From 0ab2c91a2d8fe770d9fc47f06545367bab8ea302 Mon Sep 17 00:00:00 2001 From: Arthur Cohen Date: Wed, 17 Aug 2022 13:43:59 +0200 Subject: [PATCH 1/4] attributes: Add #[rustc_safe_intrinsic] builtin --- compiler/rustc_feature/src/builtin_attrs.rs | 1 + .../rustc_hir_analysis/src/check/intrinsic.rs | 57 +++---------------- compiler/rustc_hir_analysis/src/collect.rs | 2 +- compiler/rustc_span/src/symbol.rs | 1 + src/librustdoc/clean/types.rs | 2 +- src/test/rustdoc/safe-intrinsic.rs | 2 + src/test/ui/error-codes/E0308.rs | 2 + src/test/ui/error-codes/E0308.stderr | 2 +- src/test/ui/intrinsics/intrinsics-integer.rs | 6 ++ 9 files changed, 24 insertions(+), 51 deletions(-) diff --git a/compiler/rustc_feature/src/builtin_attrs.rs b/compiler/rustc_feature/src/builtin_attrs.rs index 700d9dab64be7..5ee6c9f238770 100644 --- a/compiler/rustc_feature/src/builtin_attrs.rs +++ b/compiler/rustc_feature/src/builtin_attrs.rs @@ -499,6 +499,7 @@ pub const BUILTIN_ATTRIBUTES: &[BuiltinAttribute] = &[ ), ungated!(rustc_const_unstable, Normal, template!(List: r#"feature = "name""#), DuplicatesOk), ungated!(rustc_const_stable, Normal, template!(List: r#"feature = "name""#), DuplicatesOk), + ungated!(rustc_safe_intrinsic, Normal, template!(Word), DuplicatesOk), ungated!( rustc_default_body_unstable, Normal, template!(List: r#"feature = "name", reason = "...", issue = "N""#), DuplicatesOk diff --git a/compiler/rustc_hir_analysis/src/check/intrinsic.rs b/compiler/rustc_hir_analysis/src/check/intrinsic.rs index ae484b4fedaf9..b43d492eb7aad 100644 --- a/compiler/rustc_hir_analysis/src/check/intrinsic.rs +++ b/compiler/rustc_hir_analysis/src/check/intrinsic.rs @@ -7,6 +7,7 @@ use crate::errors::{ }; use crate::require_same_types; +use hir::def_id::DefId; use rustc_errors::struct_span_err; use rustc_hir as hir; use rustc_middle::traits::{ObligationCause, ObligationCauseCode}; @@ -61,51 +62,10 @@ fn equate_intrinsic_type<'tcx>( } /// Returns the unsafety of the given intrinsic. -pub fn intrinsic_operation_unsafety(intrinsic: Symbol) -> hir::Unsafety { - match intrinsic { - // When adding a new intrinsic to this list, - // it's usually worth updating that intrinsic's documentation - // to note that it's safe to call, since - // safe extern fns are otherwise unprecedented. - sym::abort - | sym::assert_inhabited - | sym::assert_zero_valid - | sym::assert_uninit_valid - | sym::size_of - | sym::min_align_of - | sym::needs_drop - | sym::caller_location - | sym::add_with_overflow - | sym::sub_with_overflow - | sym::mul_with_overflow - | sym::wrapping_add - | sym::wrapping_sub - | sym::wrapping_mul - | sym::saturating_add - | sym::saturating_sub - | sym::rotate_left - | sym::rotate_right - | sym::ctpop - | sym::ctlz - | sym::cttz - | sym::bswap - | sym::bitreverse - | sym::discriminant_value - | sym::type_id - | sym::likely - | sym::unlikely - | sym::ptr_guaranteed_cmp - | sym::minnumf32 - | sym::minnumf64 - | sym::maxnumf32 - | sym::rustc_peek - | sym::maxnumf64 - | sym::type_name - | sym::forget - | sym::black_box - | sym::variant_count - | sym::ptr_mask => hir::Unsafety::Normal, - _ => hir::Unsafety::Unsafe, +pub fn intrinsic_operation_unsafety(tcx: TyCtxt<'_>, intrinsic_id: DefId) -> hir::Unsafety { + match tcx.has_attr(intrinsic_id, sym::rustc_safe_intrinsic) { + true => hir::Unsafety::Normal, + false => hir::Unsafety::Unsafe, } } @@ -113,7 +73,8 @@ pub fn intrinsic_operation_unsafety(intrinsic: Symbol) -> hir::Unsafety { /// and in `library/core/src/intrinsics.rs`. pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem<'_>) { let param = |n| tcx.mk_ty_param(n, Symbol::intern(&format!