Data race spans

[saethlin]

Fixes #2205

This adds output to data race errors very similar to the spans we emit for Stacked Borrows errors. For example, from our test suite:

help: The Atomic Load on thread `<unnamed>` is here
  --> tests/fail/data_race/atomic_read_na_write_race1.rs:23:13
   |
23 | ...   (&*c.0).load(Ordering::SeqCst) //~ ERROR: Data race detected between Atomic Load on thread `<unnamed>` and Write o...
   |       ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
help: The Write on thread `<unnamed>` is here
  --> tests/fail/data_race/atomic_read_na_write_race1.rs:19:13
   |
19 |             *(c.0 as *mut usize) = 32;
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^```

Because of #2647 this comes without a perf regression, according to our benchmarks.

[RalfJung]

I assume this is intended to fix #2205 ?

(Since it is marked as a draft, I'll not put it in my queue for now.)

[bors]

☔ The latest upstream changes (presumably #2663) made this pull request unmergeable. Please resolve the merge conflicts.

[RalfJung]

@rustbot author

[saethlin]

@rustbot ready

[oli-obk]

Side-note: we could probably use https://doc.rust-lang.org/nightly/nightly-rustc/rustc_index/vec/struct.IndexVec.html for VClock and https://doc.rust-lang.org/nightly/nightly-rustc/rustc_index/macro.newtype_index.html for VectorIdx

[saethlin]

Hm, IndexVec just wraps a Vec and currently this uses SmallVec, and this PR is already messing with the inline capacity. There are ambient concerns about the data race detector overhead: #2716 #1689 which in my experience are not backed up by profiling, but I still think the prudent thing to do is adjust one thing at a time here. Happy to look into this in a separate PR.

[oli-obk]

Makes sense

[oli-obk]

Everything starting at consists should be on the fields. Internal docs use the flag to generate docs for private items

[RalfJung]

This comment seems to be still open.

[oli-obk]

r=me after a doc nit

[RalfJung]

Would it make sense to move the current_span calls behind the fn call? That seems nicer than putting the burden on all callers. Basically instead of passing current_thread and current_span it could pass &Machine?

EDIT: Ah, that doesn't work since it overlaps with data_race. Hm... I guess we can go ahead with separate arguments for now, but if you have a nice idea for how to avoid having to pass so many arguments, that would be great.

[RalfJung]

Nit: is "is" the right verb? One of them happened in the past. Do we know which one? Can we make the message "Earlier, the X on thread Y happened here" and "Now, the X' on thread Y' happened here"? In fact isn't the latter span redundant with the main error span?

[saethlin]

Hah I was also not sure what words to use here. This is a data race, so strictly does it make any sense to say that one of these operations happens before the other? They happen in a particular order in the interpreter, but should diagnostics be commenting on the interpreter or the program semantics (or lack thereof)?

I chose present tense because I imagine this diagnostic as a response to the current user experience, where someone would rightfully ask "But Miri, where is the read/write/allocate/deallocate?" so now Miri says "The read/write/allocate/deallocate is here"

(As I describe this I realize it is not consistent with how I worded the Stacked Borrows diagnostics. Ah well.)

[RalfJung]

With vector clocks, there could actually be considerate amounts of "real time" between the two operations, even in an observable way. But you also have a point.

What about the fact that one of these two spans is always redundant since it is the same as where the error points? I think it'd be better to just say "the other access was over there" or so?

[saethlin]

Yeah, I've tried to reduce the duplication here, but I feel backed into a corner again by the limited diagnostics API. Doesn't change the fact that this is still much better than before.

[RalfJung]

This seems potentially confusing, since after the help we have a backtrace that attaches to the "main span", not the "other access span". I think that's why I think it is good to say something about the "earlier conflicting access". Also if both accesses are of the same kind, saying "the Write" is not very informative.

So what about

error: Undefined Behavior: Data race detected between (1) Atomic Store on thread `<unnamed>` and (2) Read on thread `<unnamed>` at ALLOC. Access (2) just happened here
  --> $DIR/atomic_write_na_read_race1.rs:LL:CC
   |
LL |             *atomic_ref.get_mut()
   |             ^^^^^^^^^^^^^^^^^^^^^
   |
help: and access (1) occurred earlier here
  --> $DIR/atomic_write_na_read_race1.rs:LL:CC
   |
LL |             atomic_ref.store(32, Ordering::SeqCst)
   |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: BACKTRACE:
   = note: inside closure at $DIR/atomic_write_na_read_race1.rs:LL:CC

Yeah it is annoying that the same text is repeated for the error title and label -- that would be #2200, which will be very annoying work since all the ui tests will need adjustment.

[saethlin]

I agree there is potential for confusion with the backtrace. I often find the Stacked Borrows errors a bit visually confusing, and have often wanted some other way to format all this information. I'll try to keep an eye on how this plays out.

I like this numbering strategy overall, I'm just not sure about calling these an "access". That word has a particular meaning in Stacked Borrows, and feel like calling an allocation or deallocation an access might be confusing to newcomers (even though it is technically correct to use the word). I think we can just drop the word without loss of clarity?

---

Also it occurs to me that we're now comparing a "local" span with the topmost frame, so things could look a bit odd if the race occurs through a standard library function that isn't #[track_caller]. I can't find any examples of this, so it may be that the way people write data races, this just isn't a concern. Just mentioning this so you're aware of it, I think we shouldn't cook up a solution until we have a real example.

[RalfJung]

Also it occurs to me that we're now comparing a "local" span with the topmost frame, so things could look a bit odd if the race occurs through a standard library function that isn't #[track_caller].

The main backtrace will also skip track_caller frames by default so I think one needs to pass -Zmiri-backtrace=full to get anything weird?

