```rust
#![allow(internal_features)]
#![feature(core_intrinsics, custom_mir)]
use std::intrinsics::mir::*;
use std::ptr;

// This function supposedly returns a char, but actually returns something invalid
// in a way that never materializes a bad char value.
#[custom_mir(dialect = "runtime", phase = "optimized")]
fn f() -> char {
    mir! {
        {
            let tmp = ptr::addr_of_mut!(RET);
            let ptr = tmp as *mut u32;
            *ptr = u32::MAX;
            Return()
        }
    }
}

fn main() {
    let f: fn() -> u32 = unsafe { std::mem::transmute(f as fn() -> char) };
    // There's a char-to-u32 transmute happening here
    f();
}
```
The return here is a char-to-u32 transmute, and we are only checking the target type, not the source type. We do have a test for checking the target type.
Something similar can happen for an argument:
```rust
#![allow(internal_features)]
#![feature(core_intrinsics, custom_mir)]
use std::intrinsics::mir::*;
use std::ptr;

fn f(_c: u32) {}

// Call that function in a bad way, with an invalid char, but without
// ever materializing this as a char value outside the call itself.
#[custom_mir(dialect = "runtime", phase = "optimized")]
fn call(f: fn(char)) {
    mir! {
        let res: ();
        {
            let c = u32::MAX;
            let tmp = ptr::addr_of!(c);
            let ptr = tmp as *const char;
            // The call site now is a char-to-u32 transmute.
            Call(res, retblock, f(*ptr))
        }
        retblock = {
            Return()
        }
    }
}

fn main() {
    let f: fn(char) = unsafe { std::mem::transmute(f as fn(u32)) };
    call(f);
}
```
Again the source type of the argument transmute is not checked. We do have a test for checking the target type.
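A small model of the gap described in the issue above, added here as an illustration and not Miri's own code. `Ty`, `Ub`, `is_valid` and the two `copy_check_*` functions are hypothetical names, and each type is modeled only as a validity predicate on a 32-bit pattern.

```rust
// Model only: bit patterns of 4-byte types, not Miri's interpreter code.
#[derive(Clone, Copy, Debug, PartialEq)]
enum Ty { U32, Char }

#[derive(Debug, PartialEq)]
enum Ub { InvalidAtSource(Ty), InvalidAtTarget(Ty) }

// Validity invariant of each type, expressed on the raw 32-bit pattern.
fn is_valid(bits: u32, ty: Ty) -> bool {
    match ty {
        Ty::U32 => true,
        // A char must be a Unicode scalar value; char::from_u32 encodes that rule.
        Ty::Char => char::from_u32(bits).is_some(),
    }
}

// The gap: a type-changing copy that validates the destination type only.
fn copy_check_target_only(bits: u32, _src: Ty, dst: Ty) -> Result<u32, Ub> {
    if !is_valid(bits, dst) { return Err(Ub::InvalidAtTarget(dst)); }
    Ok(bits)
}

// Validation at both the old and the new type.
fn copy_check_both(bits: u32, src: Ty, dst: Ty) -> Result<u32, Ub> {
    if !is_valid(bits, src) { return Err(Ub::InvalidAtSource(src)); }
    if !is_valid(bits, dst) { return Err(Ub::InvalidAtTarget(dst)); }
    Ok(bits)
}

fn main() {
    // Both programs in the issue copy the bits u32::MAX from type char to type u32.
    println!("{:?}", copy_check_target_only(u32::MAX, Ty::Char, Ty::U32)); // accepted
    println!("{:?}", copy_check_both(u32::MAX, Ty::Char, Ty::U32)); // rejected at source
    // The opposite direction is already caught by the target-type check.
    println!("{:?}", copy_check_both(0xD800, Ty::U32, Ty::Char));
}
```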
miri: catch function calls where the argument is caller-invalid / the return value callee-invalid
When doing a type-changing copy, we must validate the data both at the old and new type.
Fixes #3017
This code should be UB, but is accepted by Miri: