[go: up one dir, main page]
More Web Proxy on the site http://driver.im/
|
|
Subscribe / Log in / New account

Insulating layer?

Insulating layer?

Posted Oct 14, 2024 19:45 UTC (Mon) by dezgeg (subscriber, #92243)
In reply to: Insulating layer? by Wol
Parent article: On Rust in enterprise kernels

See https://devblogs.microsoft.com/oldnewthing/20040119-00 for example of a real architecture where attempting to use an uninitialized register variable might cause an exception.

to post comments

Insulating layer?

Posted Oct 14, 2024 20:32 UTC (Mon) by Wol (subscriber, #4433) [Link] (2 responses)

Interesting.

But I'm not arguing that attempting to dereference garbage is okay. That post explicitly says the programmer chose to return garbage. No problem there. The problem comes when you attempt to USE the garbage as if it was valid. Rust would - I assume - have marked the return value as "could be garbage", and when the caller attempted to dereference it without checking, Rust would have barfed with "compile error - you can't unconditionally dereference possible garbage".

The point is, the programmer can reason about it because Rust would force them to track the fact that the return value could be garbage.

Cheers,
Wol

Insulating layer?

Posted Oct 14, 2024 20:43 UTC (Mon) by khim (subscriber, #9252) [Link]

> Rust would - I assume - have marked the return value as "could be garbage"

Nope. Rust doesn't do that. Rust developer may use MaybeUninit<bool> to signal to the compiler that value may be uninitialized. And then Rust developer (and not compiler!) would decide when to go from MaybeUninit<bool> to bool (which would tell the compiler that at this point value is initialized).

If I lie to the compiler (like I did) at that point – that's an instant UB.

IOW: Rust does the exact same thing C/C++ does but mitigates the issue by making transition from “could be uninitialized” type to “I believe it's initialized now” type explicit.

> Rust would have barfed with "compile error - you can't unconditionally dereference possible garbage".

This couldn't be a compiler error, but sure enough, if you violate these rules and compiler can recognize it then there would be a warning. It's warning, not an error, because compiler may recognize this situation it but is not obliged to do that, it's something that it does on “best effort” basis.

Insulating layer?

Posted Oct 14, 2024 22:03 UTC (Mon) by dezgeg (subscriber, #92243) [Link]

The linked Itanium example doesn't dereference uninitialized pointers anywhere - it demonstrates that just attempting to store an uninitialized register value might fault. In essence, this could blow up:

int global;
void f() {
int uninitialized;
global = uninitialized;
}

Ie. direct example of an architecture where what you wrote ("But padding, uninitialised variables, etc etc are perfectly valid to dereference. You can reason about it, you're going to get random garbage back.") doesn't apply.


Copyright © 2025, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds