Skip to content

Allow volatile access to non-Rust memory, including address 0 #141260

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 12 commits into
base: master
Choose a base branch
from
Open

Allow volatile access to non-Rust memory, including address 0 #141260

wants to merge 12 commits into from
+115 −82

Conversation

LuigiPiucco
Copy link
Contributor

@LuigiPiucco LuigiPiucco commented May 19, 2025
edited by RalfJung
Loading

This PR relaxes the ub_check in the read_volatile/write_volatile pointer operations to allow passing null. This is needed to support processors which hard-code peripheral registers on address 0, like the AVR chip ATtiny1626. LLVM understands this as valid and handles it correctly, as tested in my PR to add a note about it (rustc generates the same LLVM IR as expected there when this PR is applied, and consequently the same AVR assembly).

Follow-up and implementation of the discussions in:

r? @RalfJung

Also fixes rust-lang/unsafe-code-guidelines#29 (about as good as it'll get, null will likely never be a "normal" address in Rust)

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels May 19, 2025
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@LuigiPiucco
fix: don't panic on volatile access to null
0559f50 
According to
https://discourse.llvm.org/t/rfc-volatile-access-to-non-dereferenceable-memory-may-be-well-defined/86303/4,
LLVM allows volatile operations on null and handles it correctly. This
should be allowed in Rust as well, because I/O memory may be hard-coded
to address 0 in some cases, like the AVR chip ATtiny1626.
@rust-log-analyzer

This comment has been minimized.

Sign in to view
@RalfJung
Copy link
Member

RalfJung commented May 20, 2025
edited
Loading

Cc @rust-lang/opsem @nikic

RalfJung
RalfJung reviewed May 20, 2025
View reviewed changes
@LuigiPiucco LuigiPiucco requested a review from RalfJung May 22, 2025 17:02
RalfJung
RalfJung reviewed May 23, 2025
View reviewed changes
Copy link
Member

@RalfJung RalfJung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I added a question, and I also pushed a commit where I did an edit pass over the read_volatile docs. If you agree with what I did there, could you apply the same edits to write_volatile?

@rust-log-analyzer

This comment has been minimized.

Sign in to view
@RalfJung
Copy link
Member

@rustbot author

@rustbot rustbot removed the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label May 23, 2025
@rustbot
Copy link
Collaborator

rustbot commented May 23, 2025

Reminder, once the PR becomes ready for a review, use @rustbot ready.

@rustbot rustbot added the S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. label May 23, 2025
LuigiPiucco and others added 3 commits May 23, 2025 12:50
@LuigiPiucco
docs: revise restrictions on volatile operations
36574d9 
A distinction between usage on Rust memory vs. non-Rust memory was
introduced. Documentation was reworded to explain what that means, and
make explicit that:

- No trapping must occur from volatile operations;
- On Rust memory, all safety rules must be respected;
- On Rust memory, the primary difference from regular access is that
  volatile always involves a memory dereference;
- On Rust memory, the only data affected by an operation is the one
  pointed to in the argument(s) of the function;
- On non-Rust memory, any address known to not contain Rust memory is
  valid (including 0 and usize::MAX);
- On non-Rust memory, no Rust memory may be affected (it is implicit
  that any other non-Rust memory may be affected, though, even if not
  referenced by the pointer). This should be relevant when, for example,
  reading register A causes a flag to change in register B, or writing
  to A causes B to change in some way. Everything affected mustn't be
  inside an allocation.
@LuigiPiucco
fix: remove tests for null failure in volatile
4b3ce76
@RalfJung @LuigiPiucco
docs: further revision on read_volatile
5a52202
@RalfJung
Copy link
Member

RalfJung commented May 23, 2025
edited
Loading

It'd help if you didn't amend and force-push my commit, then I could much easier see what you changed on top of my changes...

Now I guess I'll have to download your PR and compare locally against my commit (which was 3ea26bd).

In general, please do not force-push while review is still in progress. Github is terrible at dealing with force-pushes. The reviewer will ask you to squash the commits before approval.

RalfJung
RalfJung reviewed May 23, 2025
View reviewed changes
@LuigiPiucco
Copy link
Contributor Author

Sorry, I'll add new commits instead of amending from now on.

Other projects I worked on seemed to prefer amending, that's why I was doing it like that.

@RalfJung
Copy link
Member

RalfJung commented May 23, 2025
edited
Loading

Yeah, every project finds their own way to work around github's deficiencies. :/ I've not yet seen a good way to deal with github's abysmal treatment of force-pushes, though. I often have to pretty much re-review a PR as github provides 0 support for figuring out what actually changes in a series of pushes and force-pushes.

