From 987ef4c9221e792614a015a39b78f7d6a156c2f2 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 17 Mar 2024 10:12:25 +0100 Subject: [PATCH 1/2] move assert_unsafe_preconditions to its own file These macros and functions are not intrinsics, after all. --- compiler/rustc_codegen_cranelift/src/base.rs | 2 +- library/core/src/char/convert.rs | 2 +- library/core/src/hint.rs | 5 +- library/core/src/intrinsics.rs | 145 ++---------------- library/core/src/lib.rs | 1 + library/core/src/num/nonzero.rs | 5 +- library/core/src/ops/index_range.rs | 5 +- library/core/src/ptr/alignment.rs | 4 +- library/core/src/ptr/const_ptr.rs | 2 +- library/core/src/ptr/mod.rs | 33 ++-- library/core/src/ptr/non_null.rs | 2 +- library/core/src/slice/index.rs | 2 +- library/core/src/slice/mod.rs | 2 +- library/core/src/slice/raw.rs | 16 +- library/core/src/str/traits.rs | 2 +- library/core/src/ub_checks.rs | 131 ++++++++++++++++ .../clippy_utils/src/qualify_min_const_fn.rs | 2 +- 17 files changed, 184 insertions(+), 177 deletions(-) create mode 100644 library/core/src/ub_checks.rs diff --git a/compiler/rustc_codegen_cranelift/src/base.rs b/compiler/rustc_codegen_cranelift/src/base.rs index 047dc56a32ead..dbce6d165d2d3 100644 --- a/compiler/rustc_codegen_cranelift/src/base.rs +++ b/compiler/rustc_codegen_cranelift/src/base.rs @@ -780,7 +780,7 @@ fn codegen_stmt<'tcx>( NullOp::OffsetOf(fields) => { layout.offset_of_subfield(fx, fields.iter()).bytes() } - NullOp::UbCheck(_) => { + NullOp::UbChecks => { let val = fx.tcx.sess.opts.debug_assertions; let val = CValue::by_val( fx.bcx.ins().iconst(types::I8, i64::try_from(val).unwrap()), diff --git a/library/core/src/char/convert.rs b/library/core/src/char/convert.rs index 70b9e89f9ea93..8f61292911030 100644 --- a/library/core/src/char/convert.rs +++ b/library/core/src/char/convert.rs 
@@ -4,9 +4,9 @@ use crate::char::TryFromCharError; use crate::convert::TryFrom; use crate::error::Error; use crate::fmt; -use crate::intrinsics::assert_unsafe_precondition; use crate::mem::transmute; use crate::str::FromStr; +use crate::ub_checks::assert_unsafe_precondition; /// Converts a `u32` to a `char`. See [`char::from_u32`]. #[must_use] diff --git a/library/core/src/hint.rs b/library/core/src/hint.rs index ffe059bf65cad..b27d0db461917 100644 --- a/library/core/src/hint.rs +++ b/library/core/src/hint.rs @@ -4,6 +4,7 @@ //! Hints may be compile time or runtime. use crate::intrinsics; +use crate::ub_checks; /// Informs the compiler that the site which is calling this function is not /// reachable, possibly enabling further optimizations. @@ -98,7 +99,7 @@ use crate::intrinsics; #[rustc_const_stable(feature = "const_unreachable_unchecked", since = "1.57.0")] #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces pub const unsafe fn unreachable_unchecked() -> ! { - intrinsics::assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "hint::unreachable_unchecked must never be reached", () => false @@ -148,7 +149,7 @@ pub const unsafe fn unreachable_unchecked() -> ! { pub const unsafe fn assert_unchecked(cond: bool) { // SAFETY: The caller promised `cond` is true. unsafe { - intrinsics::assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "hint::assert_unchecked must never be called when the condition is false", (cond: bool = cond) => cond, diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs index a0d5e220b865b..af83a8d8fa4d3 100644 --- a/library/core/src/intrinsics.rs +++ b/library/core/src/intrinsics.rs @@ -67,6 +67,7 @@ use crate::marker::DiscriminantKind; use crate::marker::Tuple; use crate::mem::align_of; use crate::ptr; +use crate::ub_checks; pub mod mir; pub mod simd; 
@@ -2755,132 +2756,6 @@ pub unsafe fn vtable_align(_ptr: *const ()) -> usize { // (`transmute` also falls into this category, but it cannot be wrapped due to the // check that `T` and `U` have the same size.) -/// Check that the preconditions of an unsafe function are followed. The check is enabled at -/// runtime if debug assertions are enabled when the caller is monomorphized. In const-eval/Miri -/// checks implemented with this macro for language UB are always ignored. -/// -/// This macro should be called as -/// `assert_unsafe_precondition!(check_{library,lang}_ub, "message", (ident: type = expr, ident: type = expr) => check_expr)` -/// where each `expr` will be evaluated and passed in as function argument `ident: type`. Then all -/// those arguments are passed to a function with the body `check_expr`. -/// Pick `check_language_ub` when this is guarding a violation of language UB, i.e., immediate UB -/// according to the Rust Abstract Machine. Pick `check_library_ub` when this is guarding a violation -/// of a documented library precondition that does not *immediately* lead to language UB. -/// -/// If `check_library_ub` is used but the check is actually guarding language UB, the check will -/// slow down const-eval/Miri and we'll get the panic message instead of the interpreter's nice -/// diagnostic, but our ability to detect UB is unchanged. -/// But if `check_language_ub` is used when the check is actually for library UB, the check is -/// omitted in const-eval/Miri and thus if we eventually execute language UB which relies on the -/// library UB, the backtrace Miri reports may be far removed from original cause. -/// -/// These checks are behind a condition which is evaluated at codegen time, not expansion time like -/// [`debug_assert`]. 
This means that a standard library built with optimizations and debug -/// assertions disabled will have these checks optimized out of its monomorphizations, but if a -/// caller of the standard library has debug assertions enabled and monomorphizes an expansion of -/// this macro, that monomorphization will contain the check. -/// -/// Since these checks cannot be optimized out in MIR, some care must be taken in both call and -/// implementation to mitigate their compile-time overhead. Calls to this macro always expand to -/// this structure: -/// ```ignore (pseudocode) -/// if ::core::intrinsics::check_language_ub() { -/// precondition_check(args) -/// } -/// ``` -/// where `precondition_check` is monomorphic with the attributes `#[rustc_nounwind]`, `#[inline]` and -/// `#[rustc_no_mir_inline]`. This combination of attributes ensures that the actual check logic is -/// compiled only once and generates a minimal amount of IR because the check cannot be inlined in -/// MIR, but *can* be inlined and fully optimized by a codegen backend. -/// -/// Callers should avoid introducing any other `let` bindings or any code outside this macro in -/// order to call it. Since the precompiled standard library is built with full debuginfo and these -/// variables cannot be optimized out in MIR, an innocent-looking `let` can produce enough -/// debuginfo to have a measurable compile-time impact on debug builds. -#[allow_internal_unstable(ub_checks)] // permit this to be called in stably-const fn -macro_rules! assert_unsafe_precondition { - ($kind:ident, $message:expr, ($($name:ident:$ty:ty = $arg:expr),*$(,)?) => $e:expr $(,)?) => { - { - // This check is inlineable, but not by the MIR inliner. - // The reason for this is that the MIR inliner is in an exceptionally bad position - // to think about whether or not to inline this. In MIR, this call is gated behind `debug_assertions`, - // which will codegen to `false` in release builds. 
Inlining the check would be wasted work in that case and - // would be bad for compile times. - // - // LLVM on the other hand sees the constant branch, so if it's `false`, it can immediately delete it without - // inlining the check. If it's `true`, it can inline it and get significantly better performance. - #[rustc_no_mir_inline] - #[inline] - #[rustc_nounwind] - #[rustc_const_unstable(feature = "ub_checks", issue = "none")] - const fn precondition_check($($name:$ty),*) { - if !$e { - ::core::panicking::panic_nounwind( - concat!("unsafe precondition(s) violated: ", $message) - ); - } - } - - if ::core::intrinsics::$kind() { - precondition_check($($arg,)*); - } - } - }; -} -pub(crate) use assert_unsafe_precondition; - -/// Checks whether `ptr` is properly aligned with respect to -/// `align_of::()`. -/// -/// In `const` this is approximate and can fail spuriously. It is primarily intended -/// for `assert_unsafe_precondition!` with `check_language_ub`, in which case the -/// check is anyway not executed in `const`. -#[inline] -pub(crate) const fn is_aligned_and_not_null(ptr: *const (), align: usize) -> bool { - !ptr.is_null() && ptr.is_aligned_to(align) -} - -#[inline] -pub(crate) const fn is_valid_allocation_size(size: usize, len: usize) -> bool { - let max_len = if size == 0 { usize::MAX } else { isize::MAX as usize / size }; - len <= max_len -} - -/// Checks whether the regions of memory starting at `src` and `dst` of size -/// `count * size` do *not* overlap. -/// -/// Note that in const-eval this function just returns `true` and therefore must -/// only be used with `assert_unsafe_precondition!`, similar to `is_aligned_and_not_null`. 
-#[inline] -pub(crate) const fn is_nonoverlapping( - src: *const (), - dst: *const (), - size: usize, - count: usize, -) -> bool { - #[inline] - fn runtime(src: *const (), dst: *const (), size: usize, count: usize) -> bool { - let src_usize = src.addr(); - let dst_usize = dst.addr(); - let Some(size) = size.checked_mul(count) else { - crate::panicking::panic_nounwind( - "is_nonoverlapping: `size_of::() * count` overflows a usize", - ) - }; - let diff = src_usize.abs_diff(dst_usize); - // If the absolute distance between the ptrs is at least as big as the size of the buffer, - // they do not overlap. - diff >= size - } - - #[inline] - const fn comptime(_: *const (), _: *const (), _: usize, _: usize) -> bool { - true - } - - const_eval_select((src, dst, size, count), comptime, runtime) -} - /// Copies `count * size_of::()` bytes from `src` to `dst`. The source /// and destination must *not* overlap. /// @@ -2979,7 +2854,7 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us pub fn copy_nonoverlapping(src: *const T, dst: *mut T, count: usize); } - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \ and the specified memory ranges do not overlap", @@ -2990,9 +2865,9 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us align: usize = align_of::(), count: usize = count, ) => - is_aligned_and_not_null(src, align) - && is_aligned_and_not_null(dst, align) - && is_nonoverlapping(src, dst, size, count) + ub_checks::is_aligned_and_not_null(src, align) + && ub_checks::is_aligned_and_not_null(dst, align) + && ub_checks::is_nonoverlapping(src, dst, size, count) ); // SAFETY: the safety contract for `copy_nonoverlapping` must be 
@@ -3083,7 +2958,7 @@ pub const unsafe fn copy(src: *const T, dst: *mut T, count: usize) { // SAFETY: the safety contract for `copy` must be upheld by the caller. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null \ and the specified memory ranges do not overlap", @@ -3092,8 +2967,8 @@ pub const unsafe fn copy(src: *const T, dst: *mut T, count: usize) { dst: *mut () = dst as *mut (), align: usize = align_of::(), ) => - is_aligned_and_not_null(src, align) - && is_aligned_and_not_null(dst, align) + ub_checks::is_aligned_and_not_null(src, align) + && ub_checks::is_aligned_and_not_null(dst, align) ); copy(src, dst, count) } @@ -3164,13 +3039,13 @@ pub const unsafe fn write_bytes(dst: *mut T, val: u8, count: usize) { // SAFETY: the safety contract for `write_bytes` must be upheld by the caller. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::write_bytes requires that the destination pointer is aligned and non-null", ( addr: *const () = dst as *const (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); write_bytes(dst, val, count) } diff --git a/library/core/src/lib.rs b/library/core/src/lib.rs index ded8f4ba84101..8f292bf155103 100644 --- a/library/core/src/lib.rs +++ b/library/core/src/lib.rs @@ -367,6 +367,7 @@ pub mod hint; pub mod intrinsics; pub mod mem; pub mod ptr; +mod ub_checks; /* Core language traits */ diff --git a/library/core/src/num/nonzero.rs b/library/core/src/num/nonzero.rs index a8f637280df67..c65ffbb98f2ff 100644 --- a/library/core/src/num/nonzero.rs +++ b/library/core/src/num/nonzero.rs 
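Review bot: The precondition message inside `ptr::copy` still reads `"ptr::copy_nonoverlapping requires that both pointer arguments are aligned and non-null and the specified memory ranges do not overlap"`, yet `copy` explicitly permits overlap and the check it guards only tests alignment and non-null, so when the abort fires it names the wrong function and a requirement that does not exist. That string is the only diagnostic a user gets from `panic_nounwind`, so it should be `"ptr::copy requires that both pointer arguments are aligned and non-null"`. The message line is context rather than changed here, so this is pre-existing, but moving the macro is a natural moment to correct it. The body of `copy` begins before this hunk.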
@@ -9,6 +9,7 @@ use crate::ops::{BitOr, BitOrAssign, Div, DivAssign, Neg, Rem, RemAssign}; use crate::panic::{RefUnwindSafe, UnwindSafe}; use crate::ptr; use crate::str::FromStr; +use crate::ub_checks; use super::from_str_radix; use super::{IntErrorKind, ParseIntError}; @@ -369,7 +370,7 @@ where None => { // SAFETY: The caller guarantees that `n` is non-zero, so this is unreachable. unsafe { - intrinsics::assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "NonZero::new_unchecked requires the argument to be non-zero", () => false, @@ -409,7 +410,7 @@ where None => { // SAFETY: The caller guarantees that `n` references a value that is non-zero, so this is unreachable. unsafe { - intrinsics::assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_library_ub, "NonZero::from_mut_unchecked requires the argument to dereference as non-zero", () => false, diff --git a/library/core/src/ops/index_range.rs b/library/core/src/ops/index_range.rs index b28d88fa5bfc2..65bda9177c7be 100644 --- a/library/core/src/ops/index_range.rs +++ b/library/core/src/ops/index_range.rs @@ -1,6 +1,7 @@ -use crate::intrinsics::{assert_unsafe_precondition, unchecked_add, unchecked_sub}; +use crate::intrinsics::{unchecked_add, unchecked_sub}; use crate::iter::{FusedIterator, TrustedLen}; use crate::num::NonZero; +use crate::ub_checks; /// Like a `Range`, but with a safety invariant that `start <= end`. /// @@ -19,7 +20,7 @@ impl IndexRange { /// - `start <= end` #[inline] pub const unsafe fn new_unchecked(start: usize, end: usize) -> Self { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_library_ub, "IndexRange::new_unchecked requires `start <= end`", (start: usize = start, end: usize = end) => start <= end, diff --git a/library/core/src/ptr/alignment.rs b/library/core/src/ptr/alignment.rs index 8f44b7eb7c28d..bc84fb5ccb0d7 100644 --- a/library/core/src/ptr/alignment.rs +++ b/library/core/src/ptr/alignment.rs 
@@ -1,7 +1,7 @@ use crate::convert::{TryFrom, TryInto}; -#[cfg(debug_assertions)] -use crate::intrinsics::assert_unsafe_precondition; use crate::num::NonZero; +#[cfg(debug_assertions)] +use crate::ub_checks::assert_unsafe_precondition; use crate::{cmp, fmt, hash, mem, num}; /// A type storing a `usize` which is a power of two, and thus diff --git a/library/core/src/ptr/const_ptr.rs b/library/core/src/ptr/const_ptr.rs index 69c61602073ac..a6c00ff28d427 100644 --- a/library/core/src/ptr/const_ptr.rs +++ b/library/core/src/ptr/const_ptr.rs @@ -818,7 +818,7 @@ impl *const T { intrinsics::const_eval_select((this, origin), comptime, runtime) } - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::sub_ptr requires `self >= origin`", ( diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs index 0662dfe9a15f8..56378b437e7ee 100644 --- a/library/core/src/ptr/mod.rs +++ b/library/core/src/ptr/mod.rs @@ -388,10 +388,9 @@ use crate::cmp::Ordering; use crate::fmt; use crate::hash; -use crate::intrinsics::{ - self, assert_unsafe_precondition, is_aligned_and_not_null, is_nonoverlapping, -}; +use crate::intrinsics; use crate::marker::FnPtr; +use crate::ub_checks; use crate::mem::{self, align_of, size_of, MaybeUninit}; @@ -1019,7 +1018,7 @@ pub const unsafe fn swap_nonoverlapping(x: *mut T, y: *mut T, count: usize) { }; } - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::swap_nonoverlapping requires that both pointer arguments are aligned and non-null \ and the specified memory ranges do not overlap", 
@@ -1030,9 +1029,9 @@ pub const unsafe fn swap_nonoverlapping(x: *mut T, y: *mut T, count: usize) { align: usize = align_of::(), count: usize = count, ) => - is_aligned_and_not_null(x, align) - && is_aligned_and_not_null(y, align) - && is_nonoverlapping(x, y, size, count) + ub_checks::is_aligned_and_not_null(x, align) + && ub_checks::is_aligned_and_not_null(y, align) + && ub_checks::is_nonoverlapping(x, y, size, count) ); // Split up the slice into small power-of-two-sized chunks that LLVM is able @@ -1135,13 +1134,13 @@ pub const unsafe fn replace(dst: *mut T, src: T) -> T { // and cannot overlap `src` since `dst` must point to a distinct // allocated object. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::replace requires that the pointer argument is aligned and non-null", ( addr: *const () = dst as *const (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); mem::replace(&mut *dst, src) } @@ -1287,13 +1286,13 @@ pub const unsafe fn read(src: *const T) -> T { // SAFETY: the caller must guarantee that `src` is valid for reads. unsafe { #[cfg(debug_assertions)] // Too expensive to always enable (for now?) - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::read requires that the pointer argument is aligned and non-null", ( addr: *const () = src as *const (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); crate::intrinsics::read_via_copy(src) } 
@@ -1496,13 +1495,13 @@ pub const unsafe fn write(dst: *mut T, src: T) { // to `dst` while `src` is owned by this function. unsafe { #[cfg(debug_assertions)] // Too expensive to always enable (for now?) - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::write requires that the pointer argument is aligned and non-null", ( addr: *mut () = dst as *mut (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); intrinsics::write_via_move(dst, src) } @@ -1668,13 +1667,13 @@ pub const unsafe fn write_unaligned(dst: *mut T, src: T) { pub unsafe fn read_volatile(src: *const T) -> T { // SAFETY: the caller must uphold the safety contract for `volatile_load`. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::read_volatile requires that the pointer argument is aligned and non-null", ( addr: *const () = src as *const (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); intrinsics::volatile_load(src) } @@ -1747,13 +1746,13 @@ pub unsafe fn read_volatile(src: *const T) -> T { pub unsafe fn write_volatile(dst: *mut T, src: T) { // SAFETY: the caller must uphold the safety contract for `volatile_store`. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "ptr::write_volatile requires that the pointer argument is aligned and non-null", ( addr: *mut () = dst as *mut (), align: usize = align_of::(), - ) => is_aligned_and_not_null(addr, align) + ) => ub_checks::is_aligned_and_not_null(addr, align) ); intrinsics::volatile_store(dst, src); } diff --git a/library/core/src/ptr/non_null.rs b/library/core/src/ptr/non_null.rs index 2ac42e20d43b2..e9488917acc14 100644 --- a/library/core/src/ptr/non_null.rs +++ b/library/core/src/ptr/non_null.rs 
@@ -2,7 +2,6 @@ use crate::cmp::Ordering; use crate::fmt; use crate::hash; use crate::intrinsics; -use crate::intrinsics::assert_unsafe_precondition; use crate::marker::Unsize; use crate::mem::{MaybeUninit, SizedTypeProperties}; use crate::num::NonZero; @@ -10,6 +9,7 @@ use crate::ops::{CoerceUnsized, DispatchFromDyn}; use crate::ptr; use crate::ptr::Unique; use crate::slice::{self, SliceIndex}; +use crate::ub_checks::assert_unsafe_precondition; /// `*mut T` but non-zero and [covariant]. /// diff --git a/library/core/src/slice/index.rs b/library/core/src/slice/index.rs index 210118817ab06..127a407dae5d4 100644 --- a/library/core/src/slice/index.rs +++ b/library/core/src/slice/index.rs @@ -1,10 +1,10 @@ //! Indexing implementations for `[T]`. -use crate::intrinsics::assert_unsafe_precondition; use crate::intrinsics::const_eval_select; use crate::intrinsics::unchecked_sub; use crate::ops; use crate::ptr; +use crate::ub_checks::assert_unsafe_precondition; #[stable(feature = "rust1", since = "1.0.0")] impl ops::Index for [T] diff --git a/library/core/src/slice/mod.rs b/library/core/src/slice/mod.rs index 4a574bf034745..92080c5020ad8 100644 --- a/library/core/src/slice/mod.rs +++ b/library/core/src/slice/mod.rs @@ -9,7 +9,6 @@ use crate::cmp::Ordering::{self, Equal, Greater, Less}; use crate::fmt; use crate::hint; -use crate::intrinsics::assert_unsafe_precondition; use crate::intrinsics::exact_div; use crate::mem::{self, SizedTypeProperties}; use crate::num::NonZero; @@ -17,6 +16,7 @@ use crate::ops::{Bound, OneSidedRange, Range, RangeBounds}; use crate::ptr; use crate::simd::{self, Simd}; use crate::slice; +use crate::ub_checks::assert_unsafe_precondition; #[unstable( feature = "slice_internals", diff --git a/library/core/src/slice/raw.rs b/library/core/src/slice/raw.rs index 2199614ce27e4..29a12f106c5ed 100644 --- a/library/core/src/slice/raw.rs +++ b/library/core/src/slice/raw.rs 
@@ -1,12 +1,10 @@ //! Free functions to create `&[T]` and `&mut [T]`. use crate::array; -use crate::intrinsics::{ - assert_unsafe_precondition, is_aligned_and_not_null, is_valid_allocation_size, -}; use crate::mem::{align_of, size_of}; use crate::ops::Range; use crate::ptr; +use crate::ub_checks; /// Forms a slice from a pointer and a length. /// @@ -95,7 +93,7 @@ use crate::ptr; pub const unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] { // SAFETY: the caller must uphold the safety contract for `from_raw_parts`. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`", ( @@ -104,8 +102,8 @@ pub const unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] align: usize = align_of::(), len: usize = len, ) => - is_aligned_and_not_null(data, align) - && is_valid_allocation_size(size, len) + ub_checks::is_aligned_and_not_null(data, align) + && ub_checks::is_valid_allocation_size(size, len) ); &*ptr::slice_from_raw_parts(data, len) } @@ -149,7 +147,7 @@ pub const unsafe fn from_raw_parts<'a, T>(data: *const T, len: usize) -> &'a [T] pub const unsafe fn from_raw_parts_mut<'a, T>(data: *mut T, len: usize) -> &'a mut [T] { // SAFETY: the caller must uphold the safety contract for `from_raw_parts_mut`. unsafe { - assert_unsafe_precondition!( + ub_checks::assert_unsafe_precondition!( check_language_ub, "slice::from_raw_parts_mut requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`", ( 
@@ -158,8 +156,8 @@ pub const unsafe fn from_raw_parts_mut<'a, T>(data: *mut T, len: usize) -> &'a m align: usize = align_of::(), len: usize = len, ) => - is_aligned_and_not_null(data, align) - && is_valid_allocation_size(size, len) + ub_checks::is_aligned_and_not_null(data, align) + && ub_checks::is_valid_allocation_size(size, len) ); &mut *ptr::slice_from_raw_parts_mut(data, len) } diff --git a/library/core/src/str/traits.rs b/library/core/src/str/traits.rs index ec81fd095d530..672af75214936 100644 --- a/library/core/src/str/traits.rs +++ b/library/core/src/str/traits.rs @@ -1,10 +1,10 @@ //! Trait implementations for `str`. use crate::cmp::Ordering; -use crate::intrinsics::assert_unsafe_precondition; use crate::ops; use crate::ptr; use crate::slice::SliceIndex; +use crate::ub_checks::assert_unsafe_precondition; use super::ParseBoolError; diff --git a/library/core/src/ub_checks.rs b/library/core/src/ub_checks.rs new file mode 100644 index 0000000000000..2c5b4699806b3 --- /dev/null +++ b/library/core/src/ub_checks.rs 
@@ -0,0 +1,131 @@
+//! Provides the [`assert_unsafe_precondition`] macro as well as some utility functions that cover
+//! common preconditions.
+
+use crate::intrinsics::const_eval_select;
+
+/// Check that the preconditions of an unsafe function are followed. The check is enabled at
+/// runtime if debug assertions are enabled when the caller is monomorphized. In const-eval/Miri
+/// checks implemented with this macro for language UB are always ignored.
+///
+/// This macro should be called as
+/// `assert_unsafe_precondition!(check_{library,lang}_ub, "message", (ident: type = expr, ident: type = expr) => check_expr)`
+/// where each `expr` will be evaluated and passed in as function argument `ident: type`. Then all
+/// those arguments are passed to a function with the body `check_expr`.
+/// Pick `check_language_ub` when this is guarding a violation of language UB, i.e., immediate UB
+/// according to the Rust Abstract Machine. Pick `check_library_ub` when this is guarding a violation
+/// of a documented library precondition that does not *immediately* lead to language UB.
+///
+/// If `check_library_ub` is used but the check is actually guarding language UB, the check will
+/// slow down const-eval/Miri and we'll get the panic message instead of the interpreter's nice
+/// diagnostic, but our ability to detect UB is unchanged.
+/// But if `check_language_ub` is used when the check is actually for library UB, the check is
+/// omitted in const-eval/Miri and thus if we eventually execute language UB which relies on the
+/// library UB, the backtrace Miri reports may be far removed from original cause.
+///
+/// These checks are behind a condition which is evaluated at codegen time, not expansion time like
+/// [`debug_assert`]. This means that a standard library built with optimizations and debug
+/// assertions disabled will have these checks optimized out of its monomorphizations, but if a
+/// caller of the standard library has debug assertions enabled and monomorphizes an expansion of
+/// this macro, that monomorphization will contain the check.
+///
+/// Since these checks cannot be optimized out in MIR, some care must be taken in both call and
+/// implementation to mitigate their compile-time overhead. Calls to this macro always expand to
+/// this structure:
+/// ```ignore (pseudocode)
+/// if ::core::intrinsics::check_language_ub() {
+/// precondition_check(args)
+/// }
+/// ```
+/// where `precondition_check` is monomorphic with the attributes `#[rustc_nounwind]`, `#[inline]` and
+/// `#[rustc_no_mir_inline]`. This combination of attributes ensures that the actual check logic is
+/// compiled only once and generates a minimal amount of IR because the check cannot be inlined in
+/// MIR, but *can* be inlined and fully optimized by a codegen backend.
+///
+/// Callers should avoid introducing any other `let` bindings or any code outside this macro in
+/// order to call it. Since the precompiled standard library is built with full debuginfo and these
+/// variables cannot be optimized out in MIR, an innocent-looking `let` can produce enough
+/// debuginfo to have a measurable compile-time impact on debug builds.
+#[allow_internal_unstable(ub_checks)] // permit this to be called in stably-const fn
+macro_rules! assert_unsafe_precondition {
+ ($kind:ident, $message:expr, ($($name:ident:$ty:ty = $arg:expr),*$(,)?) => $e:expr $(,)?) => {
+ {
+ // This check is inlineable, but not by the MIR inliner.
+ // The reason for this is that the MIR inliner is in an exceptionally bad position
+ // to think about whether or not to inline this. In MIR, this call is gated behind `debug_assertions`,
+ // which will codegen to `false` in release builds. Inlining the check would be wasted work in that case and
+ // would be bad for compile times.
+ //
+ // LLVM on the other hand sees the constant branch, so if it's `false`, it can immediately delete it without
+ // inlining the check. If it's `true`, it can inline it and get significantly better performance.
+ #[rustc_no_mir_inline]
+ #[inline]
+ #[rustc_nounwind]
+ #[rustc_const_unstable(feature = "ub_checks", issue = "none")]
+ const fn precondition_check($($name:$ty),*) {
+ if !$e {
+ ::core::panicking::panic_nounwind(
+ concat!("unsafe precondition(s) violated: ", $message)
+ );
+ }
+ }
+
+ if ::core::intrinsics::$kind() {
+ precondition_check($($arg,)*);
+ }
+ }
+ };
+}
+pub(crate) use assert_unsafe_precondition;
+
+/// Checks whether `ptr` is properly aligned with respect to
+/// `align_of::()`.
+///
+/// In `const` this is approximate and can fail spuriously. It is primarily intended
+/// for `assert_unsafe_precondition!` with `check_language_ub`, in which case the
+/// check is anyway not executed in `const`.
+#[inline]
+pub(crate) const fn is_aligned_and_not_null(ptr: *const (), align: usize) -> bool {
+ !ptr.is_null() && ptr.is_aligned_to(align)
+}
+
+#[inline]
+pub(crate) const fn is_valid_allocation_size(size: usize, len: usize) -> bool {
+ let max_len = if size == 0 { usize::MAX } else { isize::MAX as usize / size };
+ len <= max_len
+}
+
+/// Checks whether the regions of memory starting at `src` and `dst` of size
+/// `count * size` do *not* overlap.
+///
+/// Note that in const-eval this function just returns `true` and therefore must
+/// only be used with `assert_unsafe_precondition!`, similar to `is_aligned_and_not_null`.
+#[inline]
+pub(crate) const fn is_nonoverlapping(
+ src: *const (),
+ dst: *const (),
+ size: usize,
+ count: usize,
+) -> bool {
+ #[inline]
+ fn runtime(src: *const (), dst: *const (), size: usize, count: usize) -> bool {
+ let src_usize = src.addr();
+ let dst_usize = dst.addr();
+ let Some(size) = size.checked_mul(count) else {
+ crate::panicking::panic_nounwind(
+ "is_nonoverlapping: `size_of::() * count` overflows a usize",
+ )
+ };
+ let diff = src_usize.abs_diff(dst_usize);
+ // If the absolute distance between the ptrs is at least as big as the size of the buffer,
+ // they do not overlap.
+ diff >= size
+ }
+
+ #[inline]
+ const fn comptime(_: *const (), _: *const (), _: usize, _: usize) -> bool {
+ true
+ }
+
+ // This is just for safety checks so we can const_eval_select.
+ const_eval_select((src, dst, size, count), comptime, runtime)
+}
diff --git a/src/tools/clippy/clippy_utils/src/qualify_min_const_fn.rs b/src/tools/clippy/clippy_utils/src/qualify_min_const_fn.rs
index dadb0d662ce8f..cabebf89becc8 100644
--- a/src/tools/clippy/clippy_utils/src/qualify_min_const_fn.rs
+++ b/src/tools/clippy/clippy_utils/src/qualify_min_const_fn.rs
@@ -174,7 +174,7 @@ fn check_rvalue<'tcx>(
 ))
 }
 },
- Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(_) | NullOp::UbCheck(_), _)
+ Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(_) | NullOp::UbChecks, _)
 | Rvalue::ShallowInitBox(_, _) => Ok(()),
 Rvalue::UnaryOp(_, operand) => {
 let ty = operand.ty(body, tcx);
From 61775304200826b412f18fc87218161fb8a0dc5c Mon Sep 17 00:00:00 2001
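Review bot: `is_valid_allocation_size` is the only helper in the new `ub_checks.rs` with no doc comment, and its contract is the one callers most easily get wrong, since it is what keeps `slice::from_raw_parts` from producing a slice whose byte length exceeds `isize::MAX`. From the body, it accepts `len` elements of `size` bytes exactly when `size * len <= isize::MAX`, computed as a division so it cannot itself overflow, and treats a zero-sized element as always valid; I would add `/// Checks whether `len` elements of `size` bytes each occupy at most `isize::MAX` bytes in total` followed by `/// (computed by division so this never overflows); zero-sized elements never exceed the limit.` Note also that `is_nonoverlapping`'s `runtime` aborts with its own `panic_nounwind` message when `size * count` overflows `usize` rather than returning `false`, so the caller's `$message` is not what the user sees in that case; a one-line comment above the `let Some(size) = …` line saying so would save the next reader from wondering whether that was intended.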
From: Ralf Jung Date: Sun, 17 Mar 2024 10:29:02 +0100 Subject: [PATCH 2/2] refactor check_{lang,library}_ub: use a single intrinsic, put policy into library --- compiler/rustc_borrowck/src/type_check/mod.rs | 2 +- compiler/rustc_codegen_ssa/src/mir/rvalue.rs | 3 +- .../rustc_const_eval/src/interpret/step.rs | 12 +---- .../src/transform/check_consts/check.rs | 2 +- .../src/transform/validate.rs | 2 +- .../rustc_hir_analysis/src/check/intrinsic.rs | 5 +-- compiler/rustc_middle/src/mir/mod.rs | 2 +- compiler/rustc_middle/src/mir/pretty.rs | 2 +- compiler/rustc_middle/src/mir/syntax.rs | 13 ++---- compiler/rustc_middle/src/mir/tcx.rs | 2 +- .../src/move_paths/builder.rs | 2 +- compiler/rustc_mir_transform/src/gvn.rs | 2 +- .../src/known_panics_lint.rs | 2 +- .../src/lower_intrinsics.rs | 21 +-------- .../rustc_mir_transform/src/promote_consts.rs | 2 +- .../rustc_smir/src/rustc_smir/convert/mir.rs | 8 +--- compiler/rustc_span/src/symbol.rs | 3 +- compiler/stable_mir/src/mir/body.rs | 10 +---- library/core/src/intrinsics.rs | 44 ++++++------------- library/core/src/lib.rs | 1 + library/core/src/ub_checks.rs | 35 +++++++++++++-- ...n.DataflowConstProp.32bit.panic-abort.diff | 6 ++- ....DataflowConstProp.32bit.panic-unwind.diff | 6 ++- ...n.DataflowConstProp.64bit.panic-abort.diff | 6 ++- ....DataflowConstProp.64bit.panic-unwind.diff | 6 ++- ...oxed_slice.main.GVN.32bit.panic-abort.diff | 6 ++- ...xed_slice.main.GVN.32bit.panic-unwind.diff | 6 ++- ...oxed_slice.main.GVN.64bit.panic-abort.diff | 6 ++- ...xed_slice.main.GVN.64bit.panic-unwind.diff | 6 ++- ...d.unwrap_unchecked.Inline.panic-abort.diff | 6 ++- ....unwrap_unchecked.Inline.panic-unwind.diff | 6 ++- ...unchecked.PreCodegen.after.panic-abort.mir | 6 ++- ...nchecked.PreCodegen.after.panic-unwind.mir | 6 ++- ...witch_targets.ub_if_b.PreCodegen.after.mir | 6 ++- 34 files changed, 134 insertions(+), 119 deletions(-) 
diff --git a/compiler/rustc_borrowck/src/type_check/mod.rs b/compiler/rustc_borrowck/src/type_check/mod.rs index 700b5e13dec90..a206aac0467f4 100644 --- a/compiler/rustc_borrowck/src/type_check/mod.rs +++ b/compiler/rustc_borrowck/src/type_check/mod.rs @@ -2000,7 +2000,7 @@ impl<'a, 'tcx> TypeChecker<'a, 'tcx> { ConstraintCategory::SizedBound, ); } - &Rvalue::NullaryOp(NullOp::UbCheck(_), _) => {} + &Rvalue::NullaryOp(NullOp::UbChecks, _) => {} Rvalue::ShallowInitBox(operand, ty) => { self.check_operand(operand, location); diff --git a/compiler/rustc_codegen_ssa/src/mir/rvalue.rs b/compiler/rustc_codegen_ssa/src/mir/rvalue.rs index 15f2e0e56d86d..0e8c4abf21264 100644 --- a/compiler/rustc_codegen_ssa/src/mir/rvalue.rs +++ b/compiler/rustc_codegen_ssa/src/mir/rvalue.rs @@ -680,8 +680,7 @@ impl<'a, 'tcx, Bx: BuilderMethods<'a, 'tcx>> FunctionCx<'a, 'tcx, Bx> { let val = layout.offset_of_subfield(bx.cx(), fields.iter()).bytes(); bx.cx().const_usize(val) } - mir::NullOp::UbCheck(_) => { - // In codegen, we want to check for language UB and library UB + mir::NullOp::UbChecks => { let val = bx.tcx().sess.opts.debug_assertions; bx.cx().const_bool(val) } diff --git a/compiler/rustc_const_eval/src/interpret/step.rs b/compiler/rustc_const_eval/src/interpret/step.rs index 54bac70da3881..9114ffff6fde9 100644 --- a/compiler/rustc_const_eval/src/interpret/step.rs +++ b/compiler/rustc_const_eval/src/interpret/step.rs 
@@ -258,17 +258,7 @@ impl<'mir, 'tcx: 'mir, M: Machine<'mir, 'tcx>> InterpCx<'mir, 'tcx, M> { let val = layout.offset_of_subfield(self, fields.iter()).bytes(); Scalar::from_target_usize(val, self) } - mir::NullOp::UbCheck(kind) => { - // We want to enable checks for library UB, because the interpreter doesn't - // know about those on its own. - // But we want to disable checks for language UB, because the interpreter - // has its own better checks for that. - let should_check = match kind { - mir::UbKind::LibraryUb => self.tcx.sess.opts.debug_assertions, - mir::UbKind::LanguageUb => false, - }; - Scalar::from_bool(should_check) - } + mir::NullOp::UbChecks => Scalar::from_bool(self.tcx.sess.opts.debug_assertions), }; self.write_scalar(val, &dest)?; } diff --git a/compiler/rustc_const_eval/src/transform/check_consts/check.rs b/compiler/rustc_const_eval/src/transform/check_consts/check.rs index a93e8138aa412..da8e28d02982e 100644 --- a/compiler/rustc_const_eval/src/transform/check_consts/check.rs +++ b/compiler/rustc_const_eval/src/transform/check_consts/check.rs @@ -558,7 +558,7 @@ impl<'tcx> Visitor<'tcx> for Checker<'_, 'tcx> { Rvalue::Cast(_, _, _) => {} Rvalue::NullaryOp( - NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(_) | NullOp::UbCheck(_), + NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(_) | NullOp::UbChecks, _, ) => {} Rvalue::ShallowInitBox(_, _) => {} diff --git a/compiler/rustc_const_eval/src/transform/validate.rs b/compiler/rustc_const_eval/src/transform/validate.rs index 4bc49f906070d..c8eeaa4a45e32 100644 --- a/compiler/rustc_const_eval/src/transform/validate.rs +++ b/compiler/rustc_const_eval/src/transform/validate.rs 
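Review bot: The interpreter arm now returns `debug_assertions` unconditionally, and the removed comment was the only text at this site explaining why const-eval/Miri used to differ from codegen; nothing here points to where that decision moved. Since the split between library UB and language UB is now made in the library (the `check_library_ub`/`check_language_ub` pair in `core::ub_checks`), a one-line pointer would stop the next reader from re-adding interpreter-side special-casing: `// Which kinds of UB get checked is decided in the library (core::ub_checks); the interpreter only reports whether UB checks are enabled at all.`. The enclosing `match` and method continue outside the hunk.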
@@ -1168,7 +1168,7 @@ impl<'a, 'tcx> Visitor<'tcx> for TypeChecker<'a, 'tcx> { Rvalue::Repeat(_, _) | Rvalue::ThreadLocalRef(_) | Rvalue::AddressOf(_, _) - | Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::UbCheck(_), _) + | Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::UbChecks, _) | Rvalue::Discriminant(_) => {} } self.super_rvalue(rvalue, location); diff --git a/compiler/rustc_hir_analysis/src/check/intrinsic.rs b/compiler/rustc_hir_analysis/src/check/intrinsic.rs index 1d5d4a3205ce8..f482ae4f5fa07 100644 --- a/compiler/rustc_hir_analysis/src/check/intrinsic.rs +++ b/compiler/rustc_hir_analysis/src/check/intrinsic.rs @@ -127,8 +127,7 @@ pub fn intrinsic_operation_unsafety(tcx: TyCtxt<'_>, intrinsic_id: LocalDefId) - | sym::variant_count | sym::is_val_statically_known | sym::ptr_mask - | sym::check_language_ub - | sym::check_library_ub + | sym::ub_checks | sym::fadd_algebraic | sym::fsub_algebraic | sym::fmul_algebraic @@ -571,7 +570,7 @@ pub fn check_intrinsic_type( (0, 0, vec![Ty::new_imm_ptr(tcx, Ty::new_unit(tcx))], tcx.types.usize) } - sym::check_language_ub | sym::check_library_ub => (0, 1, Vec::new(), tcx.types.bool), + sym::ub_checks => (0, 1, Vec::new(), tcx.types.bool), sym::simd_eq | sym::simd_ne diff --git a/compiler/rustc_middle/src/mir/mod.rs b/compiler/rustc_middle/src/mir/mod.rs index 48edbde68e507..e4dce2bdc9e80 100644 --- a/compiler/rustc_middle/src/mir/mod.rs +++ b/compiler/rustc_middle/src/mir/mod.rs @@ -796,7 +796,7 @@ impl<'tcx> Body<'tcx> { } match rvalue { - Rvalue::NullaryOp(NullOp::UbCheck(_), _) => { + Rvalue::NullaryOp(NullOp::UbChecks, _) => { Some((tcx.sess.opts.debug_assertions as u128, targets)) } Rvalue::Use(Operand::Constant(constant)) => { diff --git a/compiler/rustc_middle/src/mir/pretty.rs b/compiler/rustc_middle/src/mir/pretty.rs index 94751c4476157..fbee4a9366fb3 100644 --- a/compiler/rustc_middle/src/mir/pretty.rs +++ b/compiler/rustc_middle/src/mir/pretty.rs 
@@ -944,7 +944,7 @@ impl<'tcx> Debug for Rvalue<'tcx> { NullOp::SizeOf => write!(fmt, "SizeOf({t})"), NullOp::AlignOf => write!(fmt, "AlignOf({t})"), NullOp::OffsetOf(fields) => write!(fmt, "OffsetOf({t}, {fields:?})"), - NullOp::UbCheck(kind) => write!(fmt, "UbCheck({kind:?})"), + NullOp::UbChecks => write!(fmt, "UbChecks()"), } } ThreadLocalRef(did) => ty::tls::with(|tcx| { diff --git a/compiler/rustc_middle/src/mir/syntax.rs b/compiler/rustc_middle/src/mir/syntax.rs index 752f5845afb2e..36b7a48b2a2b8 100644 --- a/compiler/rustc_middle/src/mir/syntax.rs +++ b/compiler/rustc_middle/src/mir/syntax.rs @@ -1367,16 +1367,9 @@ pub enum NullOp<'tcx> { AlignOf, /// Returns the offset of a field OffsetOf(&'tcx List<(VariantIdx, FieldIdx)>), - /// Returns whether we want to check for library UB or language UB at monomorphization time. - /// Both kinds of UB evaluate to `true` in codegen, and only library UB evalutes to `true` in - /// const-eval/Miri, because the interpreter has its own better checks for language UB. - UbCheck(UbKind), -} - -#[derive(Clone, Copy, Debug, PartialEq, Eq, TyEncodable, TyDecodable, Hash, HashStable)] -pub enum UbKind { - LanguageUb, - LibraryUb, + /// Returns whether we want to check for UB. + /// This returns the value of `cfg!(debug_assertions)` at monomorphization time. + UbChecks, } #[derive(Copy, Clone, Debug, PartialEq, Eq, PartialOrd, Ord, Hash)] diff --git a/compiler/rustc_middle/src/mir/tcx.rs b/compiler/rustc_middle/src/mir/tcx.rs index ac41b6c5732d1..56a0a62339700 100644 --- a/compiler/rustc_middle/src/mir/tcx.rs +++ b/compiler/rustc_middle/src/mir/tcx.rs 
@@ -194,7 +194,7 @@ impl<'tcx> Rvalue<'tcx> { Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(..), _) => { tcx.types.usize } - Rvalue::NullaryOp(NullOp::UbCheck(_), _) => tcx.types.bool, + Rvalue::NullaryOp(NullOp::UbChecks, _) => tcx.types.bool, Rvalue::Aggregate(ref ak, ref ops) => match **ak { AggregateKind::Array(ty) => Ty::new_array(tcx, ty, ops.len() as u64), AggregateKind::Tuple => { diff --git a/compiler/rustc_mir_dataflow/src/move_paths/builder.rs b/compiler/rustc_mir_dataflow/src/move_paths/builder.rs index 3ca0eb4acd43e..e73d945e0bb7b 100644 --- a/compiler/rustc_mir_dataflow/src/move_paths/builder.rs +++ b/compiler/rustc_mir_dataflow/src/move_paths/builder.rs @@ -433,7 +433,7 @@ impl<'b, 'a, 'tcx, F: Fn(Ty<'tcx>) -> bool> Gatherer<'b, 'a, 'tcx, F> { | Rvalue::Discriminant(..) | Rvalue::Len(..) | Rvalue::NullaryOp( - NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(..) | NullOp::UbCheck(_), + NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(..) | NullOp::UbChecks, _, ) => {} } diff --git a/compiler/rustc_mir_transform/src/gvn.rs b/compiler/rustc_mir_transform/src/gvn.rs index fdc81c0a99eee..59d6d89cf1fec 100644 --- a/compiler/rustc_mir_transform/src/gvn.rs +++ b/compiler/rustc_mir_transform/src/gvn.rs @@ -487,7 +487,7 @@ impl<'body, 'tcx> VnState<'body, 'tcx> { NullOp::OffsetOf(fields) => { layout.offset_of_subfield(&self.ecx, fields.iter()).bytes() } - NullOp::UbCheck(_) => return None, + NullOp::UbChecks => return None, }; let usize_layout = self.ecx.layout_of(self.tcx.types.usize).unwrap(); let imm = ImmTy::try_from_uint(val, usize_layout)?; diff --git a/compiler/rustc_mir_transform/src/known_panics_lint.rs b/compiler/rustc_mir_transform/src/known_panics_lint.rs index 6b13725b386a1..a20958e74dffe 100644 --- a/compiler/rustc_mir_transform/src/known_panics_lint.rs +++ b/compiler/rustc_mir_transform/src/known_panics_lint.rs 
@@ -639,7 +639,7 @@ impl<'mir, 'tcx> ConstPropagator<'mir, 'tcx> { NullOp::OffsetOf(fields) => { op_layout.offset_of_subfield(self, fields.iter()).bytes() } - NullOp::UbCheck(_) => return None, + NullOp::UbChecks => return None, }; ImmTy::from_scalar(Scalar::from_target_usize(val, self), layout).into() } diff --git a/compiler/rustc_mir_transform/src/lower_intrinsics.rs b/compiler/rustc_mir_transform/src/lower_intrinsics.rs index 1bab240ef50f2..7d4c1b9c21a62 100644 --- a/compiler/rustc_mir_transform/src/lower_intrinsics.rs +++ b/compiler/rustc_mir_transform/src/lower_intrinsics.rs @@ -20,30 +20,13 @@ impl<'tcx> MirPass<'tcx> for LowerIntrinsics { sym::unreachable => { terminator.kind = TerminatorKind::Unreachable; } - sym::check_language_ub => { + sym::ub_checks => { let target = target.unwrap(); block.statements.push(Statement { source_info: terminator.source_info, kind: StatementKind::Assign(Box::new(( *destination, - Rvalue::NullaryOp( - NullOp::UbCheck(UbKind::LanguageUb), - tcx.types.bool, - ), - ))), - }); - terminator.kind = TerminatorKind::Goto { target }; - } - sym::check_library_ub => { - let target = target.unwrap(); - block.statements.push(Statement { - source_info: terminator.source_info, - kind: StatementKind::Assign(Box::new(( - *destination, - Rvalue::NullaryOp( - NullOp::UbCheck(UbKind::LibraryUb), - tcx.types.bool, - ), + Rvalue::NullaryOp(NullOp::UbChecks, tcx.types.bool), ))), }); terminator.kind = TerminatorKind::Goto { target }; diff --git a/compiler/rustc_mir_transform/src/promote_consts.rs b/compiler/rustc_mir_transform/src/promote_consts.rs index 202ea57198561..2951897ebd697 100644 --- a/compiler/rustc_mir_transform/src/promote_consts.rs +++ b/compiler/rustc_mir_transform/src/promote_consts.rs @@ -446,7 +446,7 @@ impl<'tcx> Validator<'_, 'tcx> { NullOp::SizeOf => {} NullOp::AlignOf => {} NullOp::OffsetOf(_) => {} - NullOp::UbCheck(_) => {} + NullOp::UbChecks => {} }, Rvalue::ShallowInitBox(_, _) => return Err(Unpromotable), 
diff --git a/compiler/rustc_smir/src/rustc_smir/convert/mir.rs b/compiler/rustc_smir/src/rustc_smir/convert/mir.rs index c0876adf90509..b6a722da602e0 100644 --- a/compiler/rustc_smir/src/rustc_smir/convert/mir.rs +++ b/compiler/rustc_smir/src/rustc_smir/convert/mir.rs @@ -251,19 +251,13 @@ impl<'tcx> Stable<'tcx> for mir::NullOp<'tcx> { type T = stable_mir::mir::NullOp; fn stable(&self, tables: &mut Tables<'_>) -> Self::T { use rustc_middle::mir::NullOp::*; - use rustc_middle::mir::UbKind; match self { SizeOf => stable_mir::mir::NullOp::SizeOf, AlignOf => stable_mir::mir::NullOp::AlignOf, OffsetOf(indices) => stable_mir::mir::NullOp::OffsetOf( indices.iter().map(|idx| idx.stable(tables)).collect(), ), - UbCheck(UbKind::LanguageUb) => { - stable_mir::mir::NullOp::UbCheck(stable_mir::mir::UbKind::LanguageUb) - } - UbCheck(UbKind::LibraryUb) => { - stable_mir::mir::NullOp::UbCheck(stable_mir::mir::UbKind::LibraryUb) - } + UbChecks => stable_mir::mir::NullOp::UbChecks, } } } diff --git a/compiler/rustc_span/src/symbol.rs b/compiler/rustc_span/src/symbol.rs index cae860cf2f70f..73fcd2a76dfc0 100644 --- a/compiler/rustc_span/src/symbol.rs +++ b/compiler/rustc_span/src/symbol.rs @@ -518,8 +518,6 @@ symbols! { cfi, cfi_encoding, char, - check_language_ub, - check_library_ub, client, clippy, clobber_abi, @@ -1867,6 +1865,7 @@ symbols! { u8_legacy_fn_max_value, u8_legacy_fn_min_value, u8_legacy_mod, + ub_checks, unaligned_volatile_load, unaligned_volatile_store, unboxed_closures, diff --git a/compiler/stable_mir/src/mir/body.rs b/compiler/stable_mir/src/mir/body.rs index e4a012d8c4774..7c536a3e91402 100644 --- a/compiler/stable_mir/src/mir/body.rs +++ b/compiler/stable_mir/src/mir/body.rs 
@@ -621,7 +621,7 @@ impl Rvalue { Rvalue::NullaryOp(NullOp::SizeOf | NullOp::AlignOf | NullOp::OffsetOf(..), _) => { Ok(Ty::usize_ty()) } - Rvalue::NullaryOp(NullOp::UbCheck(_), _) => Ok(Ty::bool_ty()), + Rvalue::NullaryOp(NullOp::UbChecks, _) => Ok(Ty::bool_ty()), Rvalue::Aggregate(ak, ops) => match *ak { AggregateKind::Array(ty) => Ty::try_new_array(ty, ops.len() as u64), AggregateKind::Tuple => Ok(Ty::new_tuple( @@ -989,13 +989,7 @@ pub enum NullOp { /// Returns the offset of a field. OffsetOf(Vec<(VariantIdx, FieldIdx)>), /// cfg!(debug_assertions), but at codegen time - UbCheck(UbKind), -} - -#[derive(Clone, Debug, Eq, PartialEq)] -pub enum UbKind { - LanguageUb, - LibraryUb, + UbChecks, } impl Operand { diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs index af83a8d8fa4d3..76e387d54d8a7 100644 --- a/library/core/src/intrinsics.rs +++ b/library/core/src/intrinsics.rs 
@@ -2661,38 +2661,22 @@ pub const unsafe fn typed_swap(x: *mut T, y: *mut T) { unsafe { ptr::swap_nonoverlapping(x, y, 1) }; } -/// Returns whether we should check for library UB. This evaluate to the value of `cfg!(debug_assertions)` -/// during monomorphization. -/// -/// This intrinsic is evaluated after monomorphization, and therefore branching on this value can -/// be used to implement debug assertions that are included in the precompiled standard library, -/// but can be optimized out by builds that monomorphize the standard library code with debug -/// assertions disabled. This intrinsic is primarily used by [`assert_unsafe_precondition`]. -/// -/// We have separate intrinsics for library UB and language UB because checkers like the const-eval -/// interpreter and Miri already implement checks for language UB. Since such checkers do not know -/// about library preconditions, checks guarded by this intrinsic let them find more UB. -#[rustc_const_unstable(feature = "ub_checks", issue = "none")] +/// Returns whether we should perform some UB-checking at runtime. This evaluate to the value of +/// `cfg!(debug_assertions)` during monomorphization. +/// +/// This intrinsic is evaluated after monomorphization, which is relevant when mixing crates +/// compiled with and without debug_assertions. The common case here is a user program built with +/// debug_assertions linked against the distributed sysroot which is built without debug_assertions. +/// For code that gets monomorphized in the user crate (i.e., generic functions and functions with +/// `#[inline]`), gating assertions on `ub_checks()` rather than `cfg!(debug_assertions)` means that +/// assertions are enabled whenever the *user crate* has debug assertions enabled. However if the +/// user has debug assertions disabled, the checks will still get optimized out. This intrinsic is +/// primarily used by [`ub_checks::assert_unsafe_precondition`]. 
+#[rustc_const_unstable(feature = "const_ub_checks", issue = "none")] #[unstable(feature = "core_intrinsics", issue = "none")] #[inline(always)] -#[rustc_intrinsic] -pub(crate) const fn check_library_ub() -> bool { - cfg!(debug_assertions) -} - -/// Returns whether we should check for language UB. This evaluate to the value of `cfg!(debug_assertions)` -/// during monomorphization. -/// -/// Since checks implemented at the source level must come strictly before the operation that -/// executes UB, if we enabled language UB checks in const-eval/Miri we would miss out on the -/// interpreter's improved diagnostics for the cases that our source-level checks catch. -/// -/// See `check_library_ub` for more information. -#[rustc_const_unstable(feature = "ub_checks", issue = "none")] -#[unstable(feature = "core_intrinsics", issue = "none")] -#[inline(always)] -#[rustc_intrinsic] -pub(crate) const fn check_language_ub() -> bool { +#[cfg_attr(not(bootstrap), rustc_intrinsic)] // just make it a regular fn in bootstrap +pub(crate) const fn ub_checks() -> bool { cfg!(debug_assertions) } diff --git a/library/core/src/lib.rs b/library/core/src/lib.rs index 8f292bf155103..0c95ecafc7cdc 100644 --- a/library/core/src/lib.rs +++ b/library/core/src/lib.rs @@ -171,6 +171,7 @@ #![feature(const_type_id)] #![feature(const_type_name)] #![feature(const_typed_swap)] +#![feature(const_ub_checks)] #![feature(const_unicode_case_lookup)] #![feature(const_unsafecell_get_mut)] #![feature(const_waker)] diff --git a/library/core/src/ub_checks.rs b/library/core/src/ub_checks.rs index 2c5b4699806b3..ff6b2d3053956 100644 --- a/library/core/src/ub_checks.rs +++ b/library/core/src/ub_checks.rs 
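Review bot: The bootstrap fallback appears to weaken the property the new doc comment promises: with `#[cfg_attr(not(bootstrap), rustc_intrinsic)]`, a bootstrap build compiles `ub_checks()` as a plain fn whose body `cfg!(debug_assertions)` is evaluated when core itself is compiled, not at monomorphization, so "enabled whenever the *user crate* has debug assertions enabled" does not hold there. The trailing comment `// just make it a regular fn in bootstrap` should say so, e.g. `// In bootstrap this is a plain fn, so the value reflects core's own debug_assertions setting rather than the user crate's.`. The new doc text also has a small grammar slip: `This evaluate to the value of` should read `This evaluates to the value of`.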
@@ -1,7 +1,7 @@ //! Provides the [`assert_unsafe_precondition`] macro as well as some utility functions that cover //! common preconditions. -use crate::intrinsics::const_eval_select; +use crate::intrinsics::{self, const_eval_select}; /// Check that the preconditions of an unsafe function are followed. The check is enabled at /// runtime if debug assertions are enabled when the caller is monomorphized. In const-eval/Miri @@ -45,7 +45,7 @@ use crate::intrinsics::const_eval_select; /// order to call it. Since the precompiled standard library is built with full debuginfo and these /// variables cannot be optimized out in MIR, an innocent-looking `let` can produce enough /// debuginfo to have a measurable compile-time impact on debug builds. -#[allow_internal_unstable(ub_checks)] // permit this to be called in stably-const fn +#[allow_internal_unstable(const_ub_checks)] // permit this to be called in stably-const fn macro_rules! assert_unsafe_precondition { ($kind:ident, $message:expr, ($($name:ident:$ty:ty = $arg:expr),*$(,)?) => $e:expr $(,)?) => { { @@ -60,7 +60,7 @@ macro_rules! assert_unsafe_precondition { #[rustc_no_mir_inline] #[inline] #[rustc_nounwind] - #[rustc_const_unstable(feature = "ub_checks", issue = "none")] + #[rustc_const_unstable(feature = "const_ub_checks", issue = "none")] const fn precondition_check($($name:$ty),*) { if !$e { ::core::panicking::panic_nounwind( @@ -69,7 +69,7 @@ macro_rules! assert_unsafe_precondition { } } - if ::core::intrinsics::$kind() { + if ::core::ub_checks::$kind() { precondition_check($($arg,)*); } } 
@@ -77,6 +77,33 @@ macro_rules! assert_unsafe_precondition { } pub(crate) use assert_unsafe_precondition; +/// Checking library UB is always enabled when UB-checking is done +/// (and we use a reexport so that there is no unnecessary wrapper function). +pub(crate) use intrinsics::ub_checks as check_library_ub; + +/// Determines whether we should check for language UB. +/// +/// The intention is to not do that when running in the interpreter, as that one has its own +/// language UB checks which generally produce better errors. +#[rustc_const_unstable(feature = "const_ub_checks", issue = "none")] +#[inline] +pub(crate) const fn check_language_ub() -> bool { + #[inline] + fn runtime() -> bool { + // Disable UB checks in Miri. + !cfg!(miri) + } + + #[inline] + const fn comptime() -> bool { + // Always disable UB checks. + false + } + + // Only used for UB checks so we may const_eval_select. + intrinsics::ub_checks() && const_eval_select((), comptime, runtime) +} + /// Checks whether `ptr` is properly aligned with respect to /// `align_of::()`. /// diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-abort.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-abort.diff index a958e5541fadb..21cf745b680ae 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-abort.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-abort.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -60,7 +64,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb4, otherwise: bb2]; } 
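Review bot: `check_language_ub` uses two different mechanisms to keep language-UB checks off under an interpreter, and the comments only half explain it: `comptime()` returning `false` covers const-eval, while Miri — which presumably executes the `runtime` arm of `const_eval_select` rather than `comptime` — is handled separately by `!cfg!(miri)` in `runtime()`. That split is easy to "simplify" away later; suggest replacing `// Disable UB checks in Miri.` with `// Miri executes the runtime path of const_eval_select, so the interpreter case must be handled here as well as in comptime(); Miri has its own language-UB diagnostics.`. The function doc could also state the resulting contract in one line, e.g. that it returns `true` only when `ub_checks()` is on and the code is running neither in const-eval nor under Miri.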
diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-unwind.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-unwind.diff index b073e27729e20..ee58a97448055 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-unwind.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.32bit.panic-unwind.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -60,7 +64,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb5, otherwise: bb3]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-abort.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-abort.diff index 0a9f339ddbacb..9fc9c8ed409cf 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-abort.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-abort.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -60,7 +64,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb4, otherwise: bb2]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-unwind.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-unwind.diff index bbc791148af1f..30d93347afdc5 100644 
--- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-unwind.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.DataflowConstProp.64bit.panic-unwind.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -60,7 +64,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb5, otherwise: bb3]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-abort.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-abort.diff index 3a11677f6f036..3a46edbc84968 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-abort.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-abort.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -62,7 +66,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb4, otherwise: bb2]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-unwind.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-unwind.diff index 9e7e08866b9d9..3c71214c35ff1 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-unwind.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.32bit.panic-unwind.diff 
@@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -62,7 +66,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb5, otherwise: bb3]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-abort.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-abort.diff index beadfbc07b6ee..4557e7b26d61b 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-abort.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-abort.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -62,7 +66,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb4, otherwise: bb2]; } diff --git a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-unwind.diff b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-unwind.diff index 9ea86956b833c..5ab2d5e0fdc06 100644 --- a/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-unwind.diff +++ b/tests/mir-opt/dataflow-const-prop/default_boxed_slice.main.GVN.64bit.panic-unwind.diff @@ -28,6 +28,10 @@ let mut _10: *mut (); let mut _11: *const [bool; 0]; scope 13 { + scope 14 (inlined core::ub_checks::check_language_ub) { + scope 15 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -62,7 +66,7 @@ StorageDead(_7); StorageLive(_11); StorageLive(_8); - _8 = UbCheck(LanguageUb); + _8 = UbChecks(); switchInt(move _8) -> [0: bb5, otherwise: bb3]; } 
diff --git a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-abort.diff b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-abort.diff index 6f7853a3e97f5..028040edc856a 100644 --- a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-abort.diff +++ b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-abort.diff @@ -17,6 +17,10 @@ + let _5: (); + scope 5 { + } ++ scope 6 (inlined core::ub_checks::check_language_ub) { ++ scope 7 (inlined core::ub_checks::check_language_ub::runtime) { ++ } ++ } + } + } + } @@ -37,7 +41,7 @@ + + bb2: { + StorageLive(_4); -+ _4 = UbCheck(LanguageUb); ++ _4 = UbChecks(); + assume(_4); + _5 = unreachable_unchecked::precondition_check() -> [return: bb1, unwind unreachable]; + } diff --git a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-unwind.diff b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-unwind.diff index cac06d4af088f..484fd37248c62 100644 --- a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-unwind.diff +++ b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-unwind.diff @@ -17,6 +17,10 @@ + let _5: (); + scope 5 { + } ++ scope 6 (inlined core::ub_checks::check_language_ub) { ++ scope 7 (inlined core::ub_checks::check_language_ub::runtime) { ++ } ++ } + } + } + } @@ -41,7 +45,7 @@ - resume; + bb2: { + StorageLive(_4); -+ _4 = UbCheck(LanguageUb); ++ _4 = UbChecks(); + assume(_4); + _5 = unreachable_unchecked::precondition_check() -> [return: bb1, unwind unreachable]; + } diff --git a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-abort.mir b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-abort.mir index 5c6116501548d..9cd7053871e56 100644 --- a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-abort.mir 
+++ b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-abort.mir @@ -15,6 +15,10 @@ fn unwrap_unchecked(_1: Option) -> T { let _4: (); scope 5 { } + scope 6 (inlined core::ub_checks::check_language_ub) { + scope 7 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -27,7 +31,7 @@ fn unwrap_unchecked(_1: Option) -> T { bb1: { StorageLive(_3); - _3 = UbCheck(LanguageUb); + _3 = UbChecks(); assume(_3); _4 = unreachable_unchecked::precondition_check() -> [return: bb3, unwind unreachable]; } diff --git a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-unwind.mir b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-unwind.mir index 5c6116501548d..9cd7053871e56 100644 --- a/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-unwind.mir +++ b/tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.PreCodegen.after.panic-unwind.mir @@ -15,6 +15,10 @@ fn unwrap_unchecked(_1: Option) -> T { let _4: (); scope 5 { } + scope 6 (inlined core::ub_checks::check_language_ub) { + scope 7 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } } } @@ -27,7 +31,7 @@ fn unwrap_unchecked(_1: Option) -> T { bb1: { StorageLive(_3); - _3 = UbCheck(LanguageUb); + _3 = UbChecks(); assume(_3); _4 = unreachable_unchecked::precondition_check() -> [return: bb3, unwind unreachable]; } diff --git a/tests/mir-opt/pre-codegen/duplicate_switch_targets.ub_if_b.PreCodegen.after.mir b/tests/mir-opt/pre-codegen/duplicate_switch_targets.ub_if_b.PreCodegen.after.mir index 0597e453e2218..455e4ba724411 100644 --- a/tests/mir-opt/pre-codegen/duplicate_switch_targets.ub_if_b.PreCodegen.after.mir +++ b/tests/mir-opt/pre-codegen/duplicate_switch_targets.ub_if_b.PreCodegen.after.mir 
@@ -9,6 +9,10 @@ fn ub_if_b(_1: Thing) -> Thing { let _4: (); scope 2 { } + scope 3 (inlined core::ub_checks::check_language_ub) { + scope 4 (inlined core::ub_checks::check_language_ub::runtime) { + } + } } bb0: { @@ -23,7 +27,7 @@ fn ub_if_b(_1: Thing) -> Thing { bb2: { StorageLive(_3); - _3 = UbCheck(LanguageUb); + _3 = UbChecks(); assume(_3); _4 = unreachable_unchecked::precondition_check() -> [return: bb3, unwind unreachable]; }