rust-lang / rust-clippy

A bunch of lints to catch common mistakes and improve your Rust code. Book: https://doc.rust-lang.org/clippy/
https://rust-lang.github.io/rust-clippy/

New Lints for run time analysis for raw pointer referencing #4156

Open saarshah opened 5 years ago

saarshah commented 5 years ago

I want to write new lints for run time raw pointer referencing errors, but I need a mentor and detailed guidance material. Although I have already followed and implemented This and this, I could not find enough detailed helping material (documentation) for newcomers, for example to analyse some wrong Rust code using clippy lints. I am confused, as there are a lot of functions/methods in syntax::ast and other related crates: which function is useful for which scenario? For instance, if I want to detect whether there is any unsafe or *mut or variable name “x”, and so on and so forth, how do I detect this? I think ident.name = “unsafe” would not work.

Manishearth commented 5 years ago

What do you mean "runtime raw pointer referencing errors"?

saarshah commented 5 years ago

I want to write a lint to detect mutating an immutable variable using raw pointers, which clippy could not detect. But I am a newbie in this field and therefore need detailed documentation with examples. I want to detect and capture from given code myfile.rs, as given below, for instance unsafe, *mut, variable, function arguments, etc.

unsafe {
    let p: *const i32 = &x;
    let q: *mut i32 = p as *mut i32;
    *q = 12;
}

So which functions/methods are used to detect/capture such statements, expressions, variables, function arguments, etc. using syntax::ast/hir?

oli-obk commented 5 years ago

Ah, I believe you're looking at the wrong tool, what you want is miri. clippy is for compile-time analysis, miri is for runtime analysis. You can use miri directly on the playground: https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=1df09fa26c48b909873fef8a5a057ab5 (click "Tools" on the right top side and then "Miri").

If you want to detect such things statically, that is nearly impossible with enough indirection. While it would be possible to detect your simple case, most likely the raw pointer would come from e.g. a struct field that isn't written in the current function. This kind of static analysis is something that I don't know how to do correctly, that would require some extensive research, and that I would expect to need at least 3-6 months of full time work.

If you just want a local function analysis to ensure it doesn't happen within a single function, then you probably would want to look into implementing a MirPass and not an AST or HIR analysis. Although this gets very close to symbolic execution, which is a big topic on its own.

All in all, I suggest to go with miri for now and run your test suite via miri.
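An added example, not part of the original thread: the struct-field indirection described in the comment above, next to a sound alternative. `Handle`, `overwrite`, `unsound_demo` and `sound_demo` are hypothetical names chosen for illustration.

```rust
use std::cell::Cell;

/// Hypothetical type: holds a raw pointer that was created elsewhere.
struct Handle {
    ptr: *const i32,
}

impl Handle {
    /// The pointer is derived from a shared reference, so it is read-only.
    fn new(target: &i32) -> Self {
        Handle { ptr: target as *const i32 }
    }

    /// UNSOUND on purpose: the same cast-and-write as in the question, but
    /// the pointer arrives through a field, so nothing in this function
    /// body shows that it originally came from `&i32`.
    #[allow(dead_code)]
    unsafe fn overwrite(&self, value: i32) {
        let q = self.ptr as *mut i32;
        unsafe { *q = value };
    }
}

/// Runs the unsound path. It compiles, but the write is undefined
/// behaviour and Miri reports it at run time. Not called from `main`.
#[allow(dead_code)]
fn unsound_demo() -> i32 {
    let x: i32 = 5; // immutable binding
    let h = Handle::new(&x);
    unsafe { h.overwrite(12) };
    x
}

/// Sound alternative: mutation behind a shared reference goes through `Cell`.
fn sound_demo() -> i32 {
    let x = Cell::new(5);
    let shared: &Cell<i32> = &x;
    shared.set(12);
    x.get()
}

fn main() {
    println!("sound_demo() = {}", sound_demo());
}
```

Replacing the call in `main` with `unsound_demo()` and running the program under Miri makes the invalid write show up as an undefined-behaviour error at the line inside `overwrite`.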

saarshah commented 5 years ago

Thanks for your detailed answer. If I still want to add such features to Clippy and also want to contribute by working on it for six months (as I am a first-year PhD student and in the phase of finding a thesis topic!), then could you suggest whether I should delve into this topic or SOMETHING else?

By the way, I run cargo miri test (on my project to be tested) with no errors (and also got zero tests passed and zero tests failed), but when I run cargo miri run on my project (of blockchain), miri gives me the following error:

error[E0080]: Miri evaluation error: miri does not support gathering system entropy in deterministic mode! Use '-Zmiri-seed=' to enable random number generation. WARNING: Miri does not generate cryptographically secure entropy - do not use Miri to run any program that needs secure random number generation

oli-obk commented 5 years ago

As the error message says, you need to pass -Zmiri-seed=018308 or some other number. Miri itself is deterministic.

Not sure why your tests aren't being run, can you open an issue in the miri repo with a link to the repo where the tests aren't being run?

> Then could you suggest whether I should delve into this topic or SOMETHING else?

Oh, now that is awesome!

So... symbolic execution of Rust code (and then running the result through SAT solvers) is something @christianpoveda has just finished their master's thesis on (see also their SIRE project). It's totally doable, but you'll probably need to do a global analysis over the entire program to catch all such bugs. You can probably start with one just for a single function and scale up from there.

pvdrz commented 5 years ago

I'm just a humble student but I think raising SIRE to be able to do proper symbolic execution for a greater subset of MIR would produce interesting questions for a PhD. Currently SIRE can only handle functions without side effects, so no mutation nor panics can be evaluated, so it is in a "proof of concept" state.

saarshah commented 5 years ago

Thanks for your prompt reply @oli-obk. I will give time to symbolic execution (as I am new in this field) on Rust. @christianpoveda, thanks for your efforts. It would be nice if you could give me step-by-step details on how to run/configure/test your tools to analyse its effectiveness. My email is saarshah@gmail.com

pvdrz commented 5 years ago

You can find all relevant info about sire in its repo, I added instructions of how to run sire. If you want to get into the formal details and implications of this you can check my thesis document. And of course if you want to talk about this in more detail you can reach me (and Oliver) in discord and zulip, our usernames are consistent across platforms :)

saarshah commented 5 years ago

[image: error]

I am very thankful to you @christianpoveda for such support. I have followed your instructions, but it gives this error. BTW, should I file this issue in your repo?

pvdrz commented 5 years ago

Ok that's not a bug. It's just that SIRE cannot execute the whole set of mir functions (check readme)