Rust Remove SafeSliceAccess for Arrays, and fix miri. (#6592)

CasperN · Casper Neo · web-flow · commit c87179e73ed5 · 2021-04-26T19:28:25.000-04:00
* Fix Miri flag passing and bump Rust version.

* Fix Miri problems from Arrays PR.

SafeSliceAccess was removed for Arrays. It's kind of unsound.
It has two properties:
1. EndianSafe
2. Alignment 1

We only need 1. in create_vector_direct to memcpy data.
We both 1. and 2. for accessing things with slices as buffers are built on &amp;[u8]
which is unaligned. Conditional compilation implements
SafeSliceAccess for &gt;1byte scalars (like f32) on LittleEndian machines
which is wrong since they don't satisfy 2.

This UB is still accessible for Vectors (though not exercised our
tests) as it implements SafeSliceAccess. I'll fix this later by
splitting SafeSliceAccess into its 2 properties.

Co-authored-by: Casper Neo &lt;cneo@google.com&gt;
diff --git a/rust/flatbuffers/Cargo.toml b/rust/flatbuffers/Cargo.toml
@@ -1,6 +1,6 @@
 [package]
 name = "flatbuffers"
-version = "0.8.4"
+version = "0.8.5"
 edition = "2018"
 authors = ["Robert Winslow <hello@rwinslow.com>", "FlatBuffers Maintainers"]
 license = "Apache-2.0"
diff --git a/rust/flatbuffers/src/array.rs b/rust/flatbuffers/src/array.rs
@@ -54,6 +54,9 @@ impl<'a, T: 'a, const N: usize> Array<'a, T, N> {
     pub const fn len(&self) -> usize {
         N
     }
+    pub fn as_ptr(&self) -> *const u8 {
+        self.0.as_ptr()
+    }
 }
 
 impl<'a, T: Follow<'a> + 'a, const N: usize> Array<'a, T, N> {
@@ -77,14 +80,7 @@ impl<'a, T: Follow<'a> + Debug, const N: usize> Into<[T::Inner; N]> for Array<'a
     }
 }
 
-impl<'a, T: SafeSliceAccess + 'a, const N: usize> Array<'a, T, N> {
-    pub fn safe_slice(self) -> &'a [T] {
-        let sz = size_of::<T>();
-        debug_assert!(sz > 0);
-        let ptr = self.0.as_ptr() as *const T;
-        unsafe { from_raw_parts(ptr, N) }
-    }
-}
+// TODO(caspern): Implement some future safe version of SafeSliceAccess.
 
 /// Implement Follow for all possible Arrays that have Follow-able elements.
 impl<'a, T: Follow<'a> + 'a, const N: usize> Follow<'a> for Array<'a, T, N> {
@@ -100,12 +96,16 @@ pub fn emplace_scalar_array<T: EndianScalar, const N: usize>(
     loc: usize,
     src: &[T; N],
 ) {
-    let mut buf_ptr = buf[loc..].as_mut_ptr() as *mut T;
+    let mut buf_ptr = buf[loc..].as_mut_ptr();
     for item in src.iter() {
         let item_le = item.to_little_endian();
         unsafe {
-            buf_ptr.write(item_le);
-            buf_ptr = buf_ptr.add(1);
+            core::ptr::copy_nonoverlapping(
+                &item_le as *const T as *const u8,
+                buf_ptr,
+                size_of::<T>(),
+            );
+            buf_ptr = buf_ptr.add(size_of::<T>());
         }
     }
 }
diff --git a/tests/RustTest.sh b/tests/RustTest.sh
@@ -63,5 +63,5 @@ fi
 # RUST_NIGHTLY environment variable set in dockerfile.
 if [[ $RUST_NIGHTLY == 1 ]]; then
   rustup +nightly component add miri
-  cargo +nightly miri test -- -Zmiri-disable-isolation
+  MIRIFLAGS="-Zmiri-disable-isolation" cargo +nightly miri test
 fi
diff --git a/tests/rust_usage_test/tests/arrays_test.rs b/tests/rust_usage_test/tests/arrays_test.rs
@@ -225,8 +225,8 @@ fn verify_struct_array_alignment() {
     let array_table = root_as_array_table(buf).unwrap();
     let array_struct = array_table.a().unwrap();
     let struct_start_ptr = array_struct.0.as_ptr() as usize;
-    let b_start_ptr = array_struct.b().safe_slice().as_ptr() as usize;
-    let d_start_ptr = array_struct.d().safe_slice().as_ptr() as usize;
+    let b_start_ptr = array_struct.b().as_ptr() as usize;
+    let d_start_ptr = array_struct.d().as_ptr() as usize;
     // The T type of b
     let b_aln = ::std::mem::align_of::<i32>();
     assert_eq!((b_start_ptr - struct_start_ptr) % b_aln, 0);
@@ -272,8 +272,6 @@ mod array_fuzz {
                 let arr: flatbuffers::Array<$ty, ARRAY_SIZE> = flatbuffers::Array::follow(&test_buf, 0);
                 let got: [$ty; ARRAY_SIZE] = arr.into();
                 assert_eq!(got, xs.0);
-                #[cfg(target_endian = "little")]
-                assert_eq!(arr.safe_slice(), xs.0);
             }
             #[test]
             fn $test_name() { 
@@ -317,13 +315,10 @@ mod array_fuzz {
         let arr: flatbuffers::Array<NestedStruct, ARRAY_SIZE> = flatbuffers::Array::follow(&test_buf, 0);
         let got: [&NestedStruct; ARRAY_SIZE] = arr.into();
         assert_eq!(got, native_struct_array);
-        let arr_slice = arr.safe_slice();
-        for i in 0..ARRAY_SIZE {
-            assert_eq!(arr_slice[i], *native_struct_array[i]);
-        }
     }
 
