Progress on defeating lifetime-end pointer zapping
2 days ago
- #memory safety
- #multithreading
- #undefined behavior
- Paul McKenney discusses the lifetime-end-pointer-zapping problem in multithreaded code, which is technically undefined behavior in C and C++.
- Common patterns like atomic LIFO stacks can create pointers with valid bit patterns but invalid provenance, leading to undefined behavior.
- McKenney proposes changes to C and C++ specifications to address this issue, which could also affect unsafe Rust code, such as kernel Rust bindings.
- The problem arises when a memory allocator reuses the same memory location for a new object, so a compare-and-swap comparing a stale pointer to the old object against a pointer to the new one succeeds when it should fail.
- Davis Herring's 'angelic provenance' proposal was considered but rejected due to potential optimization issues.
- McKenney's proposal includes treating loads through atomic types as integer-to-pointer conversions to apply angelic provenance rules.
- The discussion highlights the need for compilers to handle invalid pointers gracefully, ensuring bits are written even if provenance is unusable.
- Rust's handling of analogous issues was discussed, including the challenges of reordering angelic and demonic choices.
- McKenney praised Rust's approach to pointer arithmetic, noting its advantages over C and C++.
- The article concludes with optimism about near-term solutions and ongoing work to address these issues in C and C++.
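The stale compare-and-swap scenario from the atomic-LIFO and allocator-reuse bullets above, as an added C example that is not code from the article: a two-slot pool stands in for malloc/free (an assumption made so that the freed node's address is reused deterministically), and the thread interleaving is replayed on one thread so the outcome is reproducible. With a real allocator the comparison against the freed pointer would itself be the undefined behaviour the article discusses.

```c
#include <stdatomic.h>
#include <stdbool.h>
#include <stddef.h>
/* Node of an atomic LIFO (Treiber-style) stack. */
struct node { struct node *next; int value; };
/* Two-slot pool standing in for malloc/free, so a freed slot is reused at
 * exactly the same address and the interleaving below is reproducible. */
static struct node pool[2];
static bool in_use[2];
static struct node *pool_alloc(void)
{
    for (size_t i = 0; i < 2; i++)
        if (!in_use[i]) { in_use[i] = true; return &pool[i]; }
    return NULL;
}
static void pool_free(struct node *n) { in_use[n - pool] = false; }
static _Atomic(struct node *) head;
static void push(struct node *n)
{
    n->next = atomic_load(&head);
    while (!atomic_compare_exchange_weak(&head, &n->next, n)) { }
}
/* Nodes reachable from head; used to show that a node went missing. */
static int stack_size(void)
{
    int n = 0;
    for (struct node *p = atomic_load(&head); p; p = p->next) n++;
    return n;
}

/* Replays the problematic interleaving on one thread.  Returns the value of
 * the node that thread A's stale CAS silently dropped, or 0 if the CAS failed. */
static int demonstrate_zapped_cas(void)
{
    atomic_store(&head, NULL); in_use[0] = in_use[1] = false;
    struct node *a = pool_alloc(); a->value = 1; push(a);
    struct node *b = pool_alloc(); b->value = 2; push(b);   /* stack: b -> a */
    /* Thread A starts pop(): reads head (b) and b->next (a), then is preempted. */
    struct node *old_head = atomic_load(&head);
    struct node *old_next = old_head->next;
    /* Thread B: pops b, frees it, allocates a new node (same slot), pushes it. */
    atomic_store(&head, b->next);
    pool_free(b);                    /* old_head now refers to dead storage */
    struct node *b2 = pool_alloc();  /* same bit pattern as old_head */
    b2->value = 3; push(b2);         /* stack: b2 -> a */
    /* Thread A resumes: CAS compares bit patterns only, so it succeeds and
     * installs the stale old_next, silently dropping b2 from the stack. */
    if (!atomic_compare_exchange_strong(&head, &old_head, old_next)) return 0;
    return (stack_size() == 1 && atomic_load(&head) == a) ? b2->value : 0;
}
```

The dropped node is the visible damage; the stale pointer that made the CAS succeed is the one whose provenance the proposed specification changes are meant to make usable.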