-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
(Selectively) turn on validation in const eval #95377
Conversation
Some changes occured to the CTFE / Miri engine cc @rust-lang/miri |
@bors try @rust-timer queue |
Awaiting bors try build completion. @rustbot label: +S-waiting-on-perf |
⌛ Trying commit 8ff27dec01384ec6769b77591e6cc8a01f9dd2dd with merge a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55... |
This comment has been minimized.
This comment has been minimized.
☀️ Try build successful - checks-actions |
Queued a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55 with parent d7aca22, future comparison URL. |
Finished benchmarking commit (a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55): comparison url. Summary: This benchmark run shows 82 relevant regressions 😿 to instruction counts.
If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf. Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR led to changes in compiler perf. Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @bors rollup=never |
Just 50% isn't too bad 😆 I expected worse. |
Hah! I should have known to just grab the ctfe stress test and run it locally. I'll try out some ideas over the coming days, to see if I can knock that down to a reasonable number. |
🙈 don't look too closely at the code I'm just trying to see if this is in the domain of reasonable |
@bors try @rust-timer queue |
Awaiting bors try build completion. @rustbot label: +S-waiting-on-perf |
⌛ Trying commit 27035bee70f89bfd0c6b753c0741439e24b11a95 with merge c0b2255faeb7c7432570244574d65ba1f5419512... |
☀️ Try build successful - checks-actions |
Queued c0b2255faeb7c7432570244574d65ba1f5419512 with parent ee915c3, future comparison URL. |
Finished benchmarking commit (c0b2255faeb7c7432570244574d65ba1f5419512): comparison url. Summary: This benchmark run shows 61 relevant regressions 😿 to instruction counts.
If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf. Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR led to changes in compiler perf. Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @bors rollup=never |
@bors try @rust-timer queue |
Awaiting bors try build completion. @rustbot label: +S-waiting-on-perf |
Hmm... we could totally make validation errors print the memory dump, too. Not possible for things represented as immediate, but everything else at least |
@oli-obk Can you offer any guidance on how to add code to print the memory dump? Or is that something you are planning to land in a different PR before this one? |
We have the Basically we'd need to teach the validator to make This is a bit more involved and I'm fine regression those diagnostics for now and instead opening an issue about the above |
☔ The latest upstream changes (presumably #95826) made this pull request unmergeable. Please resolve the merge conflicts. |
29433d7
to
be9b70c
Compare
☔ The latest upstream changes (presumably #97211) made this pull request unmergeable. Please resolve the merge conflicts. |
Instead of only validating values which actually get stored to a const, this PR attempts to turn on full validation in the presence of unsafe code, as detected by walking HIR when available.
@rustbot ready |
I'm conflicted on this. On the one hand it catches a bit more UB, on the other, this is a perf regression even without unsafe code, and makes the code more complex. With unsafe code the regression is massive (+50%). Maybe we should really look into the lint direction: adding a lint and making the |
Do you mean something like |
Yea, the only weird thing would be that we have no concept for |
So, I have an alternative idea I decided to turn into a PR: #97467 My change is comically simpler, which is why I don't have a lot of faith it's a good idea. But since proper UB detection is incredibly costly from the looks of it, might be worth exploring. |
@rustbot label +S-waiting-on-author -S-waiting-on-review |
☔ The latest upstream changes (presumably #97684) made this pull request unmergeable. Please resolve the merge conflicts. |
Ping from triage: |
@JohnCSimon I think I will soon be rewriting this into a different PR. Does marking this as a draft at least get it out of triage for now? (this was not blocked on merge conflicts, it is blocked on me deciding what approach to take) |
@saethlin Closing is preferable, but I try to triage anything that is over 15 days old |
Normally we tell people that CTFE may detect UB, but it doesn't have to. RFC 3016 documents this explicitly: https://rust-lang.github.io/rfcs/3016-const-ub.html. But until I dug into #95332 I didn't realize how limited the UB checks in CTFE actually are: Invalid bit patterns are not checked for until we create an actual
const
. Thus, this code (from the linked issue) is not detected as UB:and that is because in the
Machine
that rustc uses for CTFE, we have this:The general idea of this PR is to add some state to
Machine
which indicates whether or not we may be executingunsafe
code, and if we are, returntrue
.Since there is no
unsafe
in MIR, we're left analyzing HIR which is only available for the current crate. So currently this makes the defensive assumption that any MIR loaded from a non-local crate containsunsafe
. This assumption could be inverted, I'm preferring the closer-to-sound option here but of course we have no obligation to detect UB here.In this PR, the
Machine
used for CTFE detectsunsafe
in one of two ways. If there is a call toload_mir
, we walk all the MIR looking for any unsafe blocks. But if theMachine
sees a call toenforce_validity
without a previous call toload_mir
, it runs the same search but only on the current stack frame. This second case is very common when we are evaluating a trivialconst
. EachMachine
instance will only search for unsafe blocks once.r? @oli-obk