I pushed an attempt to clarify the backtrace situation a bit. What do you think?

[saethlin]

I think the clarification is good. It's a marginal improvement, but an improvement.

Here is an example of a program that produces the flavor of weird output I'm referring to:

use std::sync::atomic::AtomicPtr;
fn main() {
    let mut v: Vec<i32> = Vec::with_capacity(2);
    let ptr = AtomicPtr::new(v.as_mut_ptr());
    let handle = std::thread::spawn(move || {
        let mut v = unsafe { Vec::from_raw_parts(ptr.into_inner(), 0, 2) };
        v.push(0);
    });
    v.push(0);
    let _ = handle.join();
}

error: Undefined Behavior: Data race detected between (1) Write on thread `main` and (2) Write on thread `<unnamed>` at alloc1617. (2) just happened here
    --> /home/ben/.rustup/toolchains/miri/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:1839:13
     |
1839 |             ptr::write(end, value);
     |             ^^^^^^^^^^^^^^^^^^^^^^ Data race detected between (1) Write on thread `main` and (2) Write on thread `<unnamed>` at alloc1617. (2) just happened here
     |
help: and (1) occurred earlier here
    --> demo.rs:9:5
     |
9    |     v.push(2);
     |     ^^^^^^^^^
     = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
     = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
     = note: BACKTRACE (of the first span):
     = note: inside `std::vec::Vec::<i32>::push` at /home/ben/.rustup/toolchains/miri/lib/rustlib/src/rust/library/alloc/src/vec/mod.rs:1839:13: 1839:35
note: inside closure
    --> demo.rs:7:9
     |
7    |         v.push(1);
     |         ^^^^^^^^^

The wording of our diagnostic pretty clearly asks the user to compare the topmost span of the backtrace and the first help span, but the topmost span can be dislocated from the user code by a fair bit if it is buried inside a standard library data structure or algorithm. For example, if a data race is triggered by the PartialOrd impl used in the depths of slice::sort. (as I write this I'm realizing I could have cooked up a more extreme example, ah well...)

[RalfJung]

Oh I see. Yeah... I think this PR here is still an improvement, feel free to file an issue to track this problem and possible ideas for how to fix it.

[RalfJung]

@saethlin could you do benchmarks with -Zmiri-disable-stacked-borrows -Zmiri-disable-validation so that we can an idea for how expensive this is?

[saethlin]

Before:

Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/backtraces/Cargo.toml
  Time (mean ± σ):      2.262 s ±  0.005 s    [User: 2.204 s, System: 0.054 s]
  Range (min … max):    2.256 s …  2.270 s    5 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/mse/Cargo.toml
  Time (mean ± σ):     389.0 ms ±   4.6 ms    [User: 351.8 ms, System: 36.8 ms]
  Range (min … max):   383.3 ms … 394.1 ms    7 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/serde1/Cargo.toml
  Time (mean ± σ):     930.7 ms ±   6.6 ms    [User: 882.4 ms, System: 47.3 ms]
  Range (min … max):   924.3 ms … 940.7 ms    5 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/serde2/Cargo.toml
  Time (mean ± σ):      1.844 s ±  0.033 s    [User: 1.795 s, System: 0.047 s]
  Range (min … max):    1.812 s …  1.885 s    5 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/slice-get-unchecked/Cargo.toml
  Time (mean ± σ):     322.3 ms ±   4.2 ms    [User: 282.1 ms, System: 40.0 ms]
  Range (min … max):   313.0 ms … 326.0 ms    9 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/unicode/Cargo.toml
  Time (mean ± σ):     717.5 ms ±   2.1 ms    [User: 681.5 ms, System: 35.4 ms]
  Range (min … max):   714.5 ms … 720.2 ms    5 runs

After:

Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/backtraces/Cargo.toml
  Time (mean ± σ):      2.275 s ±  0.038 s    [User: 2.201 s, System: 0.057 s]
  Range (min … max):    2.245 s …  2.341 s    5 runs
  
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/mse/Cargo.toml
  Time (mean ± σ):     393.9 ms ±   1.2 ms    [User: 360.0 ms, System: 33.6 ms]
  Range (min … max):   392.4 ms … 396.1 ms    7 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/serde1/Cargo.toml
  Time (mean ± σ):     933.1 ms ±   3.2 ms    [User: 888.6 ms, System: 43.6 ms]
  Range (min … max):   927.8 ms … 935.5 ms    5 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/serde2/Cargo.toml
  Time (mean ± σ):      1.909 s ±  0.006 s    [User: 1.851 s, System: 0.056 s]
  Range (min … max):    1.899 s …  1.916 s    5 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/slice-get-unchecked/Cargo.toml
  Time (mean ± σ):     325.8 ms ±   2.0 ms    [User: 287.1 ms, System: 38.5 ms]
  Range (min … max):   323.5 ms … 329.6 ms    9 runs
 
Benchmark 1: cargo +miri miri run --manifest-path /home/ben/miri/bench-cargo-miri/unicode/Cargo.toml
  Time (mean ± σ):     715.4 ms ±   3.4 ms    [User: 672.1 ms, System: 42.6 ms]
  Range (min … max):   711.0 ms … 720.2 ms    5 runs

This is about the size of the effect I expected.

[RalfJung]

So (2) happened before (1) in execution order. That seems confusing? I had deliberately swapped them in my proposal.

[saethlin]

🤦 I was so sure I was following your proposal

[RalfJung]

@bors r+

[bors]

📌 Commit 60a100a has been approved by RalfJung

It is now in the queue for this repository.

[bors]

⌛ Testing commit 60a100a with merge 4ec960f...

[bors]

☀️ Test successful - checks-actions
Approved by: RalfJung
Pushing 4ec960f to master...