     #[test]
+    #[cfg(not(miri))]  // slow.
     fn test_struct() { 
         quickcheck::QuickCheck::new().max_tests(MAX_TESTS).quickcheck(prop_struct as fn(FakeArray<NestedStructWrapper, ARRAY_SIZE>));
     }
diff --git a/tests/rust_usage_test/tests/integration_test.rs b/tests/rust_usage_test/tests/integration_test.rs
@@ -1115,6 +1115,7 @@ mod roundtrip_byteswap {
     // fn fuzz_f64() { quickcheck::QuickCheck::new().max_tests(N).quickcheck(prop_f64 as fn(f64)); }
 }
 
+#[cfg(not(miri))]
 quickcheck! {
   fn struct_of_structs(
     a_id: u32,

Original file line number	Diff line number	Diff line change
`@@ -54,6 +54,9 @@ impl<'a, T: 'a, const N: usize> Array<'a, T, N> {`
`54`	`54`	`pub const fn len(&self) -> usize {`
`55`	`55`	`N`
`56`	`56`	`}`
	`57`	`+ pub fn as_ptr(&self) -> *const u8 {`
	`58`	`+ self.0.as_ptr()`
	`59`	`+ }`
`57`	`60`	`}`
`58`	`61`
`59`	`62`	`impl<'a, T: Follow<'a> + 'a, const N: usize> Array<'a, T, N> {`
`@@ -77,14 +80,7 @@ impl<'a, T: Follow<'a> + Debug, const N: usize> Into<[T::Inner; N]> for Array<'a`
`77`	`80`	`}`
`78`	`81`	`}`
`79`	`82`
`80`		`-impl<'a, T: SafeSliceAccess + 'a, const N: usize> Array<'a, T, N> {`
`81`		`- pub fn safe_slice(self) -> &'a [T] {`
`82`		`- let sz = size_of::<T>();`
`83`		`- debug_assert!(sz > 0);`
`84`		`- let ptr = self.0.as_ptr() as *const T;`
`85`		`- unsafe { from_raw_parts(ptr, N) }`
`86`		`- }`
`87`		`-}`
	`83`	`+// TODO(caspern): Implement some future safe version of SafeSliceAccess.`
`88`	`84`
`89`	`85`	`/// Implement Follow for all possible Arrays that have Follow-able elements.`
`90`	`86`	`impl<'a, T: Follow<'a> + 'a, const N: usize> Follow<'a> for Array<'a, T, N> {`
`@@ -100,12 +96,16 @@ pub fn emplace_scalar_array<T: EndianScalar, const N: usize>(`
`100`	`96`	`loc: usize,`
`101`	`97`	`src: &[T; N],`
`102`	`98`	`) {`
`103`		`- let mut buf_ptr = buf[loc..].as_mut_ptr() as *mut T;`
	`99`	`+ let mut buf_ptr = buf[loc..].as_mut_ptr();`
`104`	`100`	`for item in src.iter() {`
`105`	`101`	`let item_le = item.to_little_endian();`
`106`	`102`	`unsafe {`
`107`		`- buf_ptr.write(item_le);`
`108`		`- buf_ptr = buf_ptr.add(1);`
	`103`	`+ core::ptr::copy_nonoverlapping(`
	`104`	`+ &item_le as const T as const u8,`
	`105`	`+ buf_ptr,`
	`106`	`+ size_of::<T>(),`
	`107`	`+ );`
	`108`	`+ buf_ptr = buf_ptr.add(size_of::<T>());`
`109`	`109`	`}`
`110`	`110`	`}`
`111`	`111`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1115,6 +1115,7 @@ mod roundtrip_byteswap {`
`1115`	`1115`	`// fn fuzz_f64() { quickcheck::QuickCheck::new().max_tests(N).quickcheck(prop_f64 as fn(f64)); }`
`1116`	`1116`	`}`
`1117`	`1117`
	`1118`	`+#[cfg(not(miri))]`
`1118`	`1119`	`quickcheck! {`
`1119`	`1120`	`fn struct_of_structs(`
`1120`	`1121`	`a_id: u32,`