Ensure miri only uses fallback bodies that have manually been vetted to preserve all UB that the native intrinsic would have

2025-06-04 19:29:07 +00:00 · 2024-04-23 13:32:30 +00:00 · 2024-04-23 13:32:30 +00:00 · 821d23b329
commit 821d23b329
parent 351658ae66
8 changed files with 44 additions and 2 deletions
--- a/compiler/rustc_const_eval/src/const_eval/machine.rs
+++ b/compiler/rustc_const_eval/src/const_eval/machine.rs
@ -468,7 +468,8 @@ impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir,
        // CTFE-specific intrinsics.
        let Some(ret) = target else {
-            // Handle diverging intrinsics.
+            // Handle diverging intrinsics. We can't handle any of them (that are not already
            // handled above), but check if there is a fallback body.
            if ecx.tcx.intrinsic(instance.def_id()).unwrap().must_be_overridden {
                throw_unsup_format!(
                    "intrinsic `{intrinsic_name}` is not supported at compile-time"
--- a/compiler/rustc_resolve/src/macros.rs
+++ b/compiler/rustc_resolve/src/macros.rs
@ -141,7 +141,7 @@ pub(crate) fn registered_tools(tcx: TyCtxt<'_>, (): ()) -> RegisteredTools {
    }
    // We implicitly add `rustfmt`, `clippy`, `diagnostic` to known tools,
    // but it's not an error to register them explicitly.
-    let predefined_tools = [sym::clippy, sym::rustfmt, sym::diagnostic];
+    let predefined_tools = [sym::clippy, sym::rustfmt, sym::diagnostic, sym::miri];
    registered_tools.extend(predefined_tools.iter().cloned().map(Ident::with_dummy_span));
    registered_tools
 }
--- a/library/core/src/intrinsics.rs
+++ b/library/core/src/intrinsics.rs
@ -987,6 +987,7 @@ pub const unsafe fn assume(b: bool) {
 #[unstable(feature = "core_intrinsics", issue = "none")]
 #[rustc_intrinsic]
 #[rustc_nounwind]
 #[cfg_attr(not(bootstrap), miri::intrinsic_fallback_checks_ub)]
 pub const fn likely(b: bool) -> bool {
    b
 }
@ -1006,6 +1007,7 @@ pub const fn likely(b: bool) -> bool {
 #[unstable(feature = "core_intrinsics", issue = "none")]
 #[rustc_intrinsic]
 #[rustc_nounwind]
 #[cfg_attr(not(bootstrap), miri::intrinsic_fallback_checks_ub)]
 pub const fn unlikely(b: bool) -> bool {
    b
 }
@ -2526,6 +2528,7 @@ extern "rust-intrinsic" {
 #[rustc_nounwind]
 #[rustc_do_not_const_check]
 #[inline]
 #[cfg_attr(not(bootstrap), miri::intrinsic_fallback_checks_ub)]
 pub const fn ptr_guaranteed_cmp<T>(ptr: *const T, other: *const T) -> u8 {
    (ptr == other) as u8
 }
--- a/src/tools/miri/src/shims/intrinsics/atomic.rs
+++ b/src/tools/miri/src/shims/intrinsics/atomic.rs
@ -14,6 +14,7 @@ pub enum AtomicOp {
 impl<'mir, 'tcx: 'mir> EvalContextExt<'mir, 'tcx> for crate::MiriInterpCx<'mir, 'tcx> {}
 pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
    /// Calls the atomic intrinsic `intrinsic`; the `atomic_` prefix has already been removed.
