Taint the type of ill-formed (unsized) statics

[cjgillot]

Fixes #121176
Fixes #129109
Fixes #130970
Fixes #131347
Fixes #139872
Fixes #140332

[rustbot]

r? @davidtwco

rustbot has assigned @davidtwco.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[rustbot]

Some changes occurred to the CTFE / Miri interpreter

cc @rust-lang/miri

This PR changes a file inside tests/crashes. If a crash was fixed, please move into the corresponding ui subdir and add 'Fixes #' to the PR description to autoclose the issue upon merge.

Some changes occurred to MIR optimizations

cc @rust-lang/wg-mir-opt

Some changes occurred to the CTFE machinery

cc @RalfJung, @oli-obk, @lcnr

[RalfJung]

I'm not a fan of these functions. The point of the assertions is that they are a last line of defense to detect defective callers. They are not exhaustive checks. If the caller can't ensure that the value has the right type, that can only be fixed in the caller.

IOW, matches_abi here really is more of a maybe_matches_abi. It is necessary, but not sufficient. And trying to make it sufficient is the wrong approach; the right approach is figuring out why someone is feeding bogus data into these functions.

[RalfJung]

For instance, this is a clearly ill-formed static. Nothing should ever look at its MIR. Trying to make the MIR interpreter APIs resistant against bogus MIR is a pointless game of whack-a-mole.

[oli-obk]

yea those cases are straight forward to prevent within type_of, we don't even need to compute the layout, just doing a sizedness check.

[RalfJung]

That doesn't quite work since we allow extern statics that have extern types, which are unsized.

[oli-obk]

Well, we can check the tail manually for slices and dyn trait

[RalfJung]

But that requires unfolding the type which will trigger the same cycle error, won't it?

[RalfJung]

These all seem to be standard cases of "ill-formed MIR gets too far into the pipeline". We should never run any MIR passes on ill-formed MIR; it is a waste of effort to try and fix this inside every individual pass.

[cjgillot]

These all seem to be standard cases of "ill-formed MIR gets too far into the pipeline". We should never run any MIR passes on ill-formed MIR; it is a waste of effort to try and fix this inside every individual pass.

I agree, but fixing this is general is hard too. We have an ImpossiblePredicates pass to skip this kind of nonsense, but it is quite limited to avoid query cycles. And it cannot handle nonsense that spans multiple items.

A "cleaner" way would be to ensure we never produce a constant with mismatching ABI, be it as a ConstValue or as an OpTy. But that also clashes with the notion that miri should run on sensible code.

[RalfJung]

These are statics failing the "it must be sized" check. It's not some impossible where bound. I don't see what is so hard about marking them as tainted so nothing else ever touches them again. It's the exact same thing as a static whose initializer body is plainly ill-typed.

[cjgillot]

@RalfJung this latest version prevents creating the erroneous constants altogether. Do you agree with this version?

[RalfJung]

Yeah, that looks much better, thanks.

I'm not familiar with MIR building so I can't approve this on my own, however.

[cjgillot]

It's not ready yet. Just checking sizedness is not enough, as some non-sized types are OK too, like extern types. And using layout causes cycles.

[RalfJung]

Extern types can only work with extern statics, right?

And even then, that seems kind of cursed. Did we intentionally allow that or just forget to disallow it?

[cjgillot]

Extern types can only work with extern statics, right?

Or inside pointers. And pointers to extern types are scalars.

And even then, that seems kind of cursed. Did we intentionally allow that or just forget to disallow it?

It's intentional. We have a run-make test to verify this works.

[RalfJung]

Pointers to extern types are sized so there is no problem with them, those should just work.

[cjgillot]

The failing test is this one:

rust/tests/run-make/static-extern-type/use-foo.rs

Lines 3 to 7 in a7a1618

	extern "C" {
	type Foo;
	static FOO: Foo;
	fn bar(foo: *const Foo) -> u8;
	}

As a foreign type Foo is not sized, but &Foo and *mut Foo are still scalar. This is a special case in layout computation.

Checking whether &T is scalar in full generality requires either to call layout_of, or to open-code it. Internally, it normalizes <T as Pointee>::Metadata and compute that type's layout. The normalization process may try to normalize opaque types. This breaks https://github.com/rust-lang/rust/blob/master/tests/ui/coroutine/layout-error.rs

[RalfJung]

The failing test is this one:

Yeah, that is a very odd test, I didn't think we'd allow extern statics with unknown size. Interestingly, we reject static FOO2: [i32]; (as we have to).

