mmap/munmap/mremamp shims

Author: saethlin

src/concurrency/data_race.rs

@@ -707,7 +707,10 @@ impl VClockAlloc {
         let (alloc_timestamp, alloc_index) = match kind {
             // User allocated and stack memory should track allocation.
             MemoryKind::Machine(
-                MiriMemoryKind::Rust | MiriMemoryKind::C | MiriMemoryKind::WinHeap,
+                MiriMemoryKind::Rust
+                | MiriMemoryKind::C
+                | MiriMemoryKind::WinHeap
+                | MiriMemoryKind::Mmap,
             )
             | MemoryKind::Stack => {
                 let (alloc_index, clocks) = global.current_thread_state(thread_mgr);

src/machine.rs

@@ -88,6 +88,8 @@ pub enum MiriMemoryKind {
     /// Memory for thread-local statics.
     /// This memory may leak.
     Tls,
+    /// Memory mapped directly by the program
+    Mmap,
 }
 
 impl From<MiriMemoryKind> for MemoryKind<MiriMemoryKind> {
@@ -102,7 +104,7 @@ impl MayLeak for MiriMemoryKind {
     fn may_leak(self) -> bool {
         use self::MiriMemoryKind::*;
         match self {
-            Rust | C | WinHeap | Runtime => false,
+            Rust | C | WinHeap | Runtime | Mmap => false,
             Machine | Global | ExternStatic | Tls => true,
         }
     }
@@ -120,6 +122,7 @@ impl fmt::Display for MiriMemoryKind {
             Global => write!(f, "global (static or const)"),
             ExternStatic => write!(f, "extern static"),
             Tls => write!(f, "thread-local static"),
+            Mmap => write!(f, "mmap"),
         }
     }
 }
@@ -290,6 +293,14 @@ impl<'mir, 'tcx: 'mir> PrimitiveLayouts<'tcx> {
     }
 }
 
+pub struct Mapping {
+    pub ptr: Pointer<Option<Provenance>>,
+    pub alloc_id: AllocId,
+    pub len: u64,
+    pub can_read: bool,
+    pub can_write: bool,
+}
+
 /// The machine itself.
 pub struct Evaluator<'mir, 'tcx> {
     pub stacked_borrows: Option<stacked_borrows::GlobalState>,
@@ -310,6 +321,9 @@ pub struct Evaluator<'mir, 'tcx> {
     /// TLS state.
     pub(crate) tls: TlsData<'tcx>,
 
+    /// Mappings established through mmap
+    pub(crate) mappings: Vec<Mapping>,
+
     /// What should Miri do when an op requires communicating with the host,
     /// such as accessing host env vars, random number generation, and
     /// file system access.
@@ -428,6 +442,7 @@ impl<'mir, 'tcx> Evaluator<'mir, 'tcx> {
             argv: None,
             cmd_line: None,
             tls: TlsData::default(),
+            mappings: Vec::new(),
             isolated_op: config.isolated_op,
             validate: config.validate,
             enforce_abi: config.check_abi,
@@ -573,6 +588,10 @@ impl<'mir, 'tcx> Evaluator<'mir, 'tcx> {
         let def_id = frame.instance.def_id();
         def_id.is_local() || self.local_crates.contains(&def_id.krate)
     }
+
+    pub(crate) fn get_mapping(&self, alloc_id: AllocId) -> Option<&Mapping> {
+        self.mappings.iter().find(|m| m.alloc_id == alloc_id)
+    }
 }
 
 /// A rustc InterpCx for Miri.
@@ -872,6 +891,11 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
         (alloc_id, prov_extra): (AllocId, Self::ProvenanceExtra),
         range: AllocRange,
     ) -> InterpResult<'tcx> {
+        if let Some(map) = machine.get_mapping(alloc_id) {
+            if !map.can_read {
+                throw_ub_format!("{alloc_id:?} is a mapping that does not allow reads");
+            }
+        }
         if let Some(data_race) = &alloc_extra.data_race {
             data_race.read(
                 alloc_id,
@@ -904,6 +928,11 @@ impl<'mir, 'tcx> Machine<'mir, 'tcx> for Evaluator<'mir, 'tcx> {
         (alloc_id, prov_extra): (AllocId, Self::ProvenanceExtra),
         range: AllocRange,
     ) -> InterpResult<'tcx> {
+        if let Some(map) = machine.get_mapping(alloc_id) {
+            if !map.can_write {
+                throw_ub_format!("{alloc_id:?} is a mapping that does not allow writes");
+            }
+        }
         if let Some(data_race) = &mut alloc_extra.data_race {
             data_race.write(
                 alloc_id,