("P{}", n))); - let intrinsic_name = tcx.item_name(it.def_id.to_def_id()); + let intrinsic_id = it.def_id.to_def_id(); + let intrinsic_name = tcx.item_name(intrinsic_id); let name_str = intrinsic_name.as_str(); let bound_vars = tcx.mk_bound_variable_kinds( @@ -160,7 +121,7 @@ pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem<'_>) { }; (n_tps, 0, inputs, output, hir::Unsafety::Unsafe) } else { - let unsafety = intrinsic_operation_unsafety(intrinsic_name); + let unsafety = intrinsic_operation_unsafety(tcx, intrinsic_id); let (n_tps, inputs, output) = match intrinsic_name { sym::abort => (0, Vec::new(), tcx.types.never), sym::unreachable => (0, Vec::new(), tcx.types.never), @@ -351,7 +312,7 @@ pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem<'_>) { ( 1, vec![ - tcx.mk_imm_ref(tcx.mk_region(ty::ReLateBound(ty::INNERMOST, br)), param(0)), + tcx.mk_imm_ref(tcx.mk_region(ty::ReLateBound(ty::INNERMOST, br)), param(0)) ], tcx.mk_projection(discriminant_def_id, tcx.mk_substs([param(0).into()].iter())), ) diff --git a/compiler/rustc_hir_analysis/src/collect.rs b/compiler/rustc_hir_analysis/src/collect.rs index e7deae2b557cd..315a2763c760b 100644 --- a/compiler/rustc_hir_analysis/src/collect.rs +++ b/compiler/rustc_hir_analysis/src/collect.rs @@ -2544,7 +2544,7 @@ fn compute_sig_of_foreign_fn_decl<'tcx>( abi: abi::Abi, ) -> ty::PolyFnSig<'tcx> { let unsafety = if abi == abi::Abi::RustIntrinsic { - intrinsic_operation_unsafety(tcx.item_name(def_id)) + intrinsic_operation_unsafety(tcx, def_id) } else { hir::Unsafety::Unsafe }; diff --git a/compiler/rustc_span/src/symbol.rs b/compiler/rustc_span/src/symbol.rs index 502ef67fc6767..c6eff27b9885e 100644 --- a/compiler/rustc_span/src/symbol.rs +++ b/compiler/rustc_span/src/symbol.rs @@ -1282,6 +1282,7 @@ symbols! { rustc_reallocator, rustc_regions, rustc_reservation_impl, + rustc_safe_intrinsic, rustc_serialize, rustc_skip_array_during_method_dispatch, rustc_specialization_trait, diff --git a/src/librustdoc/clean/types.rs b/src/librustdoc/clean/types.rs index e53e93c4defb1..80bf2f2fd9042 100644 --- a/src/librustdoc/clean/types.rs +++ b/src/librustdoc/clean/types.rs @@ -689,7 +689,7 @@ impl Item { let abi = tcx.fn_sig(self.item_id.as_def_id().unwrap()).abi(); hir::FnHeader { unsafety: if abi == Abi::RustIntrinsic { - intrinsic_operation_unsafety(self.name.unwrap()) + intrinsic_operation_unsafety(tcx, self.item_id.as_def_id().unwrap()) } else { hir::Unsafety::Unsafe }, diff --git a/src/test/rustdoc/safe-intrinsic.rs b/src/test/rustdoc/safe-intrinsic.rs index d3bb8514b7e43..d08abdaeb1411 100644 --- a/src/test/rustdoc/safe-intrinsic.rs +++ b/src/test/rustdoc/safe-intrinsic.rs @@ -1,5 +1,6 @@ #![feature(intrinsics)] #![feature(no_core)] +#![feature(rustc_attrs)] #![no_core] #![crate_name = "foo"] @@ -7,6 +8,7 @@ extern "rust-intrinsic" { // @has 'foo/fn.abort.html' // @has - '//pre[@class="rust fn"]' 'pub extern "rust-intrinsic" fn abort() -> !' + #[rustc_safe_intrinsic] pub fn abort() -> !; // @has 'foo/fn.unreachable.html' // @has - '//pre[@class="rust fn"]' 'pub unsafe extern "rust-intrinsic" fn unreachable() -> !' diff --git a/src/test/ui/error-codes/E0308.rs b/src/test/ui/error-codes/E0308.rs index fa79bee570e18..dd9e0b284eaa2 100644 --- a/src/test/ui/error-codes/E0308.rs +++ b/src/test/ui/error-codes/E0308.rs @@ -1,6 +1,8 @@ #![feature(intrinsics)] +#![feature(rustc_attrs)] extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of(); //~ ERROR E0308 } diff --git a/src/test/ui/error-codes/E0308.stderr b/src/test/ui/error-codes/E0308.stderr index b71fb95e706aa..187b775f92dc0 100644 --- a/src/test/ui/error-codes/E0308.stderr +++ b/src/test/ui/error-codes/E0308.stderr @@ -1,5 +1,5 @@ error[E0308]: intrinsic has wrong type - --> $DIR/E0308.rs:4:5 + --> $DIR/E0308.rs:6:5 | LL | fn size_of(); | ^^^^^^^^^^^^^^^^ expected `()`, found `usize` diff --git a/src/test/ui/intrinsics/intrinsics-integer.rs