Closed jonas-schievink closed 3 years ago
Linking relevant issues so others can follow breadcrumbs:
We also need to reach out to tock-os; I'll open an issue there shortly.
Edit: Added tock-os issue
Copying @RalfJung's comment from that Zulip thread:
This question is indeed well outside the usual abstract machine model, so I find it hard to say much. It quite clearly violates the aliasing rules, but also in some sense it happens before the abstract machine is even initialized and the aliasing rules start making sense. A compiler barrier is strongly advised, is unfortunately all I can say -- sorry.
I'd say the most practical way to continue is thus: add `compiler_fence`s to r0 (done in https://github.com/rust-embedded/r0/pull/25), publish that as 1.0.1. We might want to yank 1.0.0, but we won't yank/deprecate the whole r0 crate.

Note that I was talking about the "writing to statics without actually going through the static" part in what you quote above.
The issue about out-of-bounds accesses is a separate one, for which I created a new UCG issue as this has come up before: https://github.com/rust-lang/unsafe-code-guidelines/issues/259.
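As an added example (not code from this thread, from r0, or from cortex-m-rt), the following sketch shows the shape of the `compiler_fence` approach discussed above: `zero_bss`/`init_data` routines modelled on r0's signatures, each ending in a `compiler_fence(Ordering::SeqCst)` so the compiler cannot move later accesses to statics ahead of the initialisation loop. To keep it runnable on a host and to respect the in-bounds requirement of `ptr::add`/`ptr::offset`, the "RAM" is a constructed `Vec<u32>` rather than linker-provided extern statics; the `simulate_boot` function and its section layout are assumptions made for the example only.

```rust
use core::ptr;
use core::sync::atomic::{compiler_fence, Ordering};

/// Zero every `u32` in `[sbss, ebss)`.
///
/// Safety: both pointers must lie within one allocated object and
/// `ebss >= sbss`; that in-bounds requirement is exactly what
/// `ptr::add`/`ptr::offset` demand and what the thread is about.
pub unsafe fn zero_bss(mut sbss: *mut u32, ebss: *mut u32) {
    while sbss < ebss {
        ptr::write_volatile(sbss, 0);
        sbss = sbss.add(1);
    }
    // Keep the compiler from hoisting later reads/writes of statics
    // above the loop that makes their memory valid.
    compiler_fence(Ordering::SeqCst);
}

/// Copy `[sidata, sidata + len)` into `[sdata, edata)`, where `len`
/// is `edata - sdata` in `u32` units. Same safety requirements as above,
/// plus `sidata` must point at at least `len` readable `u32`s.
pub unsafe fn init_data(mut sdata: *mut u32, edata: *mut u32, mut sidata: *const u32) {
    while sdata < edata {
        ptr::write_volatile(sdata, ptr::read(sidata));
        sdata = sdata.add(1);
        sidata = sidata.add(1);
    }
    compiler_fence(Ordering::SeqCst);
}

/// Host-side simulation (an assumption for this example): a heap buffer
/// stands in for RAM so that every pointer stays inside one allocation.
/// Layout (constructed): words 0..3 are `.data`, words 3..8 are `.bss`.
pub fn simulate_boot() -> Vec<u32> {
    let mut ram = vec![0xDEAD_BEEFu32; 8]; // garbage before reset
    let flash_idata: [u32; 3] = [1, 2, 3]; // `.data` initial values in "flash"
    unsafe {
        let base = ram.as_mut_ptr();
        init_data(base, base.add(3), flash_idata.as_ptr());
        zero_bss(base.add(3), base.add(8));
    }
    ram
}

fn main() {
    println!("{:?}", simulate_boot());
}
```

The fence does not make the pointer arithmetic legal; it only orders the compiler's view of memory. On a real target the start/end symbols still have to be obtained in a way that keeps the arithmetic within one allocated object, which is the separate out-of-bounds question the thread links to.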
https://github.com/rust-embedded/cortex-m-rt/blob/96525a64197049d11cfc8cb5cc2c4dc9b5240e42/src/lib.rs#L939-L959
This code uses a pointer to a single `u32`, but writes an arbitrary amount of data beyond the `u32`. This is UB, as it violates the contract of `ptr::offset`, which is called by r0. Namely: