Enable eager checks for memory sanitizer

[5225225]

Fixes #99179

[rust-highfive]

r? @cuviper

(rust-highfive has picked a reviewer for you, use r? to override)

[5225225]

Question: @nikic , were the eager checks added in LLVM 15? (So I'd add an #if LLVM_VERSION_GE(14, 0) and only pass the eager check if then?). Or was it an earlier version? I can't seem to find historical llvm docs, and https://llvm.org/doxygen/structllvm_1_1MemorySanitizerOptions.html doesn't mention the added version, so I don't know where I'd go to find out.

[nikic]

The option was added in LLVM 14.

[5225225]

Strange, I was expecting that run to fail because LLVM version too old, and I'd need to put a min-llvm-version on memory-eager.rs

[5225225]

Okay, I think gnu-llvm-12 doesn't have sanitizer support, so the tests were skipped. I compiled a llvm 12 locally and tested that the code worked using it. (Not having the eager checks, but it worked)

[tmiasko]

From the perspective of the Rust alone enabling eager checks by default sounds fine to me.

Though I wonder about mixed C/C++ builds. Clang disables eager checks by default, it also has a different understanding which arguments have undef attribute. Both cases could lead to false negatives. The side with eager checks might falsely consider the caller to be responsible for checking the undef argument and assumes the argument to be initialized.

For that reason I would lean towards exposing this functionality behind a flag and matching the clang default. What do you think?

[5225225]

A LLVM person would need to answer if that's a problem.

But I do know that you get false positives if you don't have all code built with memory sanitizer, so "being careful about your dependency build flags" is already a thing.

I'm wary of making it opt-in since most code doesn't need it to be opt in.

We could add a mandatory parameter for eager checks and show a warning if the user doesn't pick one, perhaps. That'll communicate this change pretty clearly, but is rather loud.

Not sure.

[tmiasko]

A LLVM person would need to answer if that's a problem.

It is a problem. It is impossible to detect uninitialized arguments of integer types, floating point types, and data pointers in calls from Rust to C when eager checks enabled in both clang and rustc. Currently the Rust side doesn't have noundef attribute for those types, so argument is not checked. The C side does have the attribute and assumes it was already checked.

There is an analogous issue when the eager checks are enabled only in rustc.

The implementation that preserves the existing default sound fine to me, if you would like to land it. With regards to the change of the default, I would wait for further support of the idea.

[cuviper]

The code looks fine, but I don't have enough background in msan to judge if we should, so I'm re-rolling...

r? rust-lang/compiler

[jackh726]

I have less background to know if we should or not.

Let's cc @rust-lang/compiler

[bors]

☔ The latest upstream changes (presumably #100511) made this pull request unmergeable. Please resolve the merge conflicts.

[jackh726]

I don't really have any background here to judge if this is a good change or not. I imagine this might need a compiler MCP, but not sure. Going to go ahead and nominate to get discussed in the compiler meeting, since that seems like to easiest way to get feedback here.

[jackh726]

Talked about this in compiler meeting. Seems like we're good to just enable this.

@bors r+

[bors]

📌 Commit 16525cc has been approved by jackh726

It is now in the queue for this repository.