b/src/test/ui/intrinsics/intrinsics-integer.rs index bac6c8d872b40..88bf42b685f4d 100644 --- a/src/test/ui/intrinsics/intrinsics-integer.rs +++ b/src/test/ui/intrinsics/intrinsics-integer.rs @@ -1,15 +1,21 @@ // run-pass #![feature(intrinsics)] +#![feature(rustc_attrs)] mod rusti { extern "rust-intrinsic" { + #[rustc_safe_intrinsic] pub fn ctpop(x: T) -> T; + #[rustc_safe_intrinsic] pub fn ctlz(x: T) -> T; pub fn ctlz_nonzero(x: T) -> T; + #[rustc_safe_intrinsic] pub fn cttz(x: T) -> T; pub fn cttz_nonzero(x: T) -> T; + #[rustc_safe_intrinsic] pub fn bswap(x: T) -> T; + #[rustc_safe_intrinsic] pub fn bitreverse(x: T) -> T; } } From 99d57ee23d61293bc14f6a8f0eb9ad4fe10acc94 Mon Sep 17 00:00:00 2001 From: Arthur Cohen Date: Thu, 18 Aug 2022 11:15:26 +0200 Subject: [PATCH 2/4] core: Mark all safe intrinsics with #[rustc_safe_intrinsic] --- .../src/error_codes/E0094.md | 2 + .../src/error_codes/E0211.md | 2 + library/core/src/intrinsics.rs | 38 +++++++++++++++++++ src/test/ui/error-codes/E0094.rs | 2 + src/test/ui/error-codes/E0094.stderr | 2 +- src/test/ui/extern/extern-with-type-bounds.rs | 2 + .../ui/extern/extern-with-type-bounds.stderr | 2 +- src/test/ui/intrinsics/intrinsic-alignment.rs | 1 + src/test/ui/structs-enums/rec-align-u32.rs | 1 + src/test/ui/structs-enums/rec-align-u64.rs | 1 + 10 files changed, 51 insertions(+), 2 deletions(-) diff --git a/compiler/rustc_error_codes/src/error_codes/E0094.md b/compiler/rustc_error_codes/src/error_codes/E0094.md index ec86ec44ece8e..cc546bdbb3b35 100644 --- a/compiler/rustc_error_codes/src/error_codes/E0094.md +++ b/compiler/rustc_error_codes/src/error_codes/E0094.md @@ -6,6 +6,7 @@ Erroneous code example: #![feature(intrinsics)] extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of() -> usize; // error: intrinsic has wrong number // of type parameters } @@ -19,6 +20,7 @@ Example: #![feature(intrinsics)] extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of() -> usize; // ok! } ``` diff --git a/compiler/rustc_error_codes/src/error_codes/E0211.md b/compiler/rustc_error_codes/src/error_codes/E0211.md index 77289f019005e..8c2462ebd9b86 100644 --- a/compiler/rustc_error_codes/src/error_codes/E0211.md +++ b/compiler/rustc_error_codes/src/error_codes/E0211.md @@ -7,6 +7,7 @@ used. Erroneous code examples: #![feature(intrinsics)] extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of(); // error: intrinsic has wrong type } @@ -42,6 +43,7 @@ For the first code example, please check the function definition. Example: #![feature(intrinsics)] extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of() -> usize; // ok! } ``` diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs index 12b43da5a4280..15ee14398b676 100644 --- a/library/core/src/intrinsics.rs +++ b/library/core/src/intrinsics.rs @@ -788,6 +788,7 @@ extern "rust-intrinsic" { /// uninitialized at that point in the control flow. /// /// This intrinsic should not be used outside of the compiler. + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn rustc_peek(_: T) -> T; /// Aborts the execution of the process. @@ -805,6 +806,7 @@ extern "rust-intrinsic" { /// On Unix, the /// process will probably terminate with a signal like `SIGABRT`, `SIGILL`, `SIGTRAP`, `SIGSEGV` or /// `SIGBUS`. The precise behaviour is not guaranteed and not stable. + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn abort() -> !; /// Informs the optimizer that this point in the code is not reachable, @@ -843,6 +845,7 @@ extern "rust-intrinsic" { /// /// This intrinsic does not have a stable counterpart. #[rustc_const_unstable(feature = "const_likely", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn likely(b: bool) -> bool; /// Hints to the compiler that branch condition is likely to be false. @@ -857,6 +860,7 @@ extern "rust-intrinsic" { /// /// This intrinsic does not have a stable counterpart. #[rustc_const_unstable(feature = "const_likely", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn unlikely(b: bool) -> bool; /// Executes a breakpoint trap, for inspection by a debugger. @@ -876,6 +880,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`core::mem::size_of`]. #[rustc_const_stable(feature = "const_size_of", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn size_of() -> usize; /// The minimum alignment of a type. @@ -887,6 +892,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`core::mem::align_of`]. #[rustc_const_stable(feature = "const_min_align_of", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn min_align_of() -> usize; /// The preferred alignment of a type. /// @@ -915,6 +921,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`core::any::type_name`]. #[rustc_const_unstable(feature = "const_type_name", issue = "63084")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn type_name() -> &'static str; /// Gets an identifier which is globally unique to the specified type. This @@ -928,6 +935,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`core::any::TypeId::of`]. #[rustc_const_unstable(feature = "const_type_id", issue = "77125")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn type_id() -> u64; /// A guard for unsafe functions that cannot ever be executed if `T` is uninhabited: @@ -935,6 +943,7 @@ extern "rust-intrinsic" { /// /// This intrinsic does not have a stable counterpart. #[rustc_const_stable(feature = "const_assert_type", since = "1.59.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn assert_inhabited(); /// A guard for unsafe functions that cannot ever be executed if `T` does not permit @@ -942,6 +951,7 @@ extern "rust-intrinsic" { /// /// This intrinsic does not have a stable counterpart. #[rustc_const_unstable(feature = "const_assert_type2", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn assert_zero_valid(); /// A guard for unsafe functions that cannot ever be executed if `T` has invalid @@ -949,6 +959,7 @@ extern "rust-intrinsic" { /// /// This intrinsic does not have a stable counterpart. #[rustc_const_unstable(feature = "const_assert_type2", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn assert_uninit_valid(); /// Gets a reference to a static `Location` indicating where it was called. @@ -960,6 +971,7 @@ extern "rust-intrinsic" { /// /// Consider using [`core::panic::Location::caller`] instead. #[rustc_const_unstable(feature = "const_caller_location", issue = "76156")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn caller_location() -> &'static crate::panic::Location<'static>; /// Moves a value out of scope without running drop glue. @@ -972,6 +984,7 @@ extern "rust-intrinsic" { /// Therefore, implementations must not require the user to uphold /// any safety invariants. #[rustc_const_unstable(feature = "const_intrinsic_forget", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn forget(_: T); /// Reinterprets the bits of a value of one type as another type. @@ -1251,6 +1264,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`mem::needs_drop`](crate::mem::needs_drop). #[rustc_const_stable(feature = "const_needs_drop", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn needs_drop() -> bool; /// Calculates the offset from a pointer. @@ -1295,6 +1309,7 @@ extern "rust-intrinsic" { /// any safety invariants. /// /// Consider using [`pointer::mask`] instead. + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn ptr_mask(ptr: *const T, mask: usize) -> *const T; /// Equivalent to the appropriate `llvm.memcpy.p0i8.0i8.