throw an error if a synchronization object is read/written while threads are queued

RalfJung · RalfJung · commit 818642ef677d · 2025-11-08T14:53:40.000+01:00
diff --git a/src/borrow_tracker/mod.rs b/src/borrow_tracker/mod.rs
@@ -115,15 +115,6 @@ impl VisitProvenance for GlobalStateInner {
 /// We need interior mutable access to the global state.
 pub type GlobalState = RefCell<GlobalStateInner>;
 
-impl fmt::Display for AccessKind {
-    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
-        match self {
-            AccessKind::Read => write!(f, "read access"),
-            AccessKind::Write => write!(f, "write access"),
-        }
-    }
-}
-
 /// Policy on whether to recurse into fields to retag
 #[derive(Copy, Clone, Debug)]
 pub enum RetagFields {
diff --git a/src/concurrency/init_once.rs b/src/concurrency/init_once.rs
@@ -57,6 +57,10 @@ impl InitOnceRef {
     pub fn begin(&self) {
         self.0.borrow_mut().begin();
     }
+
+    pub fn queue_is_empty(&self) -> bool {
+        self.0.borrow().waiters.is_empty()
+    }
 }
 
 impl VisitProvenance for InitOnceRef {
diff --git a/src/concurrency/sync.rs b/src/concurrency/sync.rs
@@ -16,6 +16,11 @@ use crate::*;
 
 /// A trait for the synchronization metadata that can be attached to a memory location.
 pub trait SyncObj: Any {
+    /// Determines whether reads/writes to this object's location are currently permitted.
+    fn on_access<'tcx>(&self, _access_kind: AccessKind) -> InterpResult<'tcx> {
+        interp_ok(())
+    }
+
     /// Determines whether this object's metadata shall be deleted when a write to its
     /// location occurs.
     fn delete_on_write(&self) -> bool {
@@ -62,6 +67,10 @@ impl MutexRef {
     pub fn owner(&self) -> Option<ThreadId> {
         self.0.borrow().owner
     }
+
+    pub fn queue_is_empty(&self) -> bool {
+        self.0.borrow().queue.is_empty()
+    }
 }
 
 impl VisitProvenance for MutexRef {
@@ -138,6 +147,11 @@ impl RwLockRef {
     pub fn is_write_locked(&self) -> bool {
         self.0.borrow().is_write_locked()
     }
+
+    pub fn queue_is_empty(&self) -> bool {
+        let inner = self.0.borrow();
+        inner.reader_queue.is_empty() && inner.writer_queue.is_empty()
+    }
 }
 
 impl VisitProvenance for RwLockRef {
@@ -165,8 +179,8 @@ impl CondvarRef {
         Self(Default::default())
     }
 
-    pub fn is_awaited(&self) -> bool {
-        !self.0.borrow().waiters.is_empty()
+    pub fn queue_is_empty(&self) -> bool {
+        self.0.borrow().waiters.is_empty()
     }
 }
 
diff --git a/src/helpers.rs b/src/helpers.rs
@@ -1,7 +1,7 @@
 use std::num::NonZero;
 use std::sync::Mutex;
 use std::time::Duration;
-use std::{cmp, iter};
+use std::{cmp, fmt, iter};
 
 use rand::RngCore;
 use rustc_abi::{Align, ExternAbi, FieldIdx, FieldsShape, Size, Variants};
@@ -29,6 +29,15 @@ pub enum AccessKind {
     Write,
 }
 
+impl fmt::Display for AccessKind {
+    fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
+        match self {
+            AccessKind::Read => write!(f, "read access"),
+            AccessKind::Write => write!(f, "write access"),
+        }
+    }
+}
+
 /// Gets an instance for a path.
 ///
 /// A `None` namespace indicates we are looking for a module.
diff --git a/src/machine.rs b/src/machine.rs
@@ -1547,6 +1547,11 @@ impl<'tcx> Machine<'tcx> for MiriMachine<'tcx> {
         if let Some(borrow_tracker) = &alloc_extra.borrow_tracker {
             borrow_tracker.before_memory_read(alloc_id, prov_extra, range, machine)?;
         }
+        // Check if there are any sync objects that would like to prevent reading this memory.
+        for (_offset, obj) in alloc_extra.sync_objs.range(range.start..range.end()) {
+            obj.on_access(AccessKind::Read)?;
+        }
+
         interp_ok(())
     }
 
