Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

struct AlignedVec: Verify alignment for T #1369

Merged
merged 1 commit into from
Nov 11, 2024

Conversation

HeroicKatora
Copy link
Contributor

Turning the pointer of an aligned chunk into a reference to the overlay element type requires us to verify the element type's alignment invariant on the address. This check need not happen dynamically if we can provide a stronger static assertion.

The use of AlignedVec is over-aligning the storage with regards to the elements. This guarantees that all aligned block addresses are at least as aligned as required for elements. With this commit we validate that only vectors with appropriate element types can be instantiated. This verifies the constructor instead of the type parameters due to simplicity. Turning the violation into a compile error may be beneficial during development but should not be strictly necessary. Passing through a constructor is a dominator code path of the creation of a reference from its storage (at least right now).

@HeroicKatora
Copy link
Contributor Author

HeroicKatora commented Nov 10, 2024

Note that I have not verified if any element type/chunk type combinations could fail the requirement in practice beyond a cursory review of some instantiations. Among them, u8 and RefMvsBlock and RefMvsTemporalBlock all use the highly over-aligned 64 variant and are absolutely sound. As documented it wouldn't be useful, so it's unlikely. This new code just validates the technical requirement.

@kkysen kkysen self-requested a review November 10, 2024 23:31
@kkysen kkysen changed the title Verify alignment for AlignedVec struct AlignedVec: Verify alignment for T Nov 10, 2024
Copy link
Collaborator

@kkysen kkysen left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks for finding this! I guess we forgot to check that alignment requirement. Could you just adjust the comments a bit and fix that typo in sufficiently?

Also, verifying this in the constructor is indeed fine. We already do that for a similar size/alignment check.

src/align.rs Outdated Show resolved Hide resolved
Turning the pointer of an aligned chunk into a reference to the overlay
element type requires us to verify the element type's alignment
invariant on the address. This check need not happen dynamically if we
can provide a stronger static assertion.

The use of `AlignedVec` is over-aligning the storage with regards to the
elements. This guarantees that all aligned block addresses are at least
as aligned as required for elements. With this commit we validate that
only vectors with appropriate element types can be instantiated. This
verifies the constructor instead of the type parameters due to
simplicity. Turning the violation into a compile error may be beneficial
during development but should not be strictly necessary. Passing through
a constructor is a dominator code path of the creation of a reference
from its storage (at least right now).
@kkysen kkysen merged commit 8e1a34e into memorysafety:main Nov 11, 2024
28 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants