Rollup merge of #138352 - RalfJung:miri-native-calls-exposed, r=oli-obk

matthiaskrgr · web-flow · commit 703fc32d646f · 2025-03-11T19:35:34.000+01:00
miri native_calls: ensure we actually expose *mutable* provenance to the memory FFI can access

In native call mode, the interpreter memory itself is accessed directly by external code via pointers created from integers and passed via libffi, so we have to ensure the provenance in Miri itself (on the meta level) is sufficiently exposed. So far we only exposed the provenance for read-only accesses. This may we enough as that may actually be the same provenance as for mutable accesses, but it's hard to be sure, and anyway there's no reason to do such a gambit -- we have this function, `prepare_for_native_call`, which iterates all memory the call can access. let's just also (re-)expose Miri's own allocations there. We expose the read-only provenance for all of them and the mutable provenance for the mutable allocations.

r? ``@oli-obk``
diff --git a/src/alloc_addresses/mod.rs b/src/alloc_addresses/mod.rs
@@ -198,8 +198,8 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
                 }
                 AllocKind::Dead => unreachable!(),
             };
-            // Ensure this pointer's provenance is exposed, so that it can be used by FFI code.
-            return interp_ok(base_ptr.expose_provenance().try_into().unwrap());
+            // We don't have to expose this pointer yet, we do that in `prepare_for_native_call`.
+            return interp_ok(base_ptr.addr().try_into().unwrap());
         }
         // We are not in native lib mode, so we control the addresses ourselves.
         if let Some((reuse_addr, clock)) = global_state.reuse.take_addr(
diff --git a/src/shims/native_lib.rs b/src/shims/native_lib.rs
@@ -266,7 +266,7 @@ fn imm_to_carg<'tcx>(v: &ImmTy<'tcx>, cx: &impl HasDataLayout) -> InterpResult<'
             CArg::USize(v.to_scalar().to_target_usize(cx)?.try_into().unwrap()),
         ty::RawPtr(..) => {
             let s = v.to_scalar().to_pointer(cx)?.addr();
-            // This relies on the `expose_provenance` in `addr_from_alloc_id`.
+            // This relies on the `expose_provenance` in `prepare_for_native_call`.
             CArg::RawPtr(std::ptr::with_exposed_provenance_mut(s.bytes_usize()))
         }
         _ => throw_unsup_format!("unsupported argument type for native call: {}", v.layout.ty),

Original file line number	Diff line number	Diff line change
`@@ -198,8 +198,8 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {`
`198`	`198`	`}`
`199`	`199`	`AllocKind::Dead => unreachable!(),`
`200`	`200`	`};`
`201`		`- // Ensure this pointer's provenance is exposed, so that it can be used by FFI code.`
`202`		`- return interp_ok(base_ptr.expose_provenance().try_into().unwrap());`
	`201`	+ // We don't have to expose this pointer yet, we do that in `prepare_for_native_call`.
	`202`	`+ return interp_ok(base_ptr.addr().try_into().unwrap());`
`203`	`203`	`}`
`204`	`204`	`// We are not in native lib mode, so we control the addresses ourselves.`
`205`	`205`	`if let Some((reuse_addr, clock)) = global_state.reuse.take_addr(`
Original file line number	Diff line number	Diff line change
`@@ -266,7 +266,7 @@ fn imm_to_carg<'tcx>(v: &ImmTy<'tcx>, cx: &impl HasDataLayout) -> InterpResult<'`
`266`	`266`	`CArg::USize(v.to_scalar().to_target_usize(cx)?.try_into().unwrap()),`
`267`	`267`	`ty::RawPtr(..) => {`
`268`	`268`	`let s = v.to_scalar().to_pointer(cx)?.addr();`
`269`		- // This relies on the `expose_provenance` in `addr_from_alloc_id`.
	`269`	+ // This relies on the `expose_provenance` in `prepare_for_native_call`.
`270`	`270`	`CArg::RawPtr(std::ptr::with_exposed_provenance_mut(s.bytes_usize()))`
`271`	`271`	`}`
`272`	`272`	`_ => throw_unsup_format!("unsupported argument type for native call: {}", v.layout.ty),`