@@ -1590,11 +1595,13 @@ impl<'tcx> Machine<'tcx> for MiriMachine<'tcx> {
         // Delete sync objects that don't like writes.
         // Most of the time, we can just skip this.
         if !alloc_extra.sync_objs.is_empty() {
-            let to_delete = alloc_extra
-                .sync_objs
-                .range(range.start..range.end())
-                .filter_map(|(offset, obj)| obj.delete_on_write().then_some(*offset))
-                .collect::<Vec<_>>();
+            let mut to_delete = vec![];
+            for (offset, obj) in alloc_extra.sync_objs.range(range.start..range.end()) {
+                obj.on_access(AccessKind::Write)?;
+                if obj.delete_on_write() {
+                    to_delete.push(*offset);
+                }
+            }
             for offset in to_delete {
                 alloc_extra.sync_objs.remove(&offset);
             }
diff --git a/src/shims/unix/macos/sync.rs b/src/shims/unix/macos/sync.rs
@@ -25,6 +25,17 @@ enum MacOsUnfairLock {
 }
 
 impl SyncObj for MacOsUnfairLock {
+    fn on_access<'tcx>(&self, access_kind: AccessKind) -> InterpResult<'tcx> {
+        if let MacOsUnfairLock::Active { mutex_ref } = self
+            && !mutex_ref.queue_is_empty()
+        {
+            throw_ub_format!(
+                "{access_kind} to `os_unfair_lock` is forbidden while the queue is non-empty"
+            );
+        }
+        interp_ok(())
+    }
+
     fn delete_on_write(&self) -> bool {
         true
     }
@@ -81,10 +92,10 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
                     // This is a lock that got copied while it is initialized. We de-initialize
                     // locks when they get released, so it got copied while locked. Unfortunately
                     // that is something `std` needs to support (the guard could have been leaked).
-                    // So we behave like a futex-based lock whose wait queue got pruned: any attempt
-                    // to acquire the lock will just wait forever.
-                    // In practice there actually could be a wait queue there, if someone moves a
-                    // lock *while threads are queued*; this is UB we will not detect.
+                    // On the plus side, we know nobody was queued for the lock while it got copied;
+                    // that would have been rejected by our `on_access`. So we behave like a
+                    // futex-based lock would in this case: any attempt to acquire the lock will
+                    // just wait forever, since there's nobody to wake us up.
                     interp_ok(MacOsUnfairLock::PermanentlyLocked)
                 } else {
                     throw_ub_format!("`os_unfair_lock` was not properly initialized at this location, or it got overwritten");
diff --git a/src/shims/unix/sync.rs b/src/shims/unix/sync.rs
@@ -110,6 +110,15 @@ struct PthreadMutex {
 }
 
 impl SyncObj for PthreadMutex {
+    fn on_access<'tcx>(&self, access_kind: AccessKind) -> InterpResult<'tcx> {
+        if !self.mutex_ref.queue_is_empty() {
+            throw_ub_format!(
+                "{access_kind} to `pthread_mutex_t` is forbidden while the queue is non-empty"
+            );
+        }
+        interp_ok(())
+    }
+
     fn delete_on_write(&self) -> bool {
         true
     }
@@ -230,6 +239,15 @@ struct PthreadRwLock {
 }
 
 impl SyncObj for PthreadRwLock {
+    fn on_access<'tcx>(&self, access_kind: AccessKind) -> InterpResult<'tcx> {
+        if !self.rwlock_ref.queue_is_empty() {
+            throw_ub_format!(
+                "{access_kind} to `pthread_rwlock_t` is forbidden while the queue is non-empty"
+            );
+        }
+        interp_ok(())
+    }
+
     fn delete_on_write(&self) -> bool {
         true
     }
@@ -361,6 +379,15 @@ struct PthreadCondvar {
 }
 
 impl SyncObj for PthreadCondvar {
+    fn on_access<'tcx>(&self, access_kind: AccessKind) -> InterpResult<'tcx> {
+        if !self.condvar_ref.queue_is_empty() {
+            throw_ub_format!(
+                "{access_kind} to `pthread_cond_t` is forbidden while the queue is non-empty"
+            );
+        }
+        interp_ok(())
+    }
+
     fn delete_on_write(&self) -> bool {
         true
     }
@@ -900,7 +927,7 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
         // Reading the field also has the side-effect that we detect double-`destroy`
         // since we make the field uninit below.
         let condvar = &cond_get_data(this, cond_op)?.condvar_ref;
-        if condvar.is_awaited() {
+        if !condvar.queue_is_empty() {
             throw_ub_format!("destroying an awaited conditional variable");
         }
 
diff --git a/src/shims/windows/sync.rs b/src/shims/windows/sync.rs
@@ -12,6 +12,15 @@ struct WindowsInitOnce {
 }
 
