Make uninit checks stricter but avoid issues for old hyper #99389
Conversation
rustbot
added
the
T-compiler
|
r? @oli-obk (rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
@bors try |
|
⌛ Trying commit 168fa786e9c38469881a8490b7752e75de90f1b1 with merge af445596a53bb2f55a69322f552f9f231e2522ad... |
|
Also, this is strictly speaking only not LLVM ub for mem::uninit if/once #99182 gets merged, but no need to block this on that getting in, it's currently LLVM ub for hyper to do what its doing. Also gonna cc @RalfJung if you want to have a look at this. I did mostly follow what you described, but also figured the const eval checks for mem::zeroed would be fine since not many people misuse that, I don't expect us to be breaking a lot more code since the only thing that breaks is someone doing Plus it exercises the const eval check code path by default, so no surprises if/when we go to turn it on everywhere. Which is probably a long way off considering how much code makes uninit ints, but I'm optimistic we can do it Eventually. |
|
💔 Test failed - checks-actions |
bors
added
S-waiting-on-author
| /// | ||
| /// This code is intentionally conservative, and will not detect | ||
| /// * making uninitialized types who have a full valid range (ints, floats, raw pointers) | ||
| /// * uninit invalid &[T] where T has align 1 (only inside arrays) |
There was a problem hiding this comment.
error: unresolved link to `T`
--> compiler/rustc_middle/src/ty/layout.rs:3491:24
|
3491|/// * uninit invalid &[T] where T has align 1 (only inside arrays)
| ^no item named `T` in scope
|
= note: `-D rustdoc::broken-intra-doc-links` implied by `-D warnings`
= help: to escape `[` and `]` characters, add '\' before them like `\[` or `\]`
I guess you need to put these into backticks ^^
There was a problem hiding this comment.
Right. Yeah, that's the second time I messed up a docs thing, I really gotta get into the habit of checking x.py doc :)
Will fix now, sorry about that :)
(How expensive would it be for PR CI to run docs? I don't know if I'm just the only one hitting this or if it would be worth adding it to PR CI.)
There was a problem hiding this comment.
workspace: /home/jess/src/rust/Cargo.toml
Compiling serde v1.0.125
Compiling rand v0.8.5
Compiling tempfile v3.2.0
Compiling serde_json v1.0.59
Compiling lint-docs v0.1.0 (/home/jess/src/rust/src/tools/lint-docs)
Finished release [optimized] target(s) in 6.08s
warning: the code example in lint `unfulfilled_lint_expectations` in /home/jess/src/rust/compiler/rustc_lint_defs/src/builtin.rs failed to generate the expected output: did not find lint `unfulfilled_lint_expectations` in output of example, got:
error[E0554]: `#![feature]` may not be used on the beta release channel
--> lint_example.rs:1:1
|
1 | #![feature(lint_reasons)]
| ^^^^^^^^^^^^^^^^^^^^^^^^^
error: aborting due to previous error
For more information about this error, try `rustc --explain E0554`.
warning: the code example in lint `unused_allocation` in /home/jess/src/rust/compiler/rustc_lint/src/unused.rs failed to generate the expected output: did not find lint `unused_allocation` in output of example, got:
error[E0554]: `#![feature]` may not be used on the beta release channel
--> lint_example.rs:1:1
|
1 | #![feature(box_syntax)]
| ^^^^^^^^^^^^^^^^^^^^^^^
error: aborting due to previous error
For more information about this error, try `rustc --explain E0554`.
Rustbook (x86_64-unknown-linux-gnu) - rustc
Rustbook (x86_64-unknown-linux-gnu) - cargo
known issue? I saw that on master doc runs too. In any case, I couldn't see any failures that seemed to be caused by me, so.... It's probably fine now.
There was a problem hiding this comment.
How expensive would it be for PR CI to run docs?
Not too terribly long, but for it to be reliable we can't use stage 0 rustdoc, which means we have to add it to the LLVM-12 builder, which is already kinda slow :/
There was a problem hiding this comment.