    /// Returns `Ok(true)` if the intrinsic was handled.
    fn emulate_atomic_intrinsic(
        &mut self,
        intrinsic_name: &str,
--- a/src/tools/miri/src/shims/intrinsics/mod.rs
+++ b/src/tools/miri/src/shims/intrinsics/mod.rs
@ -11,6 +11,7 @@ use rustc_middle::{
    ty::{self, FloatTy},
 };
 use rustc_target::abi::Size;
 use rustc_span::{sym, Symbol};
 use crate::*;
 use atomic::EvalContextExt as _;
@ -48,6 +49,7 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
        // All remaining supported intrinsics have a return place.
        let ret = match ret {
            // FIXME: add fallback body support once we actually have a diverging intrinsic with a fallback body
            None => throw_unsup_format!("unimplemented (diverging) intrinsic: `{intrinsic_name}`"),
            Some(p) => p,
        };
@ -63,9 +65,14 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
        // The rest jumps to `ret` immediately.
        if !this.emulate_intrinsic_by_name(intrinsic_name, instance.args, args, dest)? {
            // We haven't handled the intrinsic, let's see if we can use a fallback body.
            if this.tcx.intrinsic(instance.def_id()).unwrap().must_be_overridden {
                throw_unsup_format!("unimplemented intrinsic: `{intrinsic_name}`")
            }
            let intrinsic_fallback_checks_ub = Symbol::intern("intrinsic_fallback_checks_ub");
            if this.tcx.get_attrs_by_path(instance.def_id(), &[sym::miri, intrinsic_fallback_checks_ub]).next().is_none() {
                throw_unsup_format!("miri can only use intrinsic fallback bodies that check UB. After verifying that `{intrinsic_name}` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that");
            }
            return Ok(Some(ty::Instance {
                def: ty::InstanceDef::Item(instance.def_id()),
                args: instance.args,
@ -78,6 +85,7 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
    }
    /// Emulates a Miri-supported intrinsic (not supported by the core engine).
    /// Returns `Ok(true)` if the intrinsic was handled.
    fn emulate_intrinsic_by_name(
        &mut self,
        intrinsic_name: &str,
--- a/src/tools/miri/src/shims/intrinsics/simd.rs
+++ b/src/tools/miri/src/shims/intrinsics/simd.rs
@ -16,6 +16,7 @@ pub(crate) enum MinMax {
 impl<'mir, 'tcx: 'mir> EvalContextExt<'mir, 'tcx> for crate::MiriInterpCx<'mir, 'tcx> {}
 pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
    /// Calls the simd intrinsic `intrinsic`; the `simd_` prefix has already been removed.
    /// Returns `Ok(true)` if the intrinsic was handled.
    fn emulate_simd_intrinsic(
        &mut self,
        intrinsic_name: &str,
--- a/src/tools/miri/tests/fail/intrinsic_fallback_checks_ub.rs
+++ b/src/tools/miri/tests/fail/intrinsic_fallback_checks_ub.rs
@ -0,0 +1,14 @@
 #![feature(rustc_attrs, effects)]
 #[rustc_intrinsic]
 #[rustc_nounwind]
 #[rustc_do_not_const_check]
 #[inline]
 pub const fn ptr_guaranteed_cmp<T>(ptr: *const T, other: *const T) -> u8 {
    (ptr == other) as u8
 }
 fn main() {
    ptr_guaranteed_cmp::<()>(std::ptr::null(), std::ptr::null());
    //~^ ERROR: can only use intrinsic fallback bodies that check UB.
 }
--- a/src/tools/miri/tests/fail/intrinsic_fallback_checks_ub.stderr
+++ b/src/tools/miri/tests/fail/intrinsic_fallback_checks_ub.stderr
@ -0,0 +1,14 @@
 error: unsupported operation: miri can only use intrinsic fallback bodies that check UB. After verifying that `ptr_guaranteed_cmp` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that
  --> $DIR/intrinsic_fallback_checks_ub.rs:LL:CC
   |
 LL |     ptr_guaranteed_cmp::<()>(std::ptr::null(), std::ptr::null());
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ miri can only use intrinsic fallback bodies that check UB. After verifying that `ptr_guaranteed_cmp` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that
   |
   = help: this is likely not a bug in the program; it indicates that the program performed an operation that the interpreter does not support
   = note: BACKTRACE:
   = note: inside `main` at $DIR/intrinsic_fallback_checks_ub.rs:LL:CC
 note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
 error: aborting due to 1 previous error