 impl SyncObj for WindowsInitOnce {
+    fn on_access<'tcx>(&self, access_kind: AccessKind) -> InterpResult<'tcx> {
+        if !self.init_once.queue_is_empty() {
+            throw_ub_format!(
+                "{access_kind} to `INIT_ONCE` is forbidden while the queue is non-empty"
+            );
+        }
+        interp_ok(())
+    }
+
     fn delete_on_write(&self) -> bool {
         true
     }
diff --git a/tests/fail-dep/concurrency/apple_os_unfair_lock_move_with_queue.rs b/tests/fail-dep/concurrency/apple_os_unfair_lock_move_with_queue.rs
@@ -0,0 +1,29 @@
+//@only-target: darwin
+#![feature(sync_unsafe_cell)]
+
+use std::cell::SyncUnsafeCell;
+use std::sync::atomic::*;
+use std::thread;
+
+fn main() {
+    let lock = SyncUnsafeCell::new(libc::OS_UNFAIR_LOCK_INIT);
+
+    thread::scope(|s| {
+        // First thread: grabs the lock.
+        s.spawn(|| {
+            unsafe { libc::os_unfair_lock_lock(lock.get()) };
+            thread::yield_now();
+            unreachable!();
+        });
+        // Second thread: queues for the lock.
+        s.spawn(|| {
+            unsafe { libc::os_unfair_lock_lock(lock.get()) };
+            unreachable!();
+        });
+        // Third thread: tries to read the lock while second thread is queued.
+        s.spawn(|| {
+            let atomic_ref = unsafe { &*lock.get().cast::<AtomicU32>() };
+            let _val = atomic_ref.load(Ordering::Relaxed); //~ERROR: read access to `os_unfair_lock` is forbidden while the queue is non-empty
+        });
+    });
+}
diff --git a/tests/fail-dep/concurrency/apple_os_unfair_lock_move_with_queue.stderr b/tests/fail-dep/concurrency/apple_os_unfair_lock_move_with_queue.stderr
@@ -0,0 +1,13 @@
+error: Undefined Behavior: read access to `os_unfair_lock` is forbidden while the queue is non-empty
+  --> tests/fail-dep/concurrency/apple_os_unfair_lock_move_with_queue.rs:LL:CC
+   |
+LL | ...   let _val = atomic_ref.load(Ordering::Relaxed);
+   |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+
diff --git a/tests/fail-dep/concurrency/libc_pthread_mutex_read_while_queued.rs b/tests/fail-dep/concurrency/libc_pthread_mutex_read_while_queued.rs
@@ -0,0 +1,41 @@
+//@ignore-target: windows # No pthreads on Windows
+//@compile-flags: -Zmiri-fixed-schedule
+
+use std::cell::UnsafeCell;
+use std::sync::atomic::*;
+use std::thread;
+
+struct Mutex(UnsafeCell<libc::pthread_mutex_t>);
+impl Mutex {
+    fn get(&self) -> *mut libc::pthread_mutex_t {
+        self.0.get()
+    }
+}
+
+unsafe impl Send for Mutex {}
+unsafe impl Sync for Mutex {}
+
+// The offset to the "sensitive" part of the mutex (that Miri attaches the metadata to).
+const OFFSET: usize = if cfg!(target_os = "macos") { 4 } else { 0 };
+
+fn main() {
+    let m = Mutex(UnsafeCell::new(libc::PTHREAD_MUTEX_INITIALIZER));
+    thread::scope(|s| {
+        // First thread: grabs the lock.
+        s.spawn(|| {
+            assert_eq!(unsafe { libc::pthread_mutex_lock(m.get()) }, 0);
+            thread::yield_now();
+            unreachable!();
+        });
+        // Second thread: queues for the lock.
+        s.spawn(|| {
+            assert_eq!(unsafe { libc::pthread_mutex_lock(m.get()) }, 0);
+            unreachable!();
+        });
+        // Third thread: tries to read the lock while second thread is queued.
+        s.spawn(|| {
+            let atomic_ref = unsafe { &*m.get().byte_add(OFFSET).cast::<AtomicU32>() };
+            let _val = atomic_ref.load(Ordering::Relaxed); //~ERROR: read access to `pthread_mutex_t` is forbidden while the queue is non-empty
+        });
+    });
+}
diff --git a/tests/fail-dep/concurrency/libc_pthread_mutex_read_while_queued.stderr b/tests/fail-dep/concurrency/libc_pthread_mutex_read_while_queued.stderr
@@ -0,0 +1,13 @@
+error: Undefined Behavior: read access to `pthread_mutex_t` is forbidden while the queue is non-empty
+  --> tests/fail-dep/concurrency/libc_pthread_mutex_read_while_queued.rs:LL:CC
+   |
+LL | ...   let _val = atomic_ref.load(Ordering::Relaxed);
+   |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+
diff --git a/tests/fail-dep/concurrency/libc_pthread_mutex_write_while_queued.rs b/tests/fail-dep/concurrency/libc_pthread_mutex_write_while_queued.rs
@@ -0,0 +1,41 @@
+//@ignore-target: windows # No pthreads on Windows
+//@compile-flags: -Zmiri-fixed-schedule
+
+use std::cell::UnsafeCell;
+use std::sync::atomic::*;
+use std::thread;
+
+struct Mutex(UnsafeCell<libc::pthread_mutex_t>);
+impl Mutex {
+    fn get(&self) -> *mut libc::pthread_mutex_t {
+        self.0.get()
+    }
+}
+
+unsafe impl Send for Mutex {}
+unsafe impl Sync for Mutex {}
+
+// The offset to the "sensitive" part of the mutex (that Miri attaches the metadata to).
+const OFFSET: usize = if cfg!(target_os = "macos") { 4 } else { 0 };
+
+fn main() {
+    let m = Mutex(UnsafeCell::new(libc::PTHREAD_MUTEX_INITIALIZER));
+    thread::scope(|s| {
+        // First thread: grabs the lock.
+        s.spawn(|| {
+            assert_eq!(unsafe { libc::pthread_mutex_lock(m.get()) }, 0);
+            thread::yield_now();
+            unreachable!();
+        });
+        // Second thread: queues for the lock.
+        s.spawn(|| {
+            assert_eq!(unsafe { libc::pthread_mutex_lock(m.get()) }, 0);
+            unreachable!();
+        });
+        // Third thread: tries to overwrite the lock while second thread is queued.
+        s.spawn(|| {
+            let atomic_ref = unsafe { &*m.get().byte_add(OFFSET).cast::<AtomicU32>() };
+            atomic_ref.store(0, Ordering::Relaxed); //~ERROR: write access to `pthread_mutex_t` is forbidden while the queue is non-empty
+        });
+    });
+}
diff --git a/tests/fail-dep/concurrency/libc_pthread_mutex_write_while_queued.stderr b/tests/fail-dep/concurrency/libc_pthread_mutex_write_while_queued.stderr
@@ -0,0 +1,13 @@
+error: Undefined Behavior: write access to `pthread_mutex_t` is forbidden while the queue is non-empty
+  --> tests/fail-dep/concurrency/libc_pthread_mutex_write_while_queued.rs:LL:CC
+   |
+LL | ...   atomic_ref.store(0, Ordering::Relaxed);
+   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+