Oh also do you mind opening an issue for that feature gate error? We should fix it, but we really should make sure it's tested somewhere and not just ignored.
There was a problem hiding this comment.
fwiw, lint reasons have recently stabilized so their error should be gone upon rebase. The box_syntax feature gate is being removed by #97774 but that PR is kinda stalled right now, mostly because the lint is warn by default but has a bunch of false positives and widening it to Box::new would lead to exposing it to a wide audience.
This comment has been minimized.
This comment has been minimized.
|
@bors try |
|
⌛ Trying commit 6ca481ecf3ca04e913712af16e07f0fc9ba91957 with merge e468a8b2c03d14f4cc595ff11f731cc44d6af743... |
Well, except for old crossbeam... |
|
☀️ Try build successful - checks-actions |
|
Is the goal of this PR that, assuming #99182 lands, we never have LLVM UB from |
RalfJung
changed the title
| "attempted to zero-initialize type `LR_NonZero`, which is invalid" | ||
| test_panic_msg( | ||
| || mem::uninitialized::<(&[u8], &str, &())>(), | ||
| "attempted to leave type `(&[u8], &str, &())` uninitialized, which is invalid" |
There was a problem hiding this comment.
This one we could accept, if we wanted, by accepting all references to sized align-1-ZST... doesn't seem very important though.
There was a problem hiding this comment.
Though allowing &[u8] and rejecting &() feels rather arbitrary so we should probably allow both then?
There was a problem hiding this comment.
Could do, but I figure since not many people are actually making a reference to a ZST, no harm in forbidding it now.
The changes here are rather arbitrary in their nature, we're only not panicking on the bits that we can't panic on just yet, while making the checks stricter where we can.
Making an uninit [bool; 1] will start to panic after this change, even if that's still not LLVM UB if we 0x01 fill, because there's not really a widely used crate that does that (inb4 some crate started doing that since the last crater run :p).
Hyper doesn't make uninit refs to sized ZSTs, so I don't think we need to allow them here, even if it is somewhat inconsistent to forbid them.
I'm fine with ignoring &() as well, I just don't feel it's needed.
|
Okay, I think this is ready for crater. |
|
Okay, went through all of them. I didn't create an issue for the ones that I couldn't reproduce / worked fine with a fresh lockfile, but I reported most of them upstream.
@rustbot ready |
rustbot
added
S-waiting-on-review
5225225
force-pushed
the
stricter-uninit-checks
branch
from
c2a8e68
to
a6ab54b
Compare
|
#98862 (comment) gave a go-ahead to introduce a FCW. Might be smart to do that before this, so people have some warning period. (Though that would be for all uses of mem::uninitialized, and not just the ones we're panicking on here) |
rustbot
added
S-blocked
|
#101061 is an alternative to this PR that relaxes the panics in light of |
|
Actually, this makes me wonder -- is there even LLVM UB from Maybe stopping at arrays is actually fine if all we are aiming for is avoid LLVM UB -- and the only thing we still should strengthen are the checks for |
|
☔ The latest upstream changes (presumably #102622) made this pull request unmergeable. Please resolve the merge conflicts. |
|
Closing this seeing that #101061 was implemented, this is not really needed anymore |
This makes the checks for
std::mem::uninitializedstricter, but tries to avoid makinghyperpanic.hyperversions 0.11 to early 0.14 all make slices inside arrays, so we don't panic on slices inside arrays. We still will panic on any other reference, even to ZSTs.No change was made to the
std::mem::zeroedchecks.We still consider uninit primitives that have a full range to be valid, as well as &[u8] (more generally, any type with an align of 1) and &str but only inside arrays.
I ran these on some known bad
hypercrates, and they all passed, whereas a known bad crossbeam crate using mem::zeroed failed. Which is what I expected.See: #66151
Once the code's been reviewed and we're happy with the amount of checks this is doing, this will definitely need a crater run. I'm expecting hopefully less than the previous run, mostly crossbeam but maybe with some extra surprises.