Validate before interning #122432
Validate before interning #122432
Conversation
|
Some changes occurred to the CTFE / Miri engine cc @rust-lang/miri The Miri subtree was changed cc @rust-lang/miri |
| { | ||
| for (_, prov) in alloc.provenance().ptrs().iter() { | ||
| if let AllocKind::Dead = self.get_alloc_info(prov.alloc_id()).2 { | ||
| throw_validation_failure!( | ||
| path, | ||
| DanglingPtrUseAfterFree { ptr_kind: PointerKind::Ref(Mutability::Not) } | ||
| ) | ||
| } | ||
| } | ||
| } | ||
| Ok(()) |
There was a problem hiding this comment.
There are more improvements to do here (like check unions) to get better paths, but that's harder
This comment has been minimized.
This comment has been minimized.
|
☔ The latest upstream changes (presumably #122204) made this pull request unmergeable. Please resolve the merge conflicts. |
| }; | ||
| // We always intern with `inner_mutability`, and furthermore we ensured above that if | ||
| // that is "immutable", then there are *no* mutable pointers anywhere in the newly | ||
| // interned memory -- justifying that we can indeed intern immutably. However this also |
There was a problem hiding this comment.
Hm, we're not really ensuring this any more, are we?
There was a problem hiding this comment.
That check is now done by intern_const_alloc_recursive. And that function has to re-compute inner_mutability just for that purpose.
Maybe patch_mutability_of_allocs should still do the check, but just return whether there was a problem or not, then we run validation, and then if validation didn't error and there was a problem during patch_mutability_of_allocs, then we show the other error? Thinking about it, if we do that we can probably still do interning before validation... 🙈
There was a problem hiding this comment.
Yea, there were more follow-up cleanups to do, but I didn't want to change too much in one go
There was a problem hiding this comment.
If we follow the strategy of "do interning first, record if there was an error, but delay reporting that until after validation" -- that requires way fewer changes than this PR, doesn't it?
There was a problem hiding this comment.
I'll try it out, I should have noted down what I thought I could improve/clean up if we did this
There was a problem hiding this comment.
Oh I remember now: we can make interning completely infallible by moving the CONST_EVAL_MUTABLE_PTR_IN_FINAL_VALUE into validation
There was a problem hiding this comment.
Ok, I implemented this in #122684
I think we should still go with this PR, as it allows making individual things simpler, even if it means validation needs to handle allocations that haven't been interned yet. Most of the time that should be resolveable by using general interpreter methods instead of using dedicated global_alloc code paths
There was a problem hiding this comment.
Oh I remember now: we can make interning completely infallible by moving the CONST_EVAL_MUTABLE_PTR_IN_FINAL_VALUE into validation
I don't think that works. Validation is inherently a type-based traversal, so data stored in unions (or padding) is completely ignored. (And that's arguably by design.) However we need to check all pointers to ensure none of them are mutable, including those stored in unions (and padding).
There was a problem hiding this comment.
I changed that in this PR. After a place has been validated, we also do some checks on all relocations of that place
There was a problem hiding this comment.
Hm, to me that doesn't fit with the intention of validation as a type-driven traversal... I'll have to think about this.
| | | ||
| = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior. | ||
| = note: the raw bytes of the constant (size: 8, align: 8) { | ||
| ╾ALLOC0<imm>╼ │ ╾──────╼ |
There was a problem hiding this comment.
You probably want to add the usual HEX_DUMP normalization rules to avoid having to make this stderr file per-bitwidth.
…icit. Before it was hard to see that in the other cases we just preserve the static's mutability
722aabc to
c99636f
Compare
|
@bors try @rust-timer queue |
This comment has been minimized.
This comment has been minimized.
…=<try> Validate before interning based on rust-lang#122397 fixes rust-lang#122398 r? `@RalfJung` There are more cleanups that can be done afterwards, but I think they may be unnecessary to make this PR useful on its own
This comment has been minimized.
This comment has been minimized.
|
☀️ Try build successful - checks-actions |
This comment has been minimized.
This comment has been minimized.
| const BAR: Union = { //~ ERROR it is undefined behavior | ||
| let x = 42; | ||
| Union { ptr: &x } | ||
| }; |
There was a problem hiding this comment.
Before this PR we had no tests actually excercising this code path
|
Finished benchmarking commit (abaca54): comparison URL. Overall result: ❌ regressions - ACTION NEEDEDBenchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf. Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @bors rollup=never Instruction countThis is a highly reliable metric that was used to determine the overall result at the top of this comment.
Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Binary sizeThis benchmark run did not return any relevant results for this metric. Bootstrap: 668.532s -> 668.042s (-0.07%) |
38b7f81 to
d1aee85
Compare
|
So, to me the alternative at #122684 seems conceptually simpler. What are the benefits of the approach in this PR? |
you get a path to where things are wrong, even if they are in padding or unions. And it does some separation of concerns, giving us simpler code for the mutability changes and the actual interning, instead of doing both at the same time. |
How is that tied to having the separate "patch allocation mutability" pass? It seems to me that the exact same code you wrote here would also achieve this for the other PR. (Over in that PR I am arguing maybe we want the interner to handle those errors, but that's a separate discussion from whether validation happens before or after interning. My only concern for these errors in the interner is having extra complexity in the validator which doesn't ever do anything visible without miri-unleashed.)
I would say it splits what feels like a single job into two. There's even some code duplication between the alloc-mutbl-patch pass and the interner. |
|
My next step was to get rid of I guess we'll have two of those loops then. Yea the benefits are not very large. I'll move the latest commits from here over to the other PR then |
based on #122397
fixes #122398
r? @RalfJung
There are more cleanups that can be done afterwards, but I think they may be unnecessary to make this PR useful on its own