Added -Z randomize-layout flag #87868
Conversation
| Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @eddyb (or someone else) soon. Please see the contribution instructions for more information. |
rust-highfive added the S-waiting-on-review 
| @rustbot label +A-layout +T-compiler |
rustbot added A-layout 
Kixiron force-pushed the packing-on-the-pounds branch from 0f14145 to c4a15ed Compare 
| So this makes structs bigger than the size of the sum of their fields? Particularly, this makes structs with a single field bigger than that one field? |
| I believe that's the intention of the flag, yes. Yes, this would break code that is incorrectly relying on the layout of repr(Rust) types. …On Thu, Aug 26, 2021 at 09:09 Lokathor ***@***.***> wrote: So this makes structs bigger than the size of the sum of their fields? Particularly, this makes structs with a single field bigger than that one field? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#87868 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABGLD262YA5AJJVWQ3YLL2LT6Y4IBANCNFSM5BYVL2PQ> . |
| On the one hand yes, on the other hand this flies against the current best estimation of the UCG. I am aware it isn't RFC'd, but I'm not sure that part of field randomization is a good idea even if there's no RFC. |
| It could be limited to structs with more than 1 non-zst fields of different types. Of course that depends on what exactly the UCG mean by "homogenous structs", which is still an open question. |
| Primarily I'm mostly concerned about single field structs. People should be able to, in general, trust their newtypes. Like even if you forget to specifically write down repr(transparent), rust has no legitimate reason to break the layout of a single field struct. Secondarily I'm slightly concerned about situations with multi-field structs where this introduces padding bytes that were not present within the struct previously. Re-ordering fields so that the structure doesn't get bigger and have padding bytes added I'm all for, but if there is a Though ultimately this is a debug sort of flag so it's not the end of the world if turning it on makes things go wild, it's better if turning on the flag doesn't trigger UB and make the entire debug attempt pointless because there's UB in the program. |
| On Thu, Aug 26, 2021 at 10:38 Lokathor ***@***.***> wrote: Primarily I'm mostly concerned about single field structs <https://rust-lang.github.io/unsafe-code-guidelines/layout/structs-and-tuples.html#single-field-structs>. People should be able to, in general, trust their newtypes. Like even if you forget to specifically write down repr(transparent), rust has no legitimate reason to break the layout of a single field struct. Perhaps, perhaps not. What happens if you had a #[repr(Rust)] struct Foo(u8); on a platform that only has native 32-bit reads (and has to emulate smaller ones)? It would be more efficient to add 3 padding bytes to Foo, but if it becomes guaranteed that Foo is layed out like u8, now there is a potential layout optimization left on the table. Secondarily I'm slightly concerned about situations with multi-field structs where this introduces padding bytes that were not present within the struct previously. Re-ordering fields so that the structure doesn't get bigger and have padding bytes added I'm all for, but if there is a Point(i32,i32) people should be able to look at that and assume no padding in the structure. Though ultimately this is a debug sort of flag so it's not the end of the world if turning it on makes things go wild, it's better if turning on the flag doesn't trigger UB and make the entire debug attempt pointless because there's UB in the program. Well, at that point, transmute would error. You could also run the result through miri, where the UB will be trapped. … — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#87868 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABGLD23KJRR7SBYCUHQ3EE3T6ZGVNANCNFSM5BYVL2PQ> . |
| Sure, |
| bytemuck can't be used with repr(Rust) types, can it? Pod requires the type be repr(C) or repr(transparent) explicitly. …On Thu, Aug 26, 2021 at 10:57 Lokathor ***@***.***> wrote: Sure, transmute itself will error, but other forms of transmutation will not. For example, the most popular crate for safe transmutation abstraction (bytemuck) doesn't even use the transmute function at all, because that function doesn't work with generics. — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#87868 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABGLD24AFSVHTDZZTUQYA5LT6ZI4HANCNFSM5BYVL2PQ> . |
| Yes, that is what's documented in Also, that's just one example to show that My general point is that while some field randomization is probably fine we should not do too much of it and give trouble to people who are living in a gray zone. |
| Well, the idea behind the flag is to find code that relies on something it shouldn't. It's designed to be opt-in, and I'm sure that someone was transmuting things (not via mem::transmute), and used this flag in conjunction with miri, they'd get a very loud error. |
Kixiron changed the title | @eddyb This is ready for review, compiler-team/#457 was accepted |
This comment has been minimized.
This comment has been minimized.
Kixiron force-pushed the packing-on-the-pounds branch from 8c4e116 to b3c3a3b Compare 
This comment has been minimized.
This comment has been minimized.
Kixiron force-pushed the packing-on-the-pounds branch from b3c3a3b to 0738a5b Compare This comment has been minimized.
This comment has been minimized.
Kixiron force-pushed the packing-on-the-pounds branch 2 times, most recently from 34d896d to b60afed Compare This comment has been minimized.
This comment has been minimized.
Kixiron force-pushed the packing-on-the-pounds branch from b60afed to 8b23a68 Compare 
Kixiron force-pushed the packing-on-the-pounds branch from 8b23a68 to 09f1542 Compare 
| Under the assumption that the MCP (rust-lang/compiler-team#457) was enough: |
| 📌 Commit 09f1542 has been approved by |
bors added S-waiting-on-bors 
Added -Z randomize-layout flag An implementation of rust-lang#77316, it currently randomly shuffles the fields of `repr(rust)` types based on their `DefPathHash` r? `@eddyb`
…arth Rollup of 6 pull requests Successful merges: - rust-lang#87868 (Added -Z randomize-layout flag) - rust-lang#88820 (Add `pie` as another `relocation-model` value) - rust-lang#89029 (feat(rustc_parse): recover from pre-RFC-2000 const generics syntax) - rust-lang#89322 (Reapply "Remove optimization_fuel_crate from Session") - rust-lang#89340 (Improve error message for `printf`-style format strings) - rust-lang#89415 (Correct caller/callsite confusion in inliner message) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
ghost mentioned this pull request 
13 participants
An implementation of #77316, it currently randomly shuffles the fields of
repr(rust)types based on theirDefPathHashr? @eddyb