*` intrinsic, with @@ -1486,6 +1501,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is /// [`f32::min`] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn minnumf32(x: f32, y: f32) -> f32; /// Returns the minimum of two `f64` values. /// @@ -1496,6 +1512,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is /// [`f64::min`] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn minnumf64(x: f64, y: f64) -> f64; /// Returns the maximum of two `f32` values. /// @@ -1506,6 +1523,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is /// [`f32::max`] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn maxnumf32(x: f32, y: f32) -> f32; /// Returns the maximum of two `f64` values. /// @@ -1516,6 +1534,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is /// [`f64::max`] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn maxnumf64(x: f64, y: f64) -> f64; /// Copies the sign from `y` to `x` for `f32` values. @@ -1636,6 +1655,7 @@ extern "rust-intrinsic" { /// primitives via the `count_ones` method. For example, /// [`u32::count_ones`] #[rustc_const_stable(feature = "const_ctpop", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn ctpop(x: T) -> T; /// Returns the number of leading unset bits (zeroes) in an integer type `T`. @@ -1673,6 +1693,7 @@ extern "rust-intrinsic" { /// assert_eq!(num_leading, 16); /// ``` #[rustc_const_stable(feature = "const_ctlz", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn ctlz(x: T) -> T; /// Like `ctlz`, but extra-unsafe as it returns `undef` when @@ -1729,6 +1750,7 @@ extern "rust-intrinsic" { /// assert_eq!(num_trailing, 16); /// ``` #[rustc_const_stable(feature = "const_cttz", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn cttz(x: T) -> T; /// Like `cttz`, but extra-unsafe as it returns `undef` when @@ -1761,6 +1783,7 @@ extern "rust-intrinsic" { /// primitives via the `swap_bytes` method. For example, /// [`u32::swap_bytes`] #[rustc_const_stable(feature = "const_bswap", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn bswap(x: T) -> T; /// Reverses the bits in an integer type `T`. @@ -1774,6 +1797,7 @@ extern "rust-intrinsic" { /// primitives via the `reverse_bits` method. For example, /// [`u32::reverse_bits`] #[rustc_const_stable(feature = "const_bitreverse", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn bitreverse(x: T) -> T; /// Performs checked integer addition. @@ -1787,6 +1811,7 @@ extern "rust-intrinsic" { /// primitives via the `overflowing_add` method. For example, /// [`u32::overflowing_add`] #[rustc_const_stable(feature = "const_int_overflow", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn add_with_overflow(x: T, y: T) -> (T, bool); /// Performs checked integer subtraction @@ -1800,6 +1825,7 @@ extern "rust-intrinsic" { /// primitives via the `overflowing_sub` method. For example, /// [`u32::overflowing_sub`] #[rustc_const_stable(feature = "const_int_overflow", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn sub_with_overflow(x: T, y: T) -> (T, bool); /// Performs checked integer multiplication @@ -1813,6 +1839,7 @@ extern "rust-intrinsic" { /// primitives via the `overflowing_mul` method. For example, /// [`u32::overflowing_mul`] #[rustc_const_stable(feature = "const_int_overflow", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn mul_with_overflow(x: T, y: T) -> (T, bool); /// Performs an exact division, resulting in undefined behavior where @@ -1887,6 +1914,7 @@ extern "rust-intrinsic" { /// primitives via the `rotate_left` method. For example, /// [`u32::rotate_left`] #[rustc_const_stable(feature = "const_int_rotate", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn rotate_left(x: T, y: T) -> T; /// Performs rotate right. @@ -1900,6 +1928,7 @@ extern "rust-intrinsic" { /// primitives via the `rotate_right` method. For example, /// [`u32::rotate_right`] #[rustc_const_stable(feature = "const_int_rotate", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn rotate_right(x: T, y: T) -> T; /// Returns (a + b) mod 2N, where N is the width of T in bits. @@ -1913,6 +1942,7 @@ extern "rust-intrinsic" { /// primitives via the `wrapping_add` method. For example, /// [`u32::wrapping_add`] #[rustc_const_stable(feature = "const_int_wrapping", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn wrapping_add(a: T, b: T) -> T; /// Returns (a - b) mod 2N, where N is the width of T in bits. /// @@ -1925,6 +1955,7 @@ extern "rust-intrinsic" { /// primitives via the `wrapping_sub` method. For example, /// [`u32::wrapping_sub`] #[rustc_const_stable(feature = "const_int_wrapping", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn wrapping_sub(a: T, b: T) -> T; /// Returns (a * b) mod 2N, where N is the width of T in bits. /// @@ -1937,6 +1968,7 @@ extern "rust-intrinsic" { /// primitives via the `wrapping_mul` method. For example, /// [`u32::wrapping_mul`] #[rustc_const_stable(feature = "const_int_wrapping", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn wrapping_mul(a: T, b: T) -> T; /// Computes `a + b`, saturating at numeric bounds. @@ -1950,6 +1982,7 @@ extern "rust-intrinsic" { /// primitives via the `saturating_add` method. For example, /// [`u32::saturating_add`] #[rustc_const_stable(feature = "const_int_saturating", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn saturating_add(a: T, b: T) -> T; /// Computes `a - b`, saturating at numeric bounds. /// @@ -1962,6 +1995,7 @@ extern "rust-intrinsic" { /// primitives via the `saturating_sub` method. For example, /// [`u32::saturating_sub`] #[rustc_const_stable(feature = "const_int_saturating", since = "1.40.0")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn saturating_sub(a: T, b: T) -> T; /// Returns the value of the discriminant for the variant in 'v'; @@ -1974,6 +2008,7 @@ extern "rust-intrinsic" { /// /// The stabilized version of this intrinsic is [`core::mem::discriminant`]. #[rustc_const_unstable(feature = "const_discriminant", issue = "69821")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn discriminant_value(v: &T) -> ::Discriminant; /// Returns the number of variants of the type `T` cast to a `usize`; @@ -1986,6 +2021,7 @@ extern "rust-intrinsic" { /// /// The to-be-stabilized version of this intrinsic is [`mem::variant_count`]. #[rustc_const_unstable(feature = "variant_count", issue = "73662")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn variant_count() -> usize; /// Rust's "try catch" construct which invokes the function pointer `try_fn` @@ -2019,6 +2055,7 @@ extern "rust-intrinsic" { /// Therefore, implementations must not require the user to uphold /// any safety invariants. #[rustc_const_unstable(feature = "const_raw_ptr_comparison", issue = "53020")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn ptr_guaranteed_cmp(ptr: *const T, other: *const T) -> u8; /// Allocates a block of memory at compile time. @@ -2069,6 +2106,7 @@ extern "rust-intrinsic" { /// /// [`std::hint::black_box`]: crate::hint::black_box #[rustc_const_unstable(feature = "const_black_box", issue = "none")] + #[cfg_attr(not(bootstrap), rustc_safe_intrinsic)] pub fn black_box(dummy: T) -> T; /// `ptr` must point to a vtable. diff --git a/src/test/ui/error-codes/E0094.rs b/src/test/ui/error-codes/E0094.rs index 0d58e5a2862c4..a2ec932c12455 100644 --- a/src/test/ui/error-codes/E0094.rs +++ b/src/test/ui/error-codes/E0094.rs @@ -1,5 +1,7 @@ #![feature(intrinsics)] + extern "rust-intrinsic" { + #[rustc_safe_intrinsic] fn size_of() -> usize; //~ ERROR E0094 } diff --git a/src/test/ui/error-codes/E0094.stderr b/src/test/ui/error-codes/E0094.stderr index da97f3a014b06..531cd4c784d33 100644 --- a/src/test/ui/error-codes/E0094.stderr +++ b/src/test/ui/error-codes/E0094.stderr @@ -1,5 +1,5 @@ error[E0094]: intrinsic has wrong number of type parameters: found 2, expected 1 - --> $DIR/E0094.rs:3:15 + --> $DIR/E0094.rs:5:15 | LL | fn size_of() -> usize; | ^^^^^^ expected 1 type parameter diff --git a/src/test/ui/extern/extern-with-type-bounds.rs b/src/test/ui/extern/extern-with-type-bounds.rs index 8f9683e4a7485..a72aa4171a103 100644 --- a/src/test/ui/extern/extern-with-type-bounds.rs +++ b/src/test/ui/extern/extern-with-type-bounds.rs @@ -2,6 +2,7 @@ extern "rust-intrinsic" { // Real example from libcore + #[rustc_safe_intrinsic] fn type_id() -> u64; // Silent bounds made explicit to make sure they are actually @@ -10,6 +11,7 @@ extern "rust-intrinsic" { // Bounds aren't checked right now, so this should work // even though it's incorrect. + #[rustc_safe_intrinsic] fn size_of() -> usize; // Unresolved bounds should still error. diff --git a/src/test/ui/extern/extern-with-type-bounds.stderr b/src/test/ui/extern/extern-with-type-bounds.stderr index acd0596422f8a..88be1e5dd3da0 100644 --- a/src/test/ui/extern/extern-with-type-bounds.stderr +++ b/src/test/ui/extern/extern-with-type-bounds.stderr @@ -1,5 +1,5 @@ error[E0405]: cannot find trait `NoSuchTrait` in this scope - --> $DIR/extern-with-type-bounds.rs:16:20 + --> $DIR/extern-with-type-bounds.rs:18:20 | LL | fn align_of() -> usize; | ^^^^^^^^^^^ not found in this scope diff --git a/src/test/ui/intrinsics/intrinsic-alignment.rs b/src/test/ui/intrinsics/intrinsic-alignment.rs index 6007eba8c0906..c8b1ff1dbce3b 100644 --- a/src/test/ui/intrinsics/intrinsic-alignment.rs +++ b/src/test/ui/intrinsics/intrinsic-alignment.rs @@ -6,6 +6,7 @@ mod rusti { extern "rust-intrinsic" { pub fn pref_align_of() -> usize; + #[rustc_safe_intrinsic] pub fn min_align_of() -> usize; } } diff --git a/src/test/ui/structs-enums/rec-align-u32.rs b/src/test/ui/structs-enums/rec-align-u32.rs index 889294daa340c..ee704198d193b 100644 --- a/src/test/ui/structs-enums/rec-align-u32.rs +++ b/src/test/ui/structs-enums/rec-align-u32.rs @@ -10,6 +10,7 @@ use std::mem; mod rusti { extern "rust-intrinsic" { pub fn pref_align_of() -> usize; + #[rustc_safe_intrinsic] pub fn min_align_of() -> usize; } } diff --git a/src/test/ui/structs-enums/rec-align-u64.rs b/src/test/ui/structs-enums/rec-align-u64.rs index 3bc2d16cf9df2..40ede9705f115 100644 --- a/src/test/ui/structs-enums/rec-align-u64.rs +++ b/src/test/ui/structs-enums/rec-align-u64.rs @@ -12,6 +12,7 @@ use std::mem; mod rusti { extern "rust-intrinsic" { pub fn pref_align_of() -> usize; + #[rustc_safe_intrinsic] pub fn min_align_of() -> usize; } } From 37bf8f888cb7b8a7cb461f0d41588e500b0bb9d1 Mon Sep 17 00:00:00 2001 From: Arthur Cohen Date: Fri, 9 Sep 2022 16:38:33 +0200 Subject: [PATCH 3/4] rustc_safe_intrinsic: Keep list of safe intrinsics within the compiler --- .../rustc_hir_analysis/src/check/intrinsic.rs | 62 ++++++++++++++++++- 1 file changed, 59 insertions(+), 3 deletions(-) diff --git a/compiler/rustc_hir_analysis/src/check/intrinsic.rs b/compiler/rustc_hir_analysis/src/check/intrinsic.rs index b43d492eb7aad..8be1cf04f8b69 100644 --- a/compiler/rustc_hir_analysis/src/check/intrinsic.rs +++ b/compiler/rustc_hir_analysis/src/check/intrinsic.rs @@ -8,7 +8,7 @@ use crate::errors::{ use crate::require_same_types; use hir::def_id::DefId; -use rustc_errors::struct_span_err; +use rustc_errors::{struct_span_err, DiagnosticMessage}; use rustc_hir as hir; use rustc_middle::traits::{ObligationCause, ObligationCauseCode}; use rustc_middle::ty::{self, TyCtxt}; @@ -63,10 +63,66 @@ fn equate_intrinsic_type<'tcx>( /// Returns the unsafety of the given intrinsic. pub fn intrinsic_operation_unsafety(tcx: TyCtxt<'_>, intrinsic_id: DefId) -> hir::Unsafety { - match tcx.has_attr(intrinsic_id, sym::rustc_safe_intrinsic) { + let has_safe_attr = match tcx.has_attr(intrinsic_id, sym::rustc_safe_intrinsic) { true => hir::Unsafety::Normal, false => hir::Unsafety::Unsafe, + }; + let is_in_list = match tcx.item_name(intrinsic_id) { + // When adding a new intrinsic to this list, + // it's usually worth updating that intrinsic's documentation + // to note that it's safe to call, since + // safe extern fns are otherwise unprecedented. + sym::abort + | sym::assert_inhabited + | sym::assert_zero_valid + | sym::assert_uninit_valid + | sym::size_of + | sym::min_align_of + | sym::needs_drop + | sym::caller_location + | sym::add_with_overflow + | sym::sub_with_overflow + | sym::mul_with_overflow + | sym::wrapping_add + | sym::wrapping_sub + | sym::wrapping_mul + | sym::saturating_add + | sym::saturating_sub + | sym::rotate_left + | sym::rotate_right + | sym::ctpop + | sym::ctlz + | sym::cttz + | sym::bswap + | sym::bitreverse + | sym::discriminant_value + | sym::type_id + | sym::likely + | sym::unlikely + | sym::ptr_guaranteed_cmp + | sym::minnumf32 + | sym::minnumf64 + | sym::maxnumf32 + | sym::rustc_peek + | sym::maxnumf64 + | sym::type_name + | sym::forget + | sym::black_box + | sym::variant_count + | sym::ptr_mask => hir::Unsafety::Normal, + _ => hir::Unsafety::Unsafe, + }; + + if has_safe_attr != is_in_list { + tcx.sess.struct_span_err( + tcx.def_span(intrinsic_id), + DiagnosticMessage::Str(format!( + "intrinsic safety mismatch between list of intrinsics within the compiler and core library intrinsics for intrinsic `{}`", + tcx.item_name(intrinsic_id) + ))).emit(); } + + is_in_list } /// Remember to add all intrinsics here, in `compiler/rustc_codegen_llvm/src/intrinsic.rs`, @@ -312,7 +368,7 @@ pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem<'_>) { ( 1, vec![ - tcx.mk_imm_ref(tcx.mk_region(ty::ReLateBound(ty::INNERMOST, br)), param(0)) + tcx.mk_imm_ref(tcx.mk_region(ty::ReLateBound(ty::INNERMOST, br)), param(0)), ], tcx.mk_projection(discriminant_def_id, tcx.mk_substs([param(0).into()].iter())), ) From b1b86491f1c2bb761a06b779a3a7a936a996977a Mon Sep 17 00:00:00 2001 From: Arthur Cohen Date: Tue, 27 Sep 2022 07:22:07 +0200 Subject: [PATCH 4/4] rustc_safe_intrinsic: Add UI test --- src/test/ui/intrinsics/safe-intrinsic-mismatch.rs | 11 +++++++++++ .../ui/intrinsics/safe-intrinsic-mismatch.stderr | 14 ++++++++++++++ 2 files changed, 25 insertions(+) create mode 100644 src/test/ui/intrinsics/safe-intrinsic-mismatch.rs create mode 100644 src/test/ui/intrinsics/safe-intrinsic-mismatch.stderr diff --git a/src/test/ui/intrinsics/safe-intrinsic-mismatch.rs b/src/test/ui/intrinsics/safe-intrinsic-mismatch.rs new file mode 100644 index 0000000000000..50e12eaeb5cc0 --- /dev/null +++ b/src/test/ui/intrinsics/safe-intrinsic-mismatch.rs @@ -0,0 +1,11 @@ +#![feature(intrinsics)] +#![feature(rustc_attrs)] + +extern "rust-intrinsic" { + fn size_of() -> usize; //~ ERROR intrinsic safety mismatch + + #[rustc_safe_intrinsic] + fn assume(b: bool); //~ ERROR intrinsic safety mismatch +} + +fn main() {} diff --git a/src/test/ui/intrinsics/safe-intrinsic-mismatch.stderr b/src/test/ui/intrinsics/safe-intrinsic-mismatch.stderr new file mode 100644 index 0000000000000..0c2f3be491dd3 --- /dev/null +++ b/src/test/ui/intrinsics/safe-intrinsic-mismatch.stderr @@ -0,0 +1,14 @@ +error: intrinsic safety mismatch between list of intrinsics within the compiler and core library intrinsics for intrinsic `size_of` + --> $DIR/safe-intrinsic-mismatch.rs:5:5 + | +LL | fn size_of() -> usize; + | ^^^^^^^^^^^^^^^^^^^^^^^^ + +error: intrinsic safety mismatch between list of intrinsics within the compiler and core library intrinsics for intrinsic `assume` + --> $DIR/safe-intrinsic-mismatch.rs:8:5 + | +LL | fn assume(b: bool); + | ^^^^^^^^^^^^^^^^^^ + +error: aborting due to 2 previous errors +