Toggle assert_unsafe_precondition in codegen instead of expansion #120594

saethlin · 2024-02-02T23:45:48Z

The goal of this PR is to make some of the unsafe precondition checks in the standard library available in debug builds. Some UI tests are included to verify that it does that.

The diff is large, but most of it is blessing mir-opt tests and I've also split up this PR so it can be reviewed commit-by-commit.

This PR:

Adds a new intrinsic, debug_assertions which is lowered to a new MIR NullOp, and only to a constant after monomorphization
Rewrites assume_unsafe_precondition to check the new intrinsic, and be monomorphic.
Skips codegen of the assume intrinsic in unoptimized builds, because that was silly before but with these checks it's very silly
The checks with the most overhead are ptr::read/ptr::write and NonNull::new_unchecked. I've simply added #[cfg(debug_assertions)] to the checks for ptr::read/ptr::write because I was unable to come up with any (good) ideas for decreasing their impact. But for NonNull::new_unchecked I found that the majority of callers can use a different function, often a safe one.

Yes, this PR slows down the compile time of some programs. But in our benchmark suite it's never more than 1% icount, and the average icount change in debug-full programs is 0.22%. I think that is acceptable for such an improvement in developer experience.

#120539 (comment)

saethlin · 2024-02-03T04:06:13Z

@bors try @rust-timer queue

Toggle assert_unsafe_precondition in codegen instead of expansion r? `@ghost` rust-lang#120539 (comment)

bors · 2024-02-03T04:07:23Z

⌛ Trying commit 6dd581b with merge 919a9f5...

bors · 2024-02-03T08:22:23Z

💥 Test timed out

saethlin · 2024-02-03T18:07:41Z

@bors try @rust-timer queue

saethlin · 2024-02-03T18:08:26Z

@bors retry

bors · 2024-02-03T18:08:50Z

⌛ Trying commit 6dd581b with merge 4ec6b4e...

Toggle assert_unsafe_precondition in codegen instead of expansion r? `@ghost` rust-lang#120539 (comment)

bors · 2024-02-03T19:39:12Z

☀️ Try build successful - checks-actions
Build commit: 4ec6b4e (4ec6b4eea2432e96b694a0b73a6a5a664e3ff17c)

rust-timer · 2024-02-03T20:54:52Z

Finished benchmarking commit (4ec6b4e): comparison URL.

Overall result: ❌✅ regressions and improvements - ACTION NEEDED

Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf.

Next Steps: If you can justify the regressions found in this try perf run, please indicate this with @rustbot label: +perf-regression-triaged along with sufficient written justification. If you cannot justify the regressions please fix the regressions and do another perf run. If the next run shows neutral or positive results, the label will be automatically removed.

@bors rollup=never
@rustbot label: -S-waiting-on-perf +perf-regression

Instruction count

This is a highly reliable metric that was used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	2.0%	[0.2%, 9.4%]	111
Regressions ❌ (secondary)	2.6%	[0.3%, 36.6%]	39
Improvements ✅ (primary)	-0.7%	[-0.8%, -0.5%]	3
Improvements ✅ (secondary)	-0.6%	[-1.3%, -0.3%]	9
All ❌✅ (primary)	1.9%	[-0.8%, 9.4%]	114

Max RSS (memory usage)

Results

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	5.5%	[1.6%, 8.9%]	12
Regressions ❌ (secondary)	4.3%	[2.5%, 6.4%]	4
Improvements ✅ (primary)	-1.2%	[-1.5%, -1.0%]	3
Improvements ✅ (secondary)	-2.7%	[-3.3%, -2.1%]	2
All ❌✅ (primary)	4.1%	[-1.5%, 8.9%]	15

Cycles

Results

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	3.4%	[1.1%, 9.0%]	58
Regressions ❌ (secondary)	8.4%	[2.0%, 36.0%]	9
Improvements ✅ (primary)	-2.4%	[-2.4%, -2.4%]	1
Improvements ✅ (secondary)	-3.8%	[-7.0%, -0.9%]	7
All ❌✅ (primary)	3.3%	[-2.4%, 9.0%]	59

Binary size

Results

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	4.4%	[0.2%, 9.3%]	95
Regressions ❌ (secondary)	4.5%	[0.2%, 33.6%]	28
Improvements ✅ (primary)	-1.1%	[-3.9%, -0.1%]	18
Improvements ✅ (secondary)	-1.0%	[-2.0%, -0.0%]	2
All ❌✅ (primary)	3.5%	[-3.9%, 9.3%]	113

Bootstrap: 662.752s -> 669.21s (0.97%)
Artifact size: 308.09 MiB -> 307.83 MiB (-0.08%)

saethlin · 2024-02-03T21:03:10Z

The few improvements are probably because the precondition checks are always kept in MIR, so we do less MIR inlining generally, and in some cases that happens to help.

Now I'm going to try to find the precondition checks that I think are least profitable and make those get toggled early.

saethlin · 2024-02-03T23:26:30Z

@bors try @rust-timer queue

bors · 2024-02-03T23:27:41Z

⌛ Trying commit 3ef4a60 with merge 4da3573...

Toggle assert_unsafe_precondition in codegen instead of expansion r? `@ghost` rust-lang#120539 (comment)

Upgrade toolchain to 2024-02-17. Relevant PRs: rust-lang/rust#120872 rust-lang/rust#120594 Resolves #3028 By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 and MIT licenses.

…iler-errors Ignore less tests in debug builds Since rust-lang#120594 and rust-lang#120863, nearly all UB-detecting debug assertions get compiled out of code that is monomorphized by a crate built with debug assertions disabled. Which means that if we default all our codegen tests to `-Cdebug-assertions=no`, most of them work just fine against a sysroot built with debug assertions. I also tried to explain a bit better why some tests need to be skipped, for those that still need to be skipped.

Rollup merge of rust-lang#121531 - saethlin:ignore-less-debug, r=compiler-errors Ignore less tests in debug builds Since rust-lang#120594 and rust-lang#120863, nearly all UB-detecting debug assertions get compiled out of code that is monomorphized by a crate built with debug assertions disabled. Which means that if we default all our codegen tests to `-Cdebug-assertions=no`, most of them work just fine against a sysroot built with debug assertions. I also tried to explain a bit better why some tests need to be skipped, for those that still need to be skipped.

Ignore less tests in debug builds Since rust-lang/rust#120594 and rust-lang/rust#120863, nearly all UB-detecting debug assertions get compiled out of code that is monomorphized by a crate built with debug assertions disabled. Which means that if we default all our codegen tests to `-Cdebug-assertions=no`, most of them work just fine against a sysroot built with debug assertions. I also tried to explain a bit better why some tests need to be skipped, for those that still need to be skipped.

DianQK · 2024-02-26T13:16:35Z

tests/mir-opt/inline/unwrap_unchecked.unwrap_unchecked.Inline.panic-abort.diff

+      bb1: {
+         StorageLive(_4);
+         _4 = cfg!(debug_assertions);
+         assume(_4);


So it's expected that it doesn't directly convert to unreachable here, right?

I didn't notice the associated comments. This is for the standard library. :)

Avoid more NonNull-raw-NonNull roundtrips in Vec r? the8472 The standard library in general has a lot of these round-trips from niched types to their raw innards and back. Such round-trips have overhead in debug builds since rust-lang#120594. I removed some such round-trips in that initial PR and I've been meaning to come back and hunt down more such examples (this is the last item on rust-lang#120848).

Rollup merge of rust-lang#123835 - saethlin:vec-from-nonnull, r=the8472 Avoid more NonNull-raw-NonNull roundtