-
Notifications
You must be signed in to change notification settings - Fork 57
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
What are the special magic rules around malloc
?
#535
Comments
The issue with this magic that I see is if you implement malloc itself in Rust.
Another issue is LTO or even cross-language LTO. |
I agree that this magic is potentially problematic. I don't know if LLVM has a way to disable it though. |
Fair enough. But I do believe rust / llvm need an answer for how to properly handle the above scenarios. How do I do these things soundly in Rust? Can I or can I not use LTO when making a libc for example? Also, as I understand it, any soundness issues that cannot be traced to an unsafe block (or unsafe attribute, unsafe command line flags (though I don't think those exist yet?), etc) are compiler bugs? Though in this case I guess the unsafe bit is the no-mangle export of a function called |
Could I dig a bit more into why this is important? Could we avoid such issues by having the malloc implementation explicitly "carve out" an existing allocation and give it back to the Abstract Machine, minting a new allocation? I imagine this "carving out" would come with significant limitations, such as no access being allowed to that region of memory until it is returned. In this model, the |
Taken from #534:
Currently, LLVM doesn't do the second optimization. However, it does perform it if you manually set
System
to be the global allocator: https://rust.godbolt.org/z/a77PWjeKE 1. This is due to this line, which is used by their GVN pass.There are clearly special magic rules applying specifically for
malloc
that mean that its memory must be truly fresh for the Abstract Machine, and cannot be part of any previously existing stack/heap/other allocation. This is "fine" as long asmalloc
is called via FFI and all the state it works in is completely hidden from the current compilation unit. It becomes rather incoherent if there is ever a chance ofmalloc
itself being inlined into surrounding code, or exchanging data with surrounding code via global state -- so we better have rules in place against things like that. I think we should say thatmalloc
is reserved to be provided by the underlying runtime system, and it must be called via FFI in a way that no inlining is possible.Note that this is separate from Rust's
#[global_allocator]
attribute, which does not get all the same magic thatmalloc
gets. See #442 for discussion of the semantics of that attribute.Footnotes
You also get the
malloc
->calloc
transformation for types other than these hardcoded ones if you setSystem
to be the global allocator manually. ↩The text was updated successfully, but these errors were encountered: