Make sure our handling of partially initialized values is compatible with LLVM / We cannot use LLVM poison semantics #94428
Comments
|
Also see this LLVM thread. |
jyn514
added
A-LLVM
|
There was another LLVM discussion early last year, re-affirming this point:
That is not great since it means we can't have "delayed UB (via poison)" in Rust at all even when LLVM has it. |
|
See llvm/llvm-project#96631, specifically this comment by @nikic
So right now it looks like LLVM is increasingly homing in on "frontends can't use poison for their own semantics if they want to have good codegen", which is unfortunate. (But still better than unsound codegen!) See here for one example of a discussion where people asked for having poison semantics in Rust. The usual suspects that wants this are sound wrappers around fast-math operations, and SIMD wrappers where some lanes may become poison. To be clear, "let's first get LLVM into a sound state, remove undef, and then figure out how to let frontends use poison" seems like a viable strategy to me. I'd just hate for us to end up in a corner where letting frontends use poison is near impossible. After all frontends can use undef, so if undef is gone and poison can't be used, that's quite the regression. |
RalfJung
changed the title
The intent is for types like
MaybeUninit<u64>to support dealing with partially initialized data: e.g., if we have a(u32, u16)(and assuming for a second we could rely on its layout), it should be sound to transmute that toMaybeUninit<u64>and back even though the padding between the two tuple fields might be uninitialized. Code like #94212 relies on this.The thing is, we are compiling
MaybeUninit<u64>toi64for LLVM --MaybeUninitisrepr(transparent). This was required to avoid codegen regressions whenMaybeUninitstarted to be used in some hot data copying loops inside libcore. So, for this all to work out, we better be sure thati64correctly preserves partially initialized data.LLVM has two kinds of "uninit" data,
undefandpoison.undefis per-bit and precisely preserved in alliNtypes, so we should be fine here.poison, however, is per-value: when loading ani64and any of its bytes ispoison, the entire result ispoison. That is exactly not what we want forMaybeUninit<u64>. However, at least in current LLVM,poisonis only created in very few situations (such as "nowrap" arithmetic that overflows), and AFAIK none of them can happen in a UB-free Rust program -- so, basically "uninit" in Rust only ever corresponds toundefin LLVM, never topoison. (But I might have missed places where LLVM generatesposion.)So I think right now we are good. However, LLVM is slowly moving away from
undefand towardsposion, sinceundefis seriously ill-behaved in many ways. And if that ever means that "uninit" in Rust could correspond to LLVMpoison, then we have a problem here -- we have to keep monitoring this situation, and it might be good for us to be involved in the relevant LLVM discussions here as well to make sure they are aware of this problem.Similarly, as we evolve the MIR semantics we have to make sure that no UB-free program can generate
poisonafter compilation to LLVM.A very elegant solution to this issue would be for LLVM to adopt the "byte type" proposal, however, so far my impression is the LLVM community is not convinced they need such a type. With a byte type,
MaybeUninit<u64>could be easily compiled tob64in LLVM, and a byte type would preservepoisonprecisely, so we'd be all good.I am mostly opening this so we have some place to track the current situation, and to make sure everyone agrees on what the main concerns are here -- and to get input from folks with more LLVM experience in case I got some of this wrong.
Cc @rust-lang/wg-unsafe-code-guidelines @rust-lang/wg-llvm
The text was updated successfully, but these errors were encountered: