(Selectively) turn on validation in const eval

[saethlin]

Normally we tell people that CTFE may detect UB, but it doesn't have to. RFC 3016 documents this explicitly: https://rust-lang.github.io/rfcs/3016-const-ub.html. But until I dug into #95332 I didn't realize how limited the UB checks in CTFE actually are: Invalid bit patterns are not checked for until we create an actual const. Thus, this code (from the linked issue) is not detected as UB:

use std::num::NonZeroU8;
pub const UNDEFINED: Option<NonZeroU8> = Some(unsafe { NonZeroU8::new_unchecked(0) });

and that is because in the Machine that rustc uses for CTFE, we have this:

    #[inline(always)]
    fn enforce_validity(_ecx: &InterpCx<'mir, 'tcx, Self>) -> bool {
        false // for now, we don't enforce validity
    }

The general idea of this PR is to add some state to Machine which indicates whether or not we may be executing unsafe code, and if we are, return true.

Since there is no unsafe in MIR, we're left analyzing HIR which is only available for the current crate. So currently this makes the defensive assumption that any MIR loaded from a non-local crate contains unsafe. This assumption could be inverted, I'm preferring the closer-to-sound option here but of course we have no obligation to detect UB here.

In this PR, the Machine used for CTFE detects unsafe in one of two ways. If there is a call to load_mir, we walk all the MIR looking for any unsafe blocks. But if the Machine sees a call to enforce_validity without a previous call to load_mir, it runs the same search but only on the current stack frame. This second case is very common when we are evaluating a trivial const. Each Machine instance will only search for unsafe blocks once.

r? @oli-obk

[rust-highfive]

Some changes occured to the CTFE / Miri engine

cc @rust-lang/miri

[RalfJung]

@bors try @rust-timer queue
(FWIW, to my knowledge benchmarking like this will work even when the test suite still fails, so you don't have to get it all green just to collect some data.)

[rust-timer]

Awaiting bors try build completion.

@rustbot label: +S-waiting-on-perf

[bors]

⌛ Trying commit 8ff27dec01384ec6769b77591e6cc8a01f9dd2dd with merge a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55...

[bors]

☀️ Try build successful - checks-actions
Build commit: a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55 (a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55)

[rust-timer]

Queued a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55 with parent d7aca22, future comparison URL.

[rust-timer]

Finished benchmarking commit (a5f01f22c3b8dccfe9fbeb6ae38c833309d3bf55): comparison url.

Summary: This benchmark run shows 82 relevant regressions 😿 to instruction counts.

• Arithmetic mean of relevant regressions: 6.7%
• Arithmetic mean of all relevant changes: 6.6%
• Largest regression in instruction counts: 50.6% on full builds of ctfe-stress-4 check

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR led to changes in compiler perf.

Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @rustbot label: +perf-regression-triaged along with sufficient written justification. If you cannot justify the regressions please fix the regressions and do another perf run. If the next run shows neutral or positive results, the label will be automatically removed.

@bors rollup=never
@rustbot label: +S-waiting-on-review -S-waiting-on-perf +perf-regression

[oli-obk]

Just 50% isn't too bad 😆 I expected worse.

[saethlin]

Hah! I should have known to just grab the ctfe stress test and run it locally. I'll try out some ideas over the coming days, to see if I can knock that down to a reasonable number.

[saethlin]

🙈 don't look too closely at the code I'm just trying to see if this is in the domain of reasonable

[compiler-errors]

@bors try @rust-timer queue

[rust-timer]

Awaiting bors try build completion.

@rustbot label: +S-waiting-on-perf

[bors]

⌛ Trying commit 27035bee70f89bfd0c6b753c0741439e24b11a95 with merge c0b2255faeb7c7432570244574d65ba1f5419512...

[bors]

☀️ Try build successful - checks-actions
Build commit: c0b2255faeb7c7432570244574d65ba1f5419512 (c0b2255faeb7c7432570244574d65ba1f5419512)

[rust-timer]

Queued c0b2255faeb7c7432570244574d65ba1f5419512 with parent ee915c3, future comparison URL.

[rust-timer]

Finished benchmarking commit (c0b2255faeb7c7432570244574d65ba1f5419512): comparison url.

Summary: This benchmark run shows 61 relevant regressions 😿 to instruction counts.

• Arithmetic mean of relevant regressions: 5.1%
• Arithmetic mean of all relevant changes: 5.0%
• Largest regression in instruction counts: 23.9% on full builds of coercions check

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR led to changes in compiler perf.

Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @rustbot label: +perf-regression-triaged along with sufficient written justification. If you cannot justify the regressions please fix the regressions and do another perf run. If the next run shows neutral or positive results, the label will be automatically removed.

@bors rollup=never
@rustbot label: +S-waiting-on-review -S-waiting-on-perf +perf-regression

[oli-obk]

@bors try @rust-timer queue

[rust-timer]

Awaiting bors try build completion.

@rustbot label: +S-waiting-on-perf

[oli-obk]

Hmm... we could totally make validation errors print the memory dump, too. Not possible for things represented as immediate, but everything else at least

[saethlin]

@oli-obk Can you offer any guidance on how to add code to print the memory dump? Or is that something you are planning to land in a different PR before this one?

[oli-obk]

We have the display_allocation function for rendering these.

Basically we'd need to teach the validator to make throw_validation_failure also pass an Operand in addition to the self.path argument that is being used to print the field names of where things went wrong. We can then forward the operand via the ValidationFailure error type and use it in the diagnostic printing of ValidationFailure to produce a more detailed message (as a first step, maybe just print the memory of Indirect operands and Immediate(Scalar(Pointer)) operands.

This is a bit more involved and I'm fine regression those diagnostics for now and instead opening an issue about the above

[bors]

☔ The latest upstream changes (presumably #95826) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #97211) made this pull request unmergeable. Please resolve the merge conflicts.

[saethlin]

@rustbot ready

[oli-obk]

I'm conflicted on this. On the one hand it catches a bit more UB, on the other, this is a perf regression even without unsafe code, and makes the code more complex. With unsafe code the regression is massive (+50%).

Maybe we should really look into the lint direction: adding a lint and making the Machine::enable_validation solely depend on whether the MIR body has the lint enabled (and thus not permitting fine-grained lint allowing)

[saethlin]

Do you mean something like #[forbid(const_ub)] ? Would users be able to use that as an inner attribute in the crate root?

[oli-obk]

Yea, the only weird thing would be that we have no concept for warn(const_ub) and that you can't use it within functions on expressions, only on functions.

[clarfonthey]

So, I have an alternative idea I decided to turn into a PR: #97467

My change is comically simpler, which is why I don't have a lot of faith it's a good idea. But since proper UB detection is incredibly costly from the looks of it, might be worth exploring.

[saethlin]

@rustbot label +S-waiting-on-author -S-waiting-on-review

[bors]

☔ The latest upstream changes (presumably #97684) made this pull request unmergeable. Please resolve the merge conflicts.

[JohnCSimon]

Ping from triage:
@saethlin - what is the status of this PR? can you address the merge conflicts?

[saethlin]

@JohnCSimon I think I will soon be rewriting this into a different PR. Does marking this as a draft at least get it out of triage for now? (this was not blocked on merge conflicts, it is blocked on me deciding what approach to take)

[JohnCSimon]

@saethlin Closing is preferable, but I try to triage anything that is over 15 days old