What is not entirely clear to me is why we'd care about whether &Foo has metadata or not. Is that for constructing the pointer that represents the extern static access in MIR? As far as I can see, those pointers are always scalar, since statics with unsized types that require metadata are forbidden (and that makes sense; where would the metadata come from anyway).

[RalfJung]

All the issues referenced here seem to be about statics that are unsized-with-metadata. You can check for this without knowing the layout; just call ptr_metadata_ty on the type of the static. Statics can't be generic so this should always give you a definite answer.

This still has to normalize some things though, so that coroutine case could become interesting. But it's okay for that code to error, it just can't ICE.

[RalfJung]

Suggested change

	tcx.dcx().span_delayed_bug(span, format!("static's type `{ty}` is not Sized"));
	tcx.dcx().span_delayed_bug(span, format!("static's type `{pointee}` is not Sized"));

[RalfJung]

Wouldn't an alternative be to change the type of the static itself to TyKind::Error after we determined that it's not a valid type for a static? Then we don't need patches like this all over the rest of the compiler.

Cc @oli-obk

[rustbot]

This PR modifies tests/ui/issues/. If this PR is adding new tests to tests/ui/issues/,
please refrain from doing so, and instead add it to more descriptive subdirectories.

[cjgillot]

Wouldn't an alternative be to change the type of the static itself to TyKind::Error after we determined that it's not a valid type for a static? Then we don't need patches like this all over the rest of the compiler.

that would mean moving these checks to type_of, which should be fine for static items, but are very cycle prone for other things

The latest commit tries that. I think it's worse because it breaks passing tests.

[RalfJung]

Hm... I don't think I understand why this fails, but I guess that's how type_alias_impl_trait works...?

[oli-obk]

Yea, if we do use the "reveal opaque type to check the auto trait" logic, then this must cycle if we do it as a part of type_of. But if you are using a TAIT as the type of a static then it's not unreasonable to mark it as Sync, too.

Of course we could keep the Sync check out of the type_of code path and check it only in wfcheck like we did before this PR, but that'll be up to the lang team I guess?

[RalfJung]

Ah I see. Yeah Sync can't influence layout so it's much less likely to ICE later parts of the compiler... but I'm fine either way.

[oli-obk]

Suggested change

	pub type F = impl Future;
	pub type F = impl Future + Sync;

Needing an extra annotation for an opaque type in a static item seems fine to me

[oli-obk]

Similarly here. Open an issue that this cycle diagnostic should propose adding the bound to the opaque. We'll fix that for TAITs but that shouldn't stop your PR

[oli-obk]

Yea, if we do use the "reveal opaque type to check the auto trait" logic, then this must cycle if we do it as a part of type_of. But if you are using a TAIT as the type of a static then it's not unreasonable to mark it as Sync, too.

Of course we could keep the Sync check out of the type_of code path and check it only in wfcheck like we did before this PR, but that'll be up to the lang team I guess?

[oli-obk]

r? @oli-obk

@bors r+

[bors]

📌 Commit 8817572 has been approved by oli-obk

It is now in the queue for this repository.

[RalfJung]

Just some minor comment nits, I can imagine this being quite confusing for someone who doesn't have the context we do right now.

@bors r-
(But we already got rolled up so this may have to be resolved in a follow-up PR.)

[RalfJung]

Suggested change

	// Verify that here to avoid ill-formed MIR.
	match check_static_item(tcx, def_id, ty, false) {
	// Verify that here to avoid ill-formed MIR.
	// We skip the `Sync` check to avoid cycles for type-alias-impl-trait,
	// relying on the fact that non-Sync statics don't ICE the rest of the compiler.
	match check_static_item(tcx, def_id, ty, /* should_check_for_sync */ false) {

[RalfJung]

Suggested change

	// Verify that here to avoid ill-formed MIR.
	match check_static_item(tcx, def_id, ty, false) {
	// Verify that here to avoid ill-formed MIR.
	// We skip the `Sync` check to avoid cycles for type-alias-impl-trait,
	// relying on the fact that non-Sync statics don't ICE the rest of the compiler.
	match check_static_item(tcx, def_id, ty, /* should_check_for_sync */ false) {

[RalfJung]

Suggested change

	res = res.and(wfcheck::check_static_item(tcx, def_id, ty, true));
	res = res.and(wfcheck::check_static_item(tcx, def_id, ty, /* should_check_for_sync */ true));

[RalfJung]

I'll submit a PR with the comments.