src/shims/unix/foreign_items.rs

@@ -10,6 +10,7 @@ use rustc_target::spec::abi::Abi;
 use crate::*;
 use shims::foreign_items::EmulateByNameResult;
 use shims::unix::fs::EvalContextExt as _;
+use shims::unix::mem::EvalContextExt as _;
 use shims::unix::sync::EvalContextExt as _;
 use shims::unix::thread::EvalContextExt as _;
 
@@ -207,6 +208,22 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
                 }
             }
 
+            "mmap" => {
+                let [addr, length, prot, flags, fd, offset] = this.check_shim(abi, Abi::C {unwind: false}, link_name, args)?;
+                let result = this.mmap(addr, length, prot, flags, fd, offset)?;
+                this.write_pointer(result, dest)?;
+            }
+            "mremap" => {
+                let [old_address, old_size, new_size, flags] = this.check_shim(abi, Abi::C {unwind: false}, link_name, args)?;
+                let result = this.mremap(old_address, old_size, new_size, flags)?;
+                this.write_pointer(result, dest)?;
+            }
+            "munmap" => {
+                let [addr, length] = this.check_shim(abi, Abi::C {unwind: false}, link_name, args)?;
+                let result = this.munmap(addr, length)?;
+                this.write_scalar(Scalar::from_i32(result), dest)?;
+            }
+
             // Dynamic symbol loading
             "dlsym" => {
                 let [handle, symbol] = this.check_shim(abi, Abi::C { unwind: false }, link_name, args)?;

