|
| 1 | +# Null and enum-discriminant runtime checks in debug builds |
| 2 | + |
| 3 | +| Metadata | | |
| 4 | +| -------- | ------------------------------------------------------------ | |
| 5 | +| Owner(s) | @1c3t3a | |
| 6 | +| Teams | lang, opsem | |
| 7 | +| Status | Proposed | |
| 8 | + |
| 9 | +## Summary |
| 10 | + |
| 11 | +Add runtime checks to rustc that check for null pointers on pointer access and |
| 12 | +invalid enum discriminants. Similar to integer overflow and pointer alignment |
| 13 | +checks, this will only be enabled in debug builds. |
| 14 | + |
| 15 | +## Motivation |
| 16 | + |
| 17 | +While safe Rust prevents access to null references, unsafe Rust allows you to |
| 18 | +access null pointers and create null references. It hands over responsibility to |
| 19 | +the programmer to assure validity of the underlying memory. Especially when |
| 20 | +interacting with values that cross the language boundary (FFI, e.g. passing a |
| 21 | +C++ created pointer to Rust), the reasoning about such values is not always |
| 22 | +straightforward. |
| 23 | + |
| 24 | +At the same time, undefined behavior (UB) is triggered quickly when interacting |
| 25 | +with invalid pointers. E.g. [just the existence](https://lwn.net/Articles/985717/) |
| 26 | +of a null reference is UB, it doesn't even have to be dereferenced. |
| 27 | + |
| 28 | +Similar goes for enums. An enum must have a valid discriminant, and all fields |
| 29 | +of the variant indicated by that discriminant must be valid at their respective |
| 30 | +type ([source](https://doc.rust-lang.org/reference/behavior-considered-undefined.html#invalid-values)). |
| 31 | +Again, FFI could potentially pass an invalid enum value to Rust and thus cause |
| 32 | +undefined behavior. |
| 33 | + |
| 34 | +In general, for `unsafe` code, the responsibility of ensuring the various |
| 35 | +invariants of the Rust compiler are with the programmer. They have to make sure |
| 36 | +the value is not accidentally null, misaligned, violates Rust's pointer aliasing |
| 37 | +rules or any [other invariant](https://doc.rust-lang.org/reference/behavior-considered-undefined.html). |
| 38 | +The access happens inside an `unsafe` block. |
| 39 | + |
| 40 | +### The status quo |
| 41 | + |
| 42 | +While [Miri](https://github.com/rust-lang/miri) exists and does a great job at |
| 43 | +catching various types of UB in unsafe Rust code, it has the downside of only |
| 44 | +working on pure Rust code. Extern functions can not be called and a mixed |
| 45 | +language binary is unable to be executed in Miri. |
| 46 | + |
| 47 | +[Kani](https://github.com/model-checking/kani), which verifies unsafe Rust via |
| 48 | +model checking has similar limitations. |
| 49 | + |
| 50 | +### The next 6 months |
| 51 | + |
| 52 | +Within the next half a year, the plan is to start with null and enum |
| 53 | +discriminant checks to verify the code is upholding these invariants. Since |
| 54 | +these checks obviously pose a runtime overhead, we only insert them |
| 55 | +(optionally?) in debug builds. This is similar to the integer overflow and |
| 56 | +alignment checks that trigger a panic when observing an overflow and terminate |
| 57 | +the program. |
| 58 | + |
| 59 | +### The "shiny future" we are working towards |
| 60 | + |
| 61 | +Similar to how [UBSan](https://clang.llvm.org/docs/UndefinedBehaviorSanitizer.html) |
| 62 | +exists in Clang, we would like to see an option to detect undefined behavior at |
| 63 | +runtime. As mentioned above, this is critical for cross-language |
| 64 | +interoperability and can help to catch UB before it reaches production. |
| 65 | + |
| 66 | +The extension of these checks can be done step-by-step, keeping in mind the |
| 67 | +runtime overhead. Eventually we would like to check (sanitize) most items |
| 68 | +listed as [UB in Rust](https://doc.rust-lang.org/reference/behavior-considered-undefined.html). |
| 69 | + |
| 70 | +Particularly as next steps we would like to check for UB when: |
| 71 | + |
| 72 | +- Calling a function with the wrong call ABI or unwinding from a function with |
| 73 | + the wrong unwind ABI. |
| 74 | +- Performing a place projection that violates the requirements of in-bounds pointer arithmetic. |
| 75 | +- Eventually check the Rust pointer aliasing model (stacked borrows check). |
| 76 | + |
| 77 | +## Ownership and team asks |
| 78 | + |
| 79 | +**Owner:** @1c3t3a |
| 80 | + |
| 81 | +| Subgoal | Owner(s) or team(s) | Notes | |
| 82 | +| ---------------------------------------------- | ------------------------------------ | ----- | |
| 83 | +| Discussion and moral support | ![Team][], [lang], [opsem] | | |
| 84 | +| ↳ Implementation | @1c3t3a, @vabr-g | | |
| 85 | +| ↳ Standard reviews | ![Team][] [compiler], [opsem] | | |
| 86 | +| ↳ Design meeting | ![Team][] [lang], [opsem] | | |
| 87 | +| Nightly experiment for unsafe checks | ![Team][] [lang] | | |
| 88 | +| ↳ Lang-team experiment | ![Team][] [lang] | | |
| 89 | + |
| 90 | +### Definitions |
| 91 | + |
| 92 | +Definitions for terms used above: |
| 93 | + |
| 94 | +* *Discussion and moral support* is the lowest level offering, basically committing the team to nothing but good vibes and general support for this endeavor. |
| 95 | +* *Author RFC* and *Implementation* means actually writing the code, document, whatever. |
| 96 | +* *Design meeting* means holding a synchronous meeting to review a proposal and provide feedback (no decision expected). |
| 97 | +* *RFC decisions* means reviewing an RFC and deciding whether to accept. |
| 98 | +* *Org decisions* means reaching a decision on an organizational or policy matter. |
| 99 | +* *Secondary review* of an RFC means that the team is "tangentially" involved in the RFC and should be expected to briefly review. |
| 100 | +* *Stabilizations* means reviewing a stabilization and report and deciding whether to stabilize. |
| 101 | +* *Standard reviews* refers to reviews for PRs against the repository; these PRs are not expected to be unduly large or complicated. |
| 102 | +* *Prioritized nominations* refers to prioritized lang-team response to nominated issues, with the expectation that there will be *some* response from the next weekly triage meeting. |
| 103 | +* *Dedicated review* means identifying an individual (or group of individuals) who will review the changes, as they're expected to require significant context. |
| 104 | +* Other kinds of decisions: |
| 105 | + * [Lang team experiments](https://lang-team.rust-lang.org/how_to/experiment.html) are used to add nightly features that do not yet have an RFC. They are limited to trusted contributors and are used to resolve design details such that an RFC can be written. |
| 106 | + * Compiler [Major Change Proposal (MCP)](https://forge.rust-lang.org/compiler/mcp.html) is used to propose a 'larger than average' change and get feedback from the compiler team. |
| 107 | + * Library [API Change Proposal (ACP)](https://std-dev-guide.rust-lang.org/development/feature-lifecycle.html) describes a change to the standard library. |
| 108 | + |
| 109 | +## Frequently asked questions |
| 110 | + |
| 111 | +None yet. |
0 commit comments