Potential unsoundness on non-embedded targets: safe APIs dereference a fixed pointer #619
Description
Hi, thanks for maintaining cortex-m.
While running some automated checks under Miri/Kani on a host environment, we found that calling the safe APIs cortex_m::peripheral::DWT::num_comp() can trigger a Miri UB error due to dereferencing a fixed MMIO address (no allocation / no provenance). I understand this crate is designed for Cortex-M, so this may be an “expected outside target” limitation rather than a soundness bug.
Our tool also flagged many similar occurrences across the crate, such as DWT::has_external_match(), cortex_m::peripheral::SCB::set_pendsv().
Example PoC
#[test]
fn test_57() {
cortex_m::peripheral::DWT::num_comp();
}Condensed Miri Report
error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 4 bytes, but got 0xe0001000[noalloc] which is a dangling pointer (it has no provenance)
--> cortex-m-0.7.7/src/peripheral/dwt.rs:80:19
|
80 | unsafe { ((*Self::PTR).ctrl.read() >> NUMCOMP_OFFSET) as u8 }
| ^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
|
= help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
= help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further informationNotes / what I’m unsure about
- This seems to stem from dereferencing the fixed register base address (
Self::PTR, e.g.0xE000_1000) which is not a valid/provenanced pointer in Miri’s host execution model. - It might be totally expected that this safe API is only valid on Cortex-M targets with the corresponding peripheral present and enabled.
If you think this is worth addressing, cfg/feature gating could be considered to restrict modules/APIs so they are only available on the intended targets.
We would appreciate your confirmation.