src/shims/unix/mem.rs

@@ -0,0 +1,192 @@
+use crate::machine::{Mapping, PAGE_SIZE};
+use crate::*;
+use rustc_target::abi::{Align, Size};
+
+fn round_up_to_multiple_of_page_size(length: u64) -> Option<u64> {
+    #[allow(clippy::integer_arithmetic)] // PAGE_SIZE is nonzero
+    (length.checked_add(PAGE_SIZE - 1)? / PAGE_SIZE).checked_mul(PAGE_SIZE)
+}
+
+impl<'mir, 'tcx: 'mir> EvalContextExt<'mir, 'tcx> for crate::MiriEvalContext<'mir, 'tcx> {}
+pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx> {
+    fn mmap(
+        &mut self,
+        addr: &OpTy<'tcx, Provenance>,
+        length: &OpTy<'tcx, Provenance>,
+        prot: &OpTy<'tcx, Provenance>,
+        flags: &OpTy<'tcx, Provenance>,
+        fd: &OpTy<'tcx, Provenance>,
+        offset: &OpTy<'tcx, Provenance>,
+    ) -> InterpResult<'tcx, Pointer<Option<Provenance>>> {
+        let this = self.eval_context_mut();
+
+        let addr = this.read_pointer(addr)?;
+        let length = this.read_scalar(length)?.to_machine_usize(this)?;
+        let prot = this.read_scalar(prot)?.to_i32()?;
+        let flags = this.read_scalar(flags)?.to_i32()?;
+        let fd = this.read_scalar(fd)?.to_i32()?;
+        let offset = this.read_scalar(offset)?.to_machine_usize(this)?;
+
+        let prot_read = this.eval_libc_i32("PROT_READ")?;
+        let prot_write = this.eval_libc_i32("PROT_WRITE")?;
+        let map_private = this.eval_libc_i32("MAP_PRIVATE")?;
+        let map_anonymous = this.eval_libc_i32("MAP_ANONYMOUS")?;
+
+        // Only one of MAP_PRIVATE, MAP_SHARED, or MAP_SHARED_VALIDATE may be passed
+        if flags & this.eval_libc_i32("MAP_PRIVATE")? == 0 {
+            throw_unsup_format!("Miri does not support MAP_SHARED or MAP_SHARED_VALIDATE");
+        }
+
+        if flags & this.eval_libc_i32("MAP_STACK")? > 0 {
+            throw_unsup_format!("Miri does not support MAP_STACK");
+        }
+
+        if prot & this.eval_libc_i32("PROT_EXEC")? > 0 {
+            throw_unsup_format!("Miri does not support mapping executable pages");
+        }
+
+        if offset != 0 {
+            throw_unsup_format!("Miri does not support non-zero offsets to mmap (yet)");
+        }
+
+        if !this.ptr_is_null(addr)? {
+            throw_unsup_format!("Miri does not support non-null pointers to mmap");
+        }
+
+        if fd != -1 {
+            throw_unsup_format!("Miri does not support file-backed memory mappings");
+        }
+
+        if length == 0 {
+            this.set_last_error(Scalar::from_i32(this.eval_libc_i32("EINVAL")?))?;
+            return Ok(Pointer::null());
+        }
+
+        let align = Align::from_bytes(PAGE_SIZE).unwrap();
+        let map_length = round_up_to_multiple_of_page_size(length).unwrap_or(u64::MAX);
+
+        if (flags == map_private | map_anonymous) || (flags == map_private && fd != -1) {
+            // mmap as a memory allocator
+            let ptr = this.allocate_ptr(
+                Size::from_bytes(map_length),
+                align,
+                MiriMemoryKind::Mmap.into(),
+            )?;
+            // We just allocated this, the access is definitely in-bounds and fits into our address space.
+            // mmap guarantees new mappings are zero-init.
+            this.write_bytes_ptr(
+                ptr.into(),
+                std::iter::repeat(0u8).take(usize::try_from(map_length).unwrap()),
+            )
+            .unwrap();
+            let (prov, offset) = ptr.into_parts();
+            let ptr = Pointer::new(Some(prov), offset);
+
+            this.machine.mappings.push(Mapping {
+                ptr,
+                alloc_id: match prov {
+                    Provenance::Concrete { alloc_id, .. } => alloc_id,
+                    Provenance::Wildcard =>
+                        unreachable!("allocate_ptr should not return a Wildcard pointer"),
+                },
+                len: map_length,
+                can_read: prot & prot_read > 0,
+                can_write: prot & prot_write > 0,
+            });
+
+            Ok(ptr)
+        } else {
+            throw_unsup_format!(
+                "mmap is not supported with arguments: (addr: {addr}, length: {length}, prot: {prot:x}, flags: {flags:0x}, fd: {fd}, offset: {offset})"
+            );
+        }
+    }
+
+    fn mremap(
+        &mut self,
+        old_address: &OpTy<'tcx, Provenance>,
+        old_size: &OpTy<'tcx, Provenance>,
+        new_size: &OpTy<'tcx, Provenance>,
+        flags: &OpTy<'tcx, Provenance>,
+    ) -> InterpResult<'tcx, Pointer<Option<Provenance>>> {
+        let this = self.eval_context_mut();
+
+        let old_address = this.read_pointer(old_address)?;
+        let _old_size = this.read_scalar(old_size)?.to_machine_usize(this)?;
+        let new_size = this.read_scalar(new_size)?.to_machine_usize(this)?;
+        let flags = this.read_scalar(flags)?.to_i32()?;
+
+        if flags & this.eval_libc_i32("MREMAP_FIXED")? > 0 {
+            throw_unsup_format!("Miri does not support mremap wth MREMAP_FIXED");
+        }
+
+        if flags & this.eval_libc_i32("MREMAP_DONTUNMAP")? > 0 {
+            throw_unsup_format!("Miri does not support mremap wth MREMAP_DONTUNMAP");
+        }
+
+        if flags & this.eval_libc_i32("MREMAP_MAYMOVE")? == 0 {
+            // We only support MREMAP_MAYMOVE, so not passing the flag is just a failure
+            this.set_last_error(Scalar::from_i32(this.eval_libc_i32("EINVAL")?))?;
+            return Ok(Pointer::null());
+        }
+
+        let map_idx = this.machine.mappings.iter_mut().position(|map| map.ptr == old_address);
+
+        if let Some(i) = map_idx {
+            let pointer = this.realloc(old_address, new_size, MiriMemoryKind::Mmap)?;
+            let map = &mut this.machine.mappings[i];
+            map.ptr = pointer;
+            map.len = new_size;
+            map.alloc_id = match pointer.into_parts().0.unwrap() {
+                Provenance::Concrete { alloc_id, .. } => alloc_id,
+                Provenance::Wildcard =>
+                    unreachable!("allocate_ptr should not return a Wildcard pointer"),
+            };
+            Ok(pointer)
+        } else {
+            // This isn't a previous mapping
+            this.set_last_error(Scalar::from_i32(this.eval_libc_i32("EINVAL")?))?;
+            Ok(Pointer::null())
+        }
+    }
+
+    fn munmap(
+        &mut self,
+        addr: &OpTy<'tcx, Provenance>,
+        length: &OpTy<'tcx, Provenance>,
+    ) -> InterpResult<'tcx, i32> {
+        let this = self.eval_context_mut();
+
+        let addr = this.read_pointer(addr)?;
+        let length = this.read_scalar(length)?.to_machine_usize(this)?;
+
+        // The address addr must be a multiple of the page size (but length need not be).
+        #[allow(clippy::integer_arithmetic)] // PAGE_SIZE is nonzero
+        if addr.addr().bytes() % PAGE_SIZE != 0 {
+            this.set_last_error(Scalar::from_i32(this.eval_libc_i32("EINVAL")?))?;
+            return Ok(-1);
+        }
+
+        // All pages containing a part of the indicated range are unmapped.
+        // TODO: That means we can actually alter multiple mappings with munmap :/
+        let length = round_up_to_multiple_of_page_size(length).unwrap_or(u64::MAX);
+
+        let map_idx = this.machine.mappings.iter_mut().position(|map| {
+            let start = map.ptr.addr();
+            let end = map.ptr.addr() + Size::from_bytes(map.len);
+            addr.addr() >= start && addr.addr() < end
+        });
+
+        if let Some(i) = map_idx {
+            let map = &this.machine.mappings[i];
+            if map.ptr.addr() == addr.addr() && map.len == length {
+                this.machine.mappings.remove(i);
+                this.free(addr, MiriMemoryKind::Mmap)?;
+            } else {
+                throw_unsup_format!("Miri does not support partial munmap");
+            }
+        }
+        Ok(0)
+        // It is not an error if the indicated range does not contain any mapped pages.
+    }
+}