When you create your first PR here, a bot posts a message telling you about our PR workflow. But it's probably easy to forget that...

@LuigiPiucco
Copy link
Contributor Author

@rustbot ready

If the PR needs further revision, would you prefer to run the author/ready sequence every time, or to avoid it if we're both replying quickly? I don't mind the pings, but if you do I can adjust.

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels May 23, 2025
@RalfJung
Copy link
Member

An explicit "ready for review" signal is always a good idea. :)

RalfJung
RalfJung reviewed May 23, 2025
View reviewed changes
Copy link
Member

@RalfJung RalfJung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point about the inter-thread synchronization, let's repeat that in the function-level docs. As usual, my read comments apply to write as well.

@RalfJung RalfJung added T-lang Relevant to the language team, which will review and decide on the PR/issue. T-opsem Relevant to the opsem team and removed T-libs Relevant to the library team, which will review and decide on the PR/issue. labels May 23, 2025
@RalfJung
Copy link
Member

This sounds good to me apart from minor nits, thanks. :)
Since I wrote parts of it, someone else should do the final review.
r? @JakobDegen maybe?

Also, let's get the process started of formally approving this:
@rfcbot merge

@rfcbot
Copy link
Collaborator

rfcbot commented May 23, 2025
edited by CAD97
Loading

Team member @RalfJung has proposed to merge this. The next step is review by the rest of the tagged team members:

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
See this document for info about what commands tagged team members can give me.

@rfcbot rfcbot added proposed-final-comment-period Proposed to merge/close by relevant subteam, see T-<team> label. Will enter FCP once signed off. disposition-merge This issue / PR is in PFCP or FCP with a disposition to merge it. labels May 23, 2025
@RalfJung RalfJung changed the title Allow volatile access to address 0 Allow volatile access to non-Rust memory, including address 0 May 23, 2025
traviscross
traviscross reviewed May 23, 2025
View reviewed changes
JakobDegen
JakobDegen approved these changes May 23, 2025
View reviewed changes
Copy link
Contributor

@JakobDegen JakobDegen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just nits

RalfJung
RalfJung reviewed May 23, 2025
View reviewed changes
@LuigiPiucco
Copy link
Contributor Author

@rustbot ready

I tried to apply all comments and make this PR not conflict with the one changing to allocation. They should be able to apply regardless of order now.

@rust-log-analyzer

This comment has been minimized.

Sign in to view
RalfJung
RalfJung reviewed May 24, 2025
View reviewed changes
Copy link
Member

@RalfJung RalfJung left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

On top of these comments, maybe we should also say something about provenance for the "access address outside the machine" case. After all, we probably don't want to permit that when using a pointer that has a well-defined provenance. Such a pointer pretty much has to be created with with_exposed_provenance, right?

@RalfJung RalfJung mentioned this pull request May 24, 2025
Open
@LuigiPiucco
Copy link
Contributor Author

About provenance, I'll do some reading to try and propose a comment on its interaction with volatile, but it may be something I'm not fully qualified to do. I'll first push the other requested changes.

@LuigiPiucco
Revert "make changes compatible with rust-lang#141224"
282f2d0 
This reverts commit aa975c6.

"Allocations" in line 116 in library/core/src/ptr/mod.rs was kept,
however, because it was added as part of this commit series in
rust-lang@5a52202#diff-c175d4e27676febf62c061d31cf9756d256b46e2e44cc6b3177d4ff75e932567R116-R118
@LuigiPiucco
docs: enhance wording
80cb937
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nikic nikic nikic left review comments

@RalfJung RalfJung RalfJung left review comments

@traviscross traviscross traviscross left review comments

@workingjubilee workingjubilee workingjubilee left review comments

@JakobDegen JakobDegen JakobDegen approved these changes

Assignees

@JakobDegen JakobDegen

Labels
disposition-merge This issue / PR is in PFCP or FCP with a disposition to merge it. proposed-final-comment-period Proposed to merge/close by relevant subteam, see T-<team> label. Will enter FCP once signed off. S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-lang Relevant to the language team, which will review and decide on the PR/issue. T-opsem Relevant to the opsem team
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

What about: Targets where NULL is a valid pointer
9 participants
@LuigiPiucco @rust-log-analyzer @RalfJung @rustbot @rfcbot @nikic @traviscross @workingjubilee @JakobDegen