cg_llvm: Assert that LLVM range-attribute values don't exceed 128 bits #145867
Merged
+30
−11
The underlying implementation of `LLVMCreateConstantRangeAttribute` assumes that each of `LowerWords` and `UpperWords` points to enough u64 values to define an integer of the specified bit-length, and will encounter UB if that is not the case. Our safe wrapper function always passes pointers to `[u64; 2]` arrays, regardless of the bit-length specified. That's fine in practice, because scalar primitives never exceed 128 bits, but it is technically a soundness hole in a safe function. We can close the soundness hole by explicitly asserting `size_bits <= 128`. This is effectively just a stricter version of the existing check that the value must be small enough to fit in `c_uint`.
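To make the soundness hole and the fix concrete, here is an added example that is not the rustc or LLVM code: a simulated stand-in for the C++ callee, the pre-existing `c_uint` check, the stricter `size_bits <= 128` check, and a safe wrapper that passes fixed `[u64; 2]` arrays per bound. The names `fake_llvm_create_range`, `width_check` and `create_range_attr` are hypothetical, and the assumption that the callee reads ceil(size_bits / 64) words per bound is mine.

```rust
use std::os::raw::c_uint;

/// Words a `size_bits`-bit integer occupies, assuming the callee reads
/// ceil(size_bits / 64) u64 words per bound (as an APInt of that width would).
pub fn words_needed(size_bits: u64) -> usize {
    ((size_bits + 63) / 64) as usize
}

/// Stand-in for the C++ side of `LLVMCreateConstantRangeAttribute` (not LLVM's code).
/// Unchecked precondition, as in the real FFI: `lower` and `upper` each point to at
/// least `words_needed(size_bits)` readable u64 values; fewer is undefined behaviour.
pub unsafe fn fake_llvm_create_range(size_bits: c_uint, lower: *const u64, upper: *const u64) -> (u128, u128) {
    let n = words_needed(u64::from(size_bits));
    // Little-endian word order: word i holds bits [64*i, 64*i + 64).
    let load = |p: *const u64| (0..n).fold(0u128, |acc, i| acc | (u128::from(unsafe { *p.add(i) }) << (64 * i)));
    (load(lower), load(upper))
}

/// Both width checks: the pre-existing "fits in c_uint" check and the stricter
/// `size_bits <= 128` check from the PR (the wrapper only ever passes two words).
pub fn width_check(size_bits: u64) -> Result<c_uint, String> {
    let width = c_uint::try_from(size_bits).map_err(|_| format!("{size_bits} bits does not fit c_uint"))?;
    if size_bits > 128 {
        return Err(format!("{size_bits} bits needs {} words, but only 2 are passed", words_needed(size_bits)));
    }
    Ok(width)
}

/// Safe wrapper in the shape of the hardened function: fixed `[u64; 2]` arrays per
/// bound, so anything wider than 128 bits is rejected before the FFI call.
pub fn create_range_attr(size_bits: u64, lower: [u64; 2], upper: [u64; 2]) -> (u128, u128) {
    // The PR's assert, spelled via width_check so the check itself can be probed.
    let width = width_check(size_bits).expect("range-attribute width exceeds 128 bits");
    // SAFETY: size_bits <= 128, so the callee reads at most 2 words from each array.
    unsafe { fake_llvm_create_range(width, lower.as_ptr(), upper.as_ptr()) }
}

fn main() {
    println!("{:?}", create_range_attr(128, [1, 2], [3, 4]));
    println!("{:?}", width_check(192));
}
```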
cc @nikic

@bors r+ rollup
bors added a commit that referenced this pull request (Aug 26, 2025):

Rollup of 11 pull requests

Successful merges:

- #144373 (remove deprecated Error::description in impls)
- #144551 (Add aarch64_be-unknown-linux-musl target)
- #145076 (Add new Tier-3 target: riscv64a23-unknown-linux-gnu)
- #145481 (Add parentheses for closure when suggesting calling closure)
- #145596 (Losslessly optimize PNG files)
- #145615 (Fix doc of `std::os::windows::io::BorrowedSocket::borrow_raw`)
- #145841 (Always build miri for the host in `x run miri`)
- #145861 (bootstrap: vendor `clippy_test_deps` too)
- #145863 (formatting_options: Make all methods `const`)
- #145867 (cg_llvm: Assert that LLVM range-attribute values don't exceed 128 bits)
- #145875 (Make bootstrap command caching opt-in)

r? `@ghost`
`@rustbot` modify labels: rollup
rust-timer added a commit that referenced this pull request (Aug 26, 2025):

Rollup merge of #145867 - Zalathar:range-attr, r=nikic

cg_llvm: Assert that LLVM range-attribute values don't exceed 128 bits

The underlying implementation of `LLVMCreateConstantRangeAttribute` assumes that each of `LowerWords` and `UpperWords` points to enough u64 values to define an integer of the specified bit-length, and will encounter UB if that is not the case. Our safe wrapper function always passes pointers to `[u64; 2]` arrays, regardless of the bit-length specified. That's fine in practice, because scalar primitives never exceed 128 bits, but it is technically a soundness hole in a safe function. We can close the soundness hole by explicitly asserting `size_bits <= 128`. This is effectively just a stricter version of the existing check that the value must be small enough to fit in `c_uint`.

---

This is a narrower version of the fix in #145846.
Labels
A-LLVM
Area: Code generation parts specific to LLVM. Both correctness bugs and optimization-related issues.
S-waiting-on-bors
Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
T-compiler
Relevant to the compiler team, which will review and decide on the PR/issue.