Lower transmutes from int to pointer type as gep on null #121282
Conversation
rustbot
added
S-waiting-on-review
saethlin
force-pushed
the
gep-null-means-no-provenance
branch
from
03e5b5d
to
903dd09
Compare
|
@bors try @rust-timer queue |
This comment has been minimized.
This comment has been minimized.
rustbot
added
the
S-waiting-on-perf
…e, r=<try> Lower transmutes from int to pointer type as gep on null I thought of this while looking at rust-lang#121242 The UI test that's being changed here crashes without changing the transmutes into casts. Based on that, this PR should not be merged without a crater build-and-test run.
|
☀️ Try build successful - checks-actions |
This comment has been minimized.
This comment has been minimized.
|
Finished benchmarking commit (d073071): comparison URL. Overall result: no relevant changes - no action neededBenchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf. @bors rollup=never Instruction countThis benchmark run did not return any relevant results for this metric. Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Binary sizeResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Bootstrap: 640.336s -> 641.418s (0.17%) |
rustbot
removed
the
S-waiting-on-perf
|
@craterbot run mode=build-and-test |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
|
@craterbot abort |
|
🗑️ Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-review
|
@craterbot run mode=build-and-test start=master#61223975d46f794466efa832bc7562b9707ecc46+rustflags=-Copt-level=3 end=try#d073071d77ce0f93b4fd8cc567a1e2b9e1b22126+rustflags=-Copt-level=3 |
|
👌 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
craterbot
added
S-waiting-on-crater
tests/codegen/transmute-scalar.rs
Outdated
| @@ -49,7 +49,7 @@ pub fn ptr_to_int(p: *mut u16) -> usize { | |||
| } | |||
|
|
|||
| // CHECK: define{{.*}}ptr @int_to_ptr([[USIZE]] %i) | |||
| // CHECK: %_0 = inttoptr [[USIZE]] %i to ptr | |||
| // CHECK: %_0 = getelementptr i8, ptr null, i64 %i | |||
There was a problem hiding this comment.
I think to make this pass on non-64-bit you need
| // CHECK: %_0 = getelementptr i8, ptr null, i64 %i | |
| // CHECK: %_0 = getelementptr i8, ptr null, [[USIZE]] %i |
|
🚧 Experiment ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more |
library/core/src/intrinsics.rs
Outdated
| /// std::mem::transmute::<usize, *const u8>(address) | ||
| /// }; | ||
| /// unsafe { | ||
| /// assert_eq!(*ptr, 0); |
There was a problem hiding this comment.
| /// assert_eq!(*ptr, 0); | |
| /// assert_eq!(*ptr, 0); // undefined behavior! ⚠️ |
library/core/src/intrinsics.rs
Outdated
| /// let address = unsafe { | ||
| /// std::mem::transmute::<*const u8, usize>(ptr) | ||
| /// }; | ||
| /// let new_ref = unsafe { |
There was a problem hiding this comment.
| /// let new_ref = unsafe { | |
| /// // undefined behavior! ⚠️ | |
| /// let new_ref = unsafe { |
library/core/src/intrinsics.rs
Outdated
| /// Distinguishing exactly which operation in this program is invalid touches on unspecified | ||
| /// aspects of the Rust memory model. If you need to store a pointer as another type then | ||
| /// recover the original pointer later, you cannot use `transmute` to round-trip through a | ||
| /// type which is not a pointer, reference, or [`MaybeUninit`][crate::mem::MaybeUninit]. |
There was a problem hiding this comment.
Seems more useful to say which type can be used?
library/core/src/intrinsics.rs
Outdated
| @@ -1223,6 +1223,35 @@ extern "rust-intrinsic" { | |||
| /// } | |||
| /// ``` | |||
| /// | |||
| /// However, since pointers (and references) have provenance and integers do not, the following | |||
| /// program executes UB: | |||
There was a problem hiding this comment.
I feel like this needs more comments explaining what happens -- ideally referring to some module-level docs in std::ptr that explain the entire provenance story.
Right now this PR is the first to introduce the word "provenance" into stable docs. I don't think you can just use the term here without any explanation. So either this needs to be reworded to avoid that term, or the libs change here can only land once there's a proper explanation of "provenance" somewhere (e.g., once strict provenance is stable).
There was a problem hiding this comment.
Also, burying this in the examples doesn't seem appropriate. There is existing discussion of ptr2int transmutes up above and down below, it's strange that this is entirely disconnected.
There was a problem hiding this comment.