src/shims/unix/mod.rs

@@ -2,6 +2,7 @@ pub mod dlsym;
 pub mod foreign_items;
 
 mod fs;
+mod mem;
 mod sync;
 mod thread;
 

tests/fail/mmap_invalid_dealloc.rs

@@ -0,0 +1,18 @@
+//@compile-flags: -Zmiri-disable-isolation
+//@ignore-target-windows: No libc on Windows
+
+#![feature(rustc_private)]
+
+fn main() {
+    unsafe {
+        let ptr = libc::mmap(
+            std::ptr::null_mut(),
+            4096,
+            libc::PROT_READ | libc::PROT_WRITE,
+            libc::MAP_PRIVATE | libc::MAP_ANONYMOUS,
+            -1,
+            0,
+        );
+        libc::free(ptr); //~ ERROR: which is mmap memory, using C heap deallocation operation
+    }
+}

tests/fail/mmap_invalid_dealloc.stderr

@@ -0,0 +1,15 @@
+error: Undefined Behavior: deallocating ALLOC, which is mmap memory, using C heap deallocation operation
+  --> $DIR/mmap_invalid_dealloc.rs:LL:CC
+   |
+LL |         libc::free(ptr);
+   |         ^^^^^^^^^^^^^^^ deallocating ALLOC, which is mmap memory, using C heap deallocation operation
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `main` at $DIR/mmap_invalid_dealloc.rs:LL:CC
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to previous error
+

tests/fail/mmap_prot_none.rs

@@ -0,0 +1,18 @@
+//@compile-flags: -Zmiri-disable-isolation
+//@ignore-target-windows: No libc on Windows
+
+#![feature(rustc_private)]
+
+fn main() {
+    unsafe {
+        let ptr = libc::mmap(
+            std::ptr::null_mut(),
+            4096,
+            libc::PROT_NONE,
+            libc::MAP_PRIVATE | libc::MAP_ANONYMOUS,
+            -1,
+            0,
+        ) as *mut u8;
+        let _byte = *ptr; //~ ERROR: is a mapping that does not allow reads
+    }
+}