Original file line number	Diff line number	Diff line change
`@@ -57,6 +57,10 @@ impl InitOnceRef {`
`57`	`57`	`pub fn begin(&self) {`
`58`	`58`	`self.0.borrow_mut().begin();`
`59`	`59`	`}`
	`60`	`+`
	`61`	`+ pub fn queue_is_empty(&self) -> bool {`
	`62`	`+ self.0.borrow().waiters.is_empty()`
	`63`	`+ }`
`60`	`64`	`}`
`61`	`65`
`62`	`66`	`impl VisitProvenance for InitOnceRef {`
Original file line number	Diff line number	Diff line change
`@@ -16,6 +16,11 @@ use crate::*;`
`16`	`16`
`17`	`17`	`/// A trait for the synchronization metadata that can be attached to a memory location.`
`18`	`18`	`pub trait SyncObj: Any {`
	`19`	`+ /// Determines whether reads/writes to this object's location are currently permitted.`
	`20`	`+ fn on_access<'tcx>(&self, _access_kind: AccessKind) -> InterpResult<'tcx> {`
	`21`	`+ interp_ok(())`
	`22`	`+ }`
	`23`	`+`
`19`	`24`	`/// Determines whether this object's metadata shall be deleted when a write to its`
`20`	`25`	`/// location occurs.`
`21`	`26`	`fn delete_on_write(&self) -> bool {`
`@@ -62,6 +67,10 @@ impl MutexRef {`
`62`	`67`	`pub fn owner(&self) -> Option<ThreadId> {`
`63`	`68`	`self.0.borrow().owner`
`64`	`69`	`}`
	`70`	`+`
	`71`	`+ pub fn queue_is_empty(&self) -> bool {`
	`72`	`+ self.0.borrow().queue.is_empty()`
	`73`	`+ }`
`65`	`74`	`}`
`66`	`75`
`67`	`76`	`impl VisitProvenance for MutexRef {`
`@@ -138,6 +147,11 @@ impl RwLockRef {`
`138`	`147`	`pub fn is_write_locked(&self) -> bool {`
`139`	`148`	`self.0.borrow().is_write_locked()`
`140`	`149`	`}`
	`150`	`+`
	`151`	`+ pub fn queue_is_empty(&self) -> bool {`
	`152`	`+ let inner = self.0.borrow();`
	`153`	`+ inner.reader_queue.is_empty() && inner.writer_queue.is_empty()`
	`154`	`+ }`
`141`	`155`	`}`
`142`	`156`
`143`	`157`	`impl VisitProvenance for RwLockRef {`
`@@ -165,8 +179,8 @@ impl CondvarRef {`
`165`	`179`	`Self(Default::default())`
`166`	`180`	`}`
`167`	`181`
`168`		`- pub fn is_awaited(&self) -> bool {`
`169`		`- !self.0.borrow().waiters.is_empty()`
	`182`	`+ pub fn queue_is_empty(&self) -> bool {`
	`183`	`+ self.0.borrow().waiters.is_empty()`
`170`	`184`	`}`
`171`	`185`	`}`
`172`	`186`