Ah, I see. I will not be the one to write the documentation for what provenance is, so we can either land this without added documentation on the basis of what Scott said here: #121282 (comment) or not at all.
I'm going to force-push away the documentation from this PR.
There was a problem hiding this comment.
I'll see if I can add some wording to the docs that warn against int2ptr transmutes without talking directly about promotion. That doesn't have to block this PR.
saethlin
force-pushed
the
gep-null-means-no-provenance
branch
from
e8e53b8
to
2eb9c6d
Compare
|
This is a small change that looks good to me. Miri has confidently called it UB for ages, as mentioned above, and @saethlin has done as much as can be expected from the crater results. Anyone broken by it can change to using a cast instead of the transmute, which is something that doesn't have MSRV issues since casts have existed forever. So let's do it! I agree it would be nice to have more documentation about what is and isn't allowed with transmutes and provenance, but that's the existing state of the docs, since misusing this is already UB. The special transmute path is itself relatively new -- I added it in #109843, where arguably I shouldn't have used |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
|
Finished benchmarking commit (0fa7fea): comparison URL. Overall result: no relevant changes - no action needed@rustbot label: -perf-regression Instruction countThis benchmark run did not return any relevant results for this metric. Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesThis benchmark run did not return any relevant results for this metric. Binary sizeThis benchmark run did not return any relevant results for this metric. Bootstrap: 672.319s -> 672.448s (0.02%) |
Ignore some more crates Adding all the spurious failures I identified in rust-lang/rust#121282 (comment) I'm also not sure what `blacklist.md` is for, but it hasn't been updated in 6 years so I imagine it's not important.
Ignore some more crates Adding all the spurious failures I identified in rust-lang/rust#121282 (comment) I'm also not sure what `blacklist.md` is for, but it hasn't been updated in 6 years so I imagine it's not important.
Ignore some more crates Adding all the spurious failures I identified in rust-lang/rust#121282 (comment) I'm also not sure what `blacklist.md` is for, but it hasn't been updated in 6 years so I imagine it's not important.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc `@saethlin` `@scottmcm` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ``@saethlin`` ``@scottmcm`` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ````@saethlin```` ````@scottmcm```` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc `````@saethlin````` `````@scottmcm````` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
Rollup merge of rust-lang#122379 - RalfJung:int2ptr-transmute, r=m-ou-se transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
Pkgsrc changes: * Adapt checksums and patches, some have beene intregrated upstream. Upstream chnages: Version 1.78.0 (2024-05-02) =========================== Language -------- - [Stabilize `#[cfg(target_abi = ...)]`] (rust-lang/rust#119590) - [Stabilize the `#[diagnostic]` namespace and `#[diagnostic::on_unimplemented]` attribute] (rust-lang/rust#119888) - [Make async-fn-in-trait implementable with concrete signatures] (rust-lang/rust#120103) - [Make matching on NaN a hard error, and remove the rest of `illegal_floating_point_literal_pattern`] (rust-lang/rust#116284) - [static mut: allow mutable reference to arbitrary types, not just slices and arrays] (rust-lang/rust#117614) - [Extend `invalid_reference_casting` to include references casting to bigger memory layout] (rust-lang/rust#118983) - [Add `non_contiguous_range_endpoints` lint for singleton gaps after exclusive ranges] (rust-lang/rust#118879) - [Add `wasm_c_abi` lint for use of older wasm-bindgen versions] (rust-lang/rust#117918) This lint currently only works when using Cargo. - [Update `indirect_structural_match` and `pointer_structural_match` lints to match RFC] (rust-lang/rust#120423) - [Make non-`PartialEq`-typed consts as patterns a hard error] (rust-lang/rust#120805) - [Split `refining_impl_trait` lint into `_reachable`, `_internal` variants] (rust-lang/rust#121720) - [Remove unnecessary type inference when using associated types inside of higher ranked `where`-bounds] (rust-lang/rust#119849) - [Weaken eager detection of cyclic types during type inference] (rust-lang/rust#119989) - [`trait Trait: Auto {}`: allow upcasting from `dyn Trait` to `dyn Auto`] (rust-lang/rust#119338) Compiler -------- - [Made `INVALID_DOC_ATTRIBUTES` lint deny by default] (rust-lang/rust#111505) - [Increase accuracy of redundant `use` checking] (rust-lang/rust#117772) - [Suggest moving definition if non-found macro_rules! is defined later] (rust-lang/rust#121130) - [Lower transmutes from int to pointer type as gep on null] (rust-lang/rust#121282) Target changes: - [Windows tier 1 targets now require at least Windows 10] (rust-lang/rust#115141) - [Enable CMPXCHG16B, SSE3, SAHF/LAHF and 128-bit Atomics in tier 1 Windows] (rust-lang/rust#120820) - [Add `wasm32-wasip1` tier 2 (without host tools) target] (rust-lang/rust#120468) - [Add `wasm32-wasip2` tier 3 target] (rust-lang/rust#119616) - [Rename `wasm32-wasi-preview1-threads` to `wasm32-wasip1-threads`] (rust-lang/rust#122170) - [Add `arm64ec-pc-windows-msvc` tier 3 target] (rust-lang/rust#119199) - [Add `armv8r-none-eabihf` tier 3 target for the Cortex-R52] (rust-lang/rust#110482) - [Add `loongarch64-unknown-linux-musl` tier 3 target] (rust-lang/rust#121832) Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [Bump Unicode to version 15.1.0, regenerate tables] (rust-lang/rust#120777) - [Make align_offset, align_to well-behaved in all cases] (rust-lang/rust#121201) - [PartialEq, PartialOrd: document expectations for transitive chains] (rust-lang/rust#115386) - [Optimize away poison guards when std is built with panic=abort] (rust-lang/rust#100603) - [Replace pthread `RwLock` with custom implementation] (rust-lang/rust#110211) - [Implement unwind safety for Condvar on all platforms] (rust-lang/rust#121768) - [Add ASCII fast-path for `char::is_grapheme_extended`] (rust-lang/rust#121138) Stabilized APIs --------------- - [`impl Read for &Stdin`] (https://doc.rust-lang.org/stable/std/io/struct.Stdin.html#impl-Read-for-%26Stdin) - [Accept non `'static` lifetimes for several `std::error::Error` related implementations] (rust-lang/rust#113833) - [Make `impl<Fd: AsFd>` impl take `?Sized`] (rust-lang/rust#114655) - [`impl From<TryReserveError> for io::Error`] (https://doc.rust-lang.org/stable/std/io/struct.Error.html#impl-From%3CTryReserveError%3E-for-Error) These APIs are now stable in const contexts: - [`Barrier::new()`] (https://doc.rust-lang.org/stable/std/sync/struct.Barrier.html#method.new) Cargo ----- - [Stabilize lockfile v4](rust-lang/cargo#12852) - [Respect `rust-version` when generating lockfile] (rust-lang/cargo#12861) - [Control `--charset` via auto-detecting config value] (rust-lang/cargo#13337) - [Support `target.<triple>.rustdocflags` officially] (rust-lang/cargo#13197) - [Stabilize global cache data tracking] (rust-lang/cargo#13492) Misc ---- - [rustdoc: add `--test-builder-wrapper` arg to support wrappers such as RUSTC_WRAPPER when building doctests] (rust-lang/rust#114651) Compatibility Notes ------------------- - [Many unsafe precondition checks now run for user code with debug assertions enabled] (rust-lang/rust#120594) This change helps users catch undefined behavior in their code, though the details of how much is checked are generally not stable. - [riscv only supports split_debuginfo=off for now] (rust-lang/rust#120518) - [Consistently check bounds on hidden types of `impl Trait`] (rust-lang/rust#121679) - [Change equality of higher ranked types to not rely on subtyping] (rust-lang/rust#118247) - [When called, additionally check bounds on normalized function return type] (rust-lang/rust#118882) - [Expand coverage for `arithmetic_overflow` lint] (rust-lang/rust#119432) Internal Changes ---------------- These changes do not affect any public interfaces of Rust, but they represent significant improvements to the performance or internals of rustc and related tools. - [Update to LLVM 18](rust-lang/rust#120055) - [Build `rustc` with 1CGU on `x86_64-pc-windows-msvc`] (rust-lang/rust#112267) - [Build `rustc` with 1CGU on `x86_64-apple-darwin`] (rust-lang/rust#112268) - [Introduce `run-make` V2 infrastructure, a `run_make_support` library and port over 2 tests as example] (rust-lang/rust#113026) - [Windows: Implement condvar, mutex and rwlock using futex] (rust-lang/rust#121956)
I thought of this while looking at #121242. See that PR's description for why this lowering is preferable.
The UI test that's being changed here crashes without changing the transmutes into casts. Based on that, this PR should not be merged without a crater build-and-test run.