Ensure ptr::read gets all the same LLVM load metadata that dereferencing does #109035

Merged (6 commits), Mar 15, 2023
2 changes: 2 additions & 0 deletions compiler/rustc_hir_analysis/src/check/intrinsic.rs
@@ -363,6 +363,8 @@ pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem<'_>) {
sym::likely => (0, vec![tcx.types.bool], tcx.types.bool),
sym::unlikely => (0, vec![tcx.types.bool], tcx.types.bool),

sym::read_via_copy => (1, vec![tcx.mk_imm_ptr(param(0))], param(0)),

sym::discriminant_value => {
let assoc_items = tcx.associated_item_def_ids(
tcx.require_lang_item(hir::LangItem::DiscriminantKind, None),
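Review bot: the `(1, vec![tcx.mk_imm_ptr(param(0))], param(0))` entry matches the `pub fn read_via_copy<T>(p: *const T) -> T` declaration in `library/core/src/intrinsics.rs`, and nothing marks it `#[rustc_safe_intrinsic]` (contrast `saturating_sub` in that file), so the intrinsic stays `unsafe`; that is right, because a typed copy out of `*p` inherits every validity and alignment precondition of `ptr::read`. A one-line comment on this arm saying the argument is deliberately a plain `*const T` (the intrinsics.rs doc says this is to avoid `noalias` requirements) would keep the two places in sync.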
7 changes: 4 additions & 3 deletions compiler/rustc_lint_defs/src/builtin.rs
@@ -1026,12 +1026,13 @@ declare_lint! {
/// ### Example
///
/// ```rust,compile_fail
/// #![feature(const_ptr_read)]
/// #![feature(const_mut_refs)]
/// const FOO: () = unsafe {
/// let x = &[0_u8; 4];
/// let y = x.as_ptr().cast::<u32>();
/// y.read(); // the address of a `u8` array is unknown and thus we don't know if
/// // it is aligned enough for reading a `u32`.
/// let mut z = 123;
/// y.copy_to_nonoverlapping(&mut z, 1); // the address of a `u8` array is unknown
/// // and thus we don't know if it is aligned enough for copying a `u32`.
/// };
/// ```
///
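Review bot: with `y.read()` replaced by `y.copy_to_nonoverlapping(&mut z, 1)`, the `#![feature(const_ptr_read)]` attribute on the first line of the example looks unused (only `const_mut_refs` is still needed for `&mut z`); unless the doc test is meant to exercise that gate, drop it so the example shows the minimum needed to trigger the lint. It would also help to add a sentence to the lint docs explaining why `read` no longer appears here: after this PR an unaligned `ptr::read` in a const is a hard `E0080` error rather than this future-incompat lint, as the `ub-ref-ptr.stderr` change in this PR shows.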
24 changes: 24 additions & 0 deletions compiler/rustc_mir_transform/src/lower_intrinsics.rs
@@ -149,6 +149,30 @@ impl<'tcx> MirPass<'tcx> for LowerIntrinsics {
terminator.kind = TerminatorKind::Goto { target };
}
}
sym::read_via_copy => {
let Ok([arg]) = <[_; 1]>::try_from(std::mem::take(args)) else {
span_bug!(terminator.source_info.span, "Wrong number of arguments");
};
let derefed_place =
if let Some(place) = arg.place() && let Some(local) = place.as_local() {
tcx.mk_place_deref(local.into())
} else {
span_bug!(terminator.source_info.span, "Only passing a local is supported");
};
block.statements.push(Statement {
source_info: terminator.source_info,
kind: StatementKind::Assign(Box::new((
*destination,
Rvalue::Use(Operand::Copy(derefed_place)),
))),
});
if let Some(target) = *target {
terminator.kind = TerminatorKind::Goto { target };
} else {
// Reading something uninhabited means this is unreachable.
terminator.kind = TerminatorKind::Unreachable;
}
}
sym::discriminant_value => {
if let (Some(target), Some(arg)) = (*target, args[0].place()) {
let arg = tcx.mk_place_deref(arg);
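Review bot: the `span_bug!(terminator.source_info.span, "Only passing a local is supported")` arm makes this lowering an ICE whenever `arg` is anything other than a bare local, so its correctness depends on `LowerIntrinsics` running before any pass that could substitute a projection such as `s.f` for the argument (the review thread on the intrinsic docs raises exactly this, and the reply that "this runs before optimizations" is the reason it holds today). Put that invariant in a comment directly above `let derefed_place =`, and while there, note that `Rvalue::Use(Operand::Copy(derefed_place))` is emitted even when `T` is not `Copy`: that is the intrinsic's contract (a typed copy out of `*p`, with `ptr::read` callers responsible for not using the source again), but a reader of this pass alone cannot tell it is deliberate.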
1 change: 1 addition & 0 deletions compiler/rustc_span/src/symbol.rs
@@ -1153,6 +1153,7 @@ symbols! {
read_enum_variant_arg,
read_struct,
read_struct_field,
read_via_copy,
readonly,
realloc,
reason,
14 changes: 14 additions & 0 deletions library/core/src/intrinsics.rs
@@ -2020,6 +2020,20 @@ extern "rust-intrinsic" {
#[rustc_safe_intrinsic]
pub fn saturating_sub<T: Copy>(a: T, b: T) -> T;

/// This is a *typed* read, `copy *p` in MIR.
///
/// The stabilized form of this intrinsic is [`crate::ptr::read`], so
/// that can be implemented without needing to do an *untyped* copy
/// via [`copy_nonoverlapping`], and thus can get proper metadata.
Review comment (Member):
Suggested change
/// The stabilized form of this intrinsic is [`crate::ptr::read`], so
/// that can be implemented without needing to do an *untyped* copy
/// via [`copy_nonoverlapping`], and thus can get proper metadata.
/// The stabilized form of this intrinsic is [`crate::ptr::read`], so that
/// it is easier for the compiler to generate a load with proper metadata.

///
/// This intrinsic can *only* be called with a copy or move of a local.
/// (It allows neither constants nor projections.)
Review comment (Member):
This confused me a bit — at first I thought that read_via_copy only works for pointers to locals; while it seems like actually it can only be called with a pointer which is itself a local (i.e. read_via_copy(x) ✅, read_via_copy(s.f) ❎).

Maybe the docs can be clarified a bit.

Review comment (Member):
This seems like a strange (and very syntactic) restriction? Isn't there a high risk that some other program transformation might, for instance, turn

let x = s.f;
read_via_copy(x)

into

read_via_copy(s.f)

?

Review comment by @workingjubilee (Member), Mar 14, 2023:
That can be fixed via introducing a temporary if it becomes a problem (and Jakob mentioned that on... Zulip?), but it seems the current tendency in the MIR is to aggressively desugar everything and introduce temporaries everywhere, then roll them back up in opt passes. If the implementation works and produces less MIR than the alternative, I think there's a merit in not introducing One More Temporary for the crab to claw through.

Maybe we should note why this "bug" was not "fixed", though, so that if anyone comes by and it needs to be fixed, they can immediately change it.

Review comment (Contributor):
Yes, this is about as big an optimization footgun as can exist. What saves us is that this runs before optimizations, so they don't have to care.

Review comment (Member):
Still seems rather fragile, and needs at least a comment explaining the situation.

///
/// To avoid introducing any `noalias` requirements, it just takes a pointer.
#[cfg(not(bootstrap))]
#[rustc_const_unstable(feature = "const_ptr_read", issue = "80377")]
pub fn read_via_copy<T>(p: *const T) -> T;

/// Returns the value of the discriminant for the variant in 'v';
/// if `T` has no discriminant, returns `0`.
///
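Review bot: the sentence `This intrinsic can *only* be called with a copy or move of a local.` is ambiguous about whether the pointer or the pointee must be a local; as the thread above establishes, it is the argument `p` itself (`read_via_copy(x)` is accepted, `read_via_copy(s.f)` is not), and the restriction is enforced by a `span_bug!` in `LowerIntrinsics`, so the doc should say that plainly and label it an implementation limitation of that pass rather than a property of the operation. The doc also states no safety preconditions; since `crate::ptr::read` lowers to this, one line deferring to `ptr::read`'s Safety section (valid for reads, aligned, pointing at an initialized `T`) would cover them.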
20 changes: 14 additions & 6 deletions library/core/src/ptr/mod.rs
@@ -1137,25 +1137,33 @@ pub const unsafe fn replace<T>(dst: *mut T, mut src: T) -> T {
pub const unsafe fn read<T>(src: *const T) -> T {
// We are calling the intrinsics directly to avoid function calls in the generated code
// as `intrinsics::copy_nonoverlapping` is a wrapper function.
#[cfg(bootstrap)]
extern "rust-intrinsic" {
#[rustc_const_stable(feature = "const_intrinsic_copy", since = "1.63.0")]
fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: usize);
}

let mut tmp = MaybeUninit::<T>::uninit();
// SAFETY: the caller must guarantee that `src` is valid for reads.
// `src` cannot overlap `tmp` because `tmp` was just allocated on
// the stack as a separate allocated object.
//
// Also, since we just wrote a valid value into `tmp`, it is guaranteed
// to be properly initialized.
unsafe {
assert_unsafe_precondition!(
"ptr::read requires that the pointer argument is aligned and non-null",
[T](src: *const T) => is_aligned_and_not_null(src)
);
copy_nonoverlapping(src, tmp.as_mut_ptr(), 1);
tmp.assume_init()

#[cfg(bootstrap)]
{
let mut tmp = MaybeUninit::<T>::uninit();
copy_nonoverlapping(src, tmp.as_mut_ptr(), 1);
tmp.assume_init()
}
#[cfg(not(bootstrap))]
{
// This uses a dedicated intrinsic, not `copy_nonoverlapping`,
// so that it gets a *typed* copy, not an *untyped* one.
crate::intrinsics::read_via_copy(src)
Review comment (Contributor):
@JakobDegen it would be super nice if this entire PR was just

mir!({
    RET = *src;
    Return()
})

Are there any plans to allow defining intrinsics with custom MIR? Maybe it's difficult because both are in core?

Review comment by @scottmcm (Member, Author), Mar 12, 2023:
There's https://stdrs.dev/nightly/x86_64-unknown-linux-gnu/std/intrinsics/mir/macro.mir.html (err, which of course you know because you used it in the example 🤦), but I don't know if that's something we'd ever want to use for productized things, rather than just in tests.

}
}
}

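Review bot: the SAFETY comment (`Also, since we just wrote a valid value into `tmp`, it is guaranteed to be properly initialized.`) now only describes the `#[cfg(bootstrap)]` branch; in the `#[cfg(not(bootstrap))]` branch there is no `tmp`, and the justification is instead that `read_via_copy` performs a typed read of `*src`, which the `is_aligned_and_not_null(src)` precondition check plus the caller's validity guarantee make sound. Likewise the leading `We are calling the intrinsics directly to avoid function calls ... as `intrinsics::copy_nonoverlapping` is a wrapper function.` comment now applies only under bootstrap. Move both comments into the `#[cfg(bootstrap)]` block and give the new branch its own one-line SAFETY justification, so the non-bootstrap code (which is what ships) is documented on its own.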
41 changes: 36 additions & 5 deletions tests/codegen/mem-replace-direct-memcpy.rs
@@ -12,13 +12,44 @@ pub fn replace_byte(dst: &mut u8, src: u8) -> u8 {
std::mem::replace(dst, src)
}

#[repr(C, align(8))]
pub struct Big([u64; 7]);
pub fn replace_big(dst: &mut Big, src: Big) -> Big {
// Before the `read_via_copy` intrinsic, this emitted six `memcpy`s.
std::mem::replace(dst, src)
}

// NOTE(eddyb) the `CHECK-NOT`s ensure that the only calls of `@llvm.memcpy` in
// the entire output, are the two direct calls we want, from `ptr::replace`.
// the entire output, are the direct calls we want, from `ptr::replace`.

// CHECK-NOT: call void @llvm.memcpy
// CHECK: ; core::mem::replace
// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 1 %{{.*}}, {{i8\*|ptr}} align 1 %{{.*}}, i{{.*}} 1, i1 false)

// For a large type, we expect exactly three `memcpy`s
// CHECK-LABEL: define internal void @{{.+}}mem{{.+}}replace{{.+}}sret(%Big)
// CHECK-NOT: alloca
// CHECK: alloca %Big
// CHECK-NOT: alloca
// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 8 %{{.*}}, {{i8\*|ptr}} align 8 %{{.*}}, i{{.*}} 56, i1 false)
// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 8 %{{.*}}, {{i8\*|ptr}} align 8 %{{.*}}, i{{.*}} 56, i1 false)
// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 8 %{{.*}}, {{i8\*|ptr}} align 8 %{{.*}}, i{{.*}} 56, i1 false)
// CHECK-NOT: call void @llvm.memcpy

// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 1 %{{.*}}, {{i8\*|ptr}} align 1 %{{.*}}, i{{.*}} 1, i1 false)

// For a small type, we expect one each of `load`/`store`/`memcpy` instead
// CHECK-LABEL: define internal noundef i8 @{{.+}}mem{{.+}}replace
// CHECK-NOT: alloca
// CHECK: alloca i8
// CHECK-NOT: alloca
// CHECK-NOT: call void @llvm.memcpy
// CHECK: load i8
// CHECK-NOT: call void @llvm.memcpy
// CHECK: store i8
// CHECK-NOT: call void @llvm.memcpy
// CHECK: call void @llvm.memcpy.{{.+}}({{i8\*|ptr}} align 1 %{{.*}}, {{i8\*|ptr}} align 1 %{{.*}}, i{{.*}} 1, i1 false)
// CHECK-NOT: call void @llvm.memcpy

// CHECK-NOT: call void @llvm.memcpy
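Review bot: the `// For a large type, we expect exactly three `memcpy`s` comment and the three `CHECK: call void @llvm.memcpy ... align 8 ... i{{.*}} 56, i1 false` lines pin the count for `Big` (7 × 8 = 56 bytes at `align(8)`) but do not say which copies they are; naming them (which one is the `ptr::read` of `*dst`, which is the write of `src` into `*dst`, which returns the result) would make a future miscount diagnosable instead of just failing. The note on `replace_big` (`Before the `read_via_copy` intrinsic, this emitted six `memcpy`s.`) is the real regression guard, so repeat that expectation next to the CHECK block rather than only on the function.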
51 changes: 51 additions & 0 deletions tests/codegen/read-noundef-metadata.rs
@@ -0,0 +1,51 @@
// compile-flags: -O -Z merge-functions=disabled
// no-system-llvm
// ignore-debug (the extra assertions get in the way)

#![crate_type = "lib"]

// Ensure that various forms of reading pointers correctly annotate the `load`s
// with `!noundef` metadata to enable extra optimization. The functions return
// `MaybeUninit` to keep it from being inferred from the function type.

use std::mem::MaybeUninit;

// CHECK-LABEL: define i8 @copy_byte(
#[no_mangle]
pub unsafe fn copy_byte(p: *const u8) -> MaybeUninit<u8> {
// CHECK-NOT: load
// CHECK: load i8, ptr %p, align 1
// CHECK-SAME: !noundef !
// CHECK-NOT: load
MaybeUninit::new(*p)
}

// CHECK-LABEL: define i8 @read_byte(
#[no_mangle]
pub unsafe fn read_byte(p: *const u8) -> MaybeUninit<u8> {
// CHECK-NOT: load
// CHECK: load i8, ptr %p, align 1
// CHECK-SAME: !noundef !
// CHECK-NOT: load
MaybeUninit::new(p.read())
}

// CHECK-LABEL: define i8 @read_byte_maybe_uninit(
#[no_mangle]
pub unsafe fn read_byte_maybe_uninit(p: *const MaybeUninit<u8>) -> MaybeUninit<u8> {
// CHECK-NOT: load
// CHECK: load i8, ptr %p, align 1
// CHECK-NOT: noundef
// CHECK-NOT: load
p.read()
}

// CHECK-LABEL: define i8 @read_byte_assume_init(
#[no_mangle]
pub unsafe fn read_byte_assume_init(p: &MaybeUninit<u8>) -> MaybeUninit<u8> {
// CHECK-NOT: load
// CHECK: load i8, ptr %p, align 1
// CHECK-SAME: !noundef !
// CHECK-NOT: load
MaybeUninit::new(p.assume_init_read())
}
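Review bot: the header comment `The functions return `MaybeUninit` to keep it from being inferred from the function type` would be clearer if it said what would otherwise be inferred: with a plain `u8` return the ABI marks the returned value `noundef`, so `!noundef` on the `load` could be satisfied indirectly and the test would no longer be checking the load metadata this PR adds. `read_byte_maybe_uninit` is the negative case (`CHECK-NOT: noundef`) and deserves its own comment that a `MaybeUninit<u8>` pointee may legitimately be uninitialized, so emitting `!noundef` there would be a miscompile; that makes it the most important check in the file and it should not be mistaken for a copy-paste of the others.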
@@ -0,0 +1,27 @@
- // MIR for `read_via_copy_primitive` before LowerIntrinsics
+ // MIR for `read_via_copy_primitive` after LowerIntrinsics

fn read_via_copy_primitive(_1: &i32) -> i32 {
debug r => _1; // in scope 0 at $DIR/lower_intrinsics.rs:+0:32: +0:33
let mut _0: i32; // return place in scope 0 at $DIR/lower_intrinsics.rs:+0:44: +0:47
let mut _2: *const i32; // in scope 0 at $DIR/lower_intrinsics.rs:+1:46: +1:47
scope 1 {
}

bb0: {
StorageLive(_2); // scope 1 at $DIR/lower_intrinsics.rs:+1:46: +1:47
_2 = &raw const (*_1); // scope 1 at $DIR/lower_intrinsics.rs:+1:46: +1:47
- _0 = read_via_copy::<i32>(move _2) -> bb1; // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
- // mir::Constant
- // + span: $DIR/lower_intrinsics.rs:85:14: 85:45
- // + literal: Const { ty: unsafe extern "rust-intrinsic" fn(*const i32) -> i32 {read_via_copy::<i32>}, val: Value(<ZST>) }
+ _0 = (*_2); // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
+ goto -> bb1; // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
}

bb1: {
StorageDead(_2); // scope 1 at $DIR/lower_intrinsics.rs:+1:47: +1:48
return; // scope 0 at $DIR/lower_intrinsics.rs:+2:2: +2:2
}
}

@@ -0,0 +1,22 @@
- // MIR for `read_via_copy_uninhabited` before LowerIntrinsics
+ // MIR for `read_via_copy_uninhabited` after LowerIntrinsics

fn read_via_copy_uninhabited(_1: &Never) -> Never {
debug r => _1; // in scope 0 at $DIR/lower_intrinsics.rs:+0:34: +0:35
let mut _0: Never; // return place in scope 0 at $DIR/lower_intrinsics.rs:+0:48: +0:53
let mut _2: *const Never; // in scope 0 at $DIR/lower_intrinsics.rs:+1:46: +1:47
scope 1 {
}

bb0: {
StorageLive(_2); // scope 1 at $DIR/lower_intrinsics.rs:+1:46: +1:47
_2 = &raw const (*_1); // scope 1 at $DIR/lower_intrinsics.rs:+1:46: +1:47
- _0 = read_via_copy::<Never>(move _2); // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
- // mir::Constant
- // + span: $DIR/lower_intrinsics.rs:90:14: 90:45
- // + literal: Const { ty: unsafe extern "rust-intrinsic" fn(*const Never) -> Never {read_via_copy::<Never>}, val: Value(<ZST>) }
+ _0 = (*_2); // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
+ unreachable; // scope 1 at $DIR/lower_intrinsics.rs:+1:14: +1:48
}
}

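Review bot: in the lowered block `_0 = (*_2);` is followed directly by `unreachable;` and there is no `StorageDead(_2)`, because the original call `_0 = read_via_copy::<Never>(move _2);` had no return target, so no successor block exists to hold it. That is fine for an uninhabited `Never` (the read itself is UB if ever reached), but the `// Reading something uninhabited means this is unreachable.` comment in `lower_intrinsics.rs` should mention that the storage marker is intentionally dropped on this path, so that a later MIR validation change does not flag it as a bug.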
12 changes: 12 additions & 0 deletions tests/mir-opt/lower_intrinsics.rs
@@ -79,3 +79,15 @@ pub fn with_overflow(a: i32, b: i32) {
let _y = core::intrinsics::sub_with_overflow(a, b);
let _z = core::intrinsics::mul_with_overflow(a, b);
}

// EMIT_MIR lower_intrinsics.read_via_copy_primitive.LowerIntrinsics.diff
pub fn read_via_copy_primitive(r: &i32) -> i32 {
unsafe { core::intrinsics::read_via_copy(r) }
}

// EMIT_MIR lower_intrinsics.read_via_copy_uninhabited.LowerIntrinsics.diff
pub fn read_via_copy_uninhabited(r: &Never) -> Never {
unsafe { core::intrinsics::read_via_copy(r) }
}

pub enum Never {}
6 changes: 3 additions & 3 deletions tests/ui/const-ptr/out_of_bounds_read.stderr
@@ -1,7 +1,7 @@
error[E0080]: evaluation of constant value failed
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= note: memory access failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
= note: dereferencing pointer failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
|
note: inside `std::ptr::read::<u32>`
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
@@ -14,7 +14,7 @@ LL | const _READ: u32 = unsafe { ptr::read(PAST_END_PTR) };
error[E0080]: evaluation of constant value failed
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= note: memory access failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
= note: dereferencing pointer failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
|
note: inside `std::ptr::read::<u32>`
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
@@ -29,7 +29,7 @@ LL | const _CONST_READ: u32 = unsafe { PAST_END_PTR.read() };
error[E0080]: evaluation of constant value failed
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= note: memory access failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
= note: dereferencing pointer failed: alloc5 has size 4, so pointer to 4 bytes starting at offset 4 is out-of-bounds
|
note: inside `std::ptr::read::<u32>`
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
24 changes: 3 additions & 21 deletions tests/ui/consts/const-eval/ub-ref-ptr.stderr
@@ -148,11 +148,11 @@ LL | const DATA_FN_PTR: fn() = unsafe { mem::transmute(&13) };
HEX_DUMP
}

error: accessing memory with alignment 1, but alignment 4 is required
error[E0080]: evaluation of constant value failed
Review comment by @JakobDegen (Contributor), Mar 12, 2023:
This does make a future-incompat warning into a hard error. Based on the comment here though, this seems to be pre-approved by T-lang. In any case, cc @RalfJung and @oli-obk for awareness

Review comment (Member):
Yeah, these future incompat warnings were because we wanted to make moving away from dubious const-eval patterns smoother as part of the Const UB Armistice of #99923, so that const UB doesn't immediately turn into const-break-the-build due to compiler changes. If people feel it's been enough time we can switch this off.

Review comment by @JakobDegen (Contributor), Mar 12, 2023:
This particular PR just affects ptr::read() which should definitely be fine imo. I'll leave the bikeshedding about what to do with the other cases to everyone else :)

Review comment (Contributor):
IIRC, general temperature was that for these UB-in-const cases, a single warning stable cycle is probably sufficient, two is definitely sufficient, and that we're within rights to do no warning releases if we wanted to (i.e. warning at all is a good faith best effort to give some time to migrate).

Review comment (Member, Author):
Amusingly, the "see issue" is pointing at #68585, which is

Tracking issue for conflicting repr(...) hints future compatibility

Review comment by @workingjubilee (Member), Mar 12, 2023:
Purely if it was up to me: go for it.

It seems like this will be a hugely beneficial change, crates impacted were still technically "doing it wrong", we're landing this no sooner than 1.70 (so they've had 1.68 and will have 1.69 to fix it), and "const-stable since 1.63" actually means that we should cut it off sooner rather than later due to the "Lindy effect" that bad code patterns have (i.e. the longer a pattern exists, the longer it is expected to continue existing). "More time to migrate" is something we should be considering for const fn stabilizations with version numbers like 1.49.

Review comment (Member):
Yeah this is fine, we can by now probably make that entire lint into a hard error.

What I don't understand immediately is why this PR changes behavior here though...

Review comment by @erikdesjardins (Contributor), Mar 12, 2023:
It changes behavior because unaligned copy_nonoverlapping is (temporarily) allowed, but unaligned derefs are not: https://godbolt.org/z/M6f5MrjKo

error: accessing memory with alignment 1, but alignment 4 is required
 --> /rustc/8a73f50d875840b8077b8ec080fa41881d7ce40d/library/core/src/intrinsics.rs:2393:9
  |
  = warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!
  = note: for more information, see issue #68585 <https://github.com/rust-lang/rust/issues/104616>
note: inside `copy_nonoverlapping::<u32>`
 --> /rustc/8a73f50d875840b8077b8ec080fa41881d7ce40d/library/core/src/intrinsics.rs:2393:9
note: inside `COPY_NONOVERLAPPING`
 --> <source>:8:5
  |
8 |     ptr::copy_nonoverlapping(unaligned, ptr::addr_of_mut!(dest), 1);
  |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  = note: `#[deny(invalid_alignment)]` on by default

error[E0080]: evaluation of constant value failed
  --> <source>:14:5
   |
14 |     *unaligned
   |     ^^^^^^^^^^ accessing memory with alignment 1, but alignment 4 is required

(and this PR changes ptr::read from using copy_nonoverlapping to a deref)

Review comment (Member):

> It changes behavior because unaligned copy_nonoverlapping is (temporarily) allowed, but unaligned derefs are not

That's the thing, unaligned derefs should also be temporarily allowed...

Review comment (Member):
I am... confused. On playground both * and copy_nonoverlapping error: [play]. Moreover the lint from copy_nonoverlapping is not actually a lint, you can't allow it: [play]. Lastly, the compiler says there are 3 errors, but only shows 2??...

--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!
= note: for more information, see issue #68585 <https://github.com/rust-lang/rust/issues/104616>
= note: accessing memory with alignment 1, but alignment 4 is required
|
note: inside `std::ptr::read::<u32>`
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
note: inside `ptr::const_ptr::<impl *const u32>::read`
@@ -162,25 +162,7 @@ note: inside `UNALIGNED_READ`
|
LL | ptr.read();
| ^^^^^^^^^^
= note: `#[deny(invalid_alignment)]` on by default

error: aborting due to 15 previous errors

For more information about this error, try `rustc --explain E0080`.
Future incompatibility report: Future breakage diagnostic:
error: accessing memory with alignment 1, but alignment 4 is required
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= warning: this was previously accepted by the compiler but is being phased out; it will become a hard error in a future release!
= note: for more information, see issue #68585 <https://github.com/rust-lang/rust/issues/104616>
note: inside `std::ptr::read::<u32>`
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
note: inside `ptr::const_ptr::<impl *const u32>::read`
--> $SRC_DIR/core/src/ptr/const_ptr.rs:LL:COL
note: inside `UNALIGNED_READ`
--> $DIR/ub-ref-ptr.rs:67:5
|
LL | ptr.read();
| ^^^^^^^^^^
= note: `#[deny(invalid_alignment)]` on by default

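Review bot: this hunk turns `UNALIGNED_READ` from the `invalid_alignment` future-incompat lint (the removed `Future incompatibility report` block and the `#[deny(invalid_alignment)]` note) into a hard `error[E0080]: evaluation of constant value failed`, and the thread above confirms the cause: const-eval temporarily tolerated an unaligned `copy_nonoverlapping` but never an unaligned deref, and `ptr::read` now lowers to a deref. Because that is a user-visible change for stable `ptr::read` in consts, call it out explicitly in the PR description (with the T-lang pre-approval the reviewers mention), and if `ub-ref-ptr.rs` carries a comment on `UNALIGNED_READ` describing it as a lint case, update that comment in the same PR so the test and its expected output tell the same story.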
2 changes: 1 addition & 1 deletion tests/ui/consts/issue-miri-1910.stderr
@@ -1,7 +1,7 @@
error[E0080]: evaluation of constant value failed
--> $SRC_DIR/core/src/ptr/mod.rs:LL:COL
|
= note: unable to copy parts of a pointer from memory at ALLOC
= note: unable to turn pointer into raw bytes
|
= help: this code performed an operation that depends on the underlying bytes representing a pointer
= help: the absolute address of a pointer is not known at compile-time, so such operations are not supported