injecting `assert!(false)` for every possible source of it; this PR adds all the necessary infrastructure and minimal support for detecting it properly. The process of detecting and instrumenting places is as follows: - Find all sources of delayed uninitialized memory UB (mutable pointer casts with different pointee padding and copy intrinsics); - Compute conservative aliasing graph between all memory places reachable from each harness; - Instrument all places pointed to by each source we found in step 1. Not all language constructs are currently supported -- see the tracking issue (#3300) for the full list of limitations. Resolves #3324 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses. --------- Co-authored-by: Celina G. Val <[email protected]>
This PR introduces very basic support for memory initialization checks for unions. As of now, the following is supported: - Unions can be created - Union fields can be assigned to - Union fields can be read from - Unions can be assigned directly to another union For more information about planned functionality, see #3300 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
This PR introduces support for memory initialization checks for unions passed across the function boundary. Whenever a union is passed as an argument, we need to make sure that its initialization state is preserved. Unlike pointers, unions do not have a stable memory address which could identify them in shadow memory. Hence, we need to pass extra information across function boundary since unions are passed “by value”. We introduce a global variable to store the previous address of unions passed as function arguments, which allows us to effectively tie the initialization state of unions passed between functions. This struct is written to by the caller and read from by the callee. For more information about planned functionality, see #3300 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.
Goal: Implement automated and efficient checks for memory initialization in Kani.
Motivation
Safe Rust guarantees that every variable is initialized, and every reference points to a properly allocated and initialized memory position. The same guarantees do not apply to raw pointers, transmute operations and unions, which are available in unsafe Rust. The safe usage of these constructs and operations must be upheld by the Rust developer.
Failures to uphold these safety properties can have unwanted consequences: it can affect the application behavior and even result in the application exposing critical data.
Kani should be able to detect uninitialized memory accesses automatically and efficiently.
Examples
Currently, Kani does not catch the following cases of UB due to accessing uninitialized memory:
Tasks
copy
andcopy_nonoverlapping
(Checking memory initialization in presence ofcopy
andcopy_nonoverlapping
produces false positives #3347, Implement memory initialization state copy functionality #3350)enum
s with variants that have different paddingunion
s (Add better support forMaybeUninit
#896)extern static
sThe text was updated successfully, but these errors were encountered: