Prepare miri engine for enforcing validity invariant during execution

[RalfJung]

In particular, make recursive checking of references optional, and add a const_mode parameter that says whether usize is allowed to contain a pointer. Also refactor validation a bit to be type-driven at the "leafs" (primitive types), and separately validate scalar layout to catch NonNull violations (which it did not properly validate before).

Fixes #53826
Also fixes #54751

r? @oli-obk

[rust-highfive]

⚠️ Warning ⚠️

• These commits modify submodules.

[RalfJung]

We have an interesting test failure: This extern static is considered not sufficiently aligned

#[link_name = "check_static_recursion_foreign_helper"]
extern "C" {
    #[allow(dead_code)]
    static test_static: c_int;
}

static B: &'static c_int = unsafe { &test_static };

Seems like we set some rather arbitrary alignment for these? Ideally we'd pick an alignment based on the type, would that make sense? Where is the code deciding that?

[RalfJung]

For now, I made it skip pointers to foreign statics entirely, not even checking their alignment. I think we could do better, but this is not a regression.

[oli-obk]

"the....."

[RalfJung]

I see value as the subject in this sentence, so it shouldn't need a "the". It's like a name: "Make sure that Berlin matches..."

[oli-obk]

what about undef checks?

[RalfJung]

Do we or do we not want to allow undef when the range is the entire possible range? That would mean validate_scalar_layout would also have to take a const_mode.

Note that we have type-based checks for that later, where we decide on a type-by-type basis whether we want undef or not. This here is only for additional restrictions that may be imposed on top of what the primitive types say.

[oli-obk]

technically we should be checking whether hi.overflowing_add(1) == lo, because there are 2^128 possible ways to encode the full range

[RalfJung]

That's not correct either, we actually pick the range depending on the size of the scalar. I am now using

let max_hi = u128::max_value() >> (128 - size.bits()); // as big as the size fits

[oli-obk]

I'm fairly sure I had a test for just this case (enum Foo { E = 0 } and then transmuting a pointer to the enum type)

[RalfJung]

I made this more strict with the latest changes, could you have a look?

I found your test in ub-enum.rs. Bot it kept failing as expected... maybe because this is actually not considered a primitive type, but an enum, and hence it loads the discriminant and that always fails when it is a pointer?

[RalfJung]

I finally found a way to unify handling of thin and fat pointers, so I could not resist adding that to this PR.

[RalfJung]

Seems like we set some rather arbitrary alignment for these? Ideally we'd pick an alignment based on the type, would that make sense? Where is the code deciding that?

Actually we do not set any alignment for these foreign statics, we get a "dangling pointer" error even when just trying to check alignment. For now, I think it's best to keep ignoring them.

[RalfJung]

I had to change this test because "reading" a () does not actually read anything...

[RalfJung]

Might be worth doing a perf run.

@bors try

[bors]

⌛ Trying commit 5dfc8f1 with merge 98f2e1b...

[bors]

☀️ Test successful - status-travis
State: approved= try=True

[RalfJung]

@rust-timer build 98f2e1b

[rust-timer]

Success: Queued 98f2e1b with parent c67ea54, comparison URL.

[RalfJung]

Unexpectedly things got a bit slower (because now it does that scalar check quite more often than it used to). It's 5% only for very short benchmarks though (clean incremental), and more around 1-2% for the stress tests.

[oli-obk]

I don't see how a pointer with an actual (dead or live) allocation could ever be null.

[RalfJung]

If you offset a pointer enough, it can overflow to NULL.

The only way we can know it is not NULL is to make sure it is inbounds.

[oli-obk]

If you overflow it far enough so it is inbounds again, won't we have the same problem?

[RalfJung]

Why would that be a problem? The overflow itself is okay. We only allow overflow when using wrapping_offset.

[oli-obk]

needs a test if this is reachable at all, otherwise, remove

[RalfJung]

I think this is currently unreachable because we have no way in CTFE to add an offset to a pointer. It will be reachable once that is a possibility.

[RalfJung]

The only actually surprising perf regression seems to be syn, and that one I unfortunately cannot reproduce locally... Also note syn has a ? indicating it has high variance.

"clean-opt" is supposed to regress 3%, it's 1% here (and 1% I have found impossible to debug, there's just too much noise). Looking at perf report, this spends almost all its time in LLVM. No idea how these changes here should affect anything.

I also tried reproducing "patched incremental: println-opt" for syn, but I am getting vastly different numbers for the instruction count (on the order of 47 billion instead of 27 billion), so I must be doing something else. On those measurements, this patch is a <0.1% slowdown. Here's the commands I used:

# prepare
export CARGO_INCREMENTAL=1
git reset --hard HEAD && rm target -rf && cargo +stage2.2 build --release
# bench
patch -p1 < 0-println.patch && perf stat -- cargo +stage2.2 build --release

[RalfJung]

I managed to get the perf collector running locally, and used it to re-run the syn benchmarks. I am again seeing numbers around 45 billion instead of the 27 billion on the website, and I am seeing a regression of around 0.1%. I'd call that noise.

I can't think of anything else I could do.

[oli-obk]

@bors r+

[bors]

📌 Commit fe96f82 has been approved by oli-obk

[bors]

⌛ Testing commit fe96f82 with merge 0e07c42...

[bors]

☀️ Test successful - status-appveyor, status-travis
Approved by: oli-obk
Pushing 0e07c42 to master...

[rust-highfive]

📣 Toolstate changed by #54762!

Tested on commit 0e07c42.
Direct link to PR: #54762

🎉 miri on windows: build-fail → test-pass.
🎉 miri on linux: build-fail → test-pass.

[alexcrichton]

It looks like this may have caused a minor regression across a number of targets on perf

[RalfJung]

These targets that regressed all have large constants.

That'll likely be caused by us now checking both layout and type invariants. There is some redundancy in the checking there, which I am not sure how to avoid (while keeping the code somewhat reasonably organized).

[oli-obk]

Maybe we could not run the layout checks on those value where we know the type checks to be sufficient? E.g. on char, bool and basic integers

[RalfJung]

You want to determine that by type? ;) I think you can add references and raw pointers to that list. (References have a layout restriction but we also check that and more in the type-based check.) In fact, for all the types which have a type-based check, that check should be sufficient.

Sure, worth a try I guess. I am not convinced it will help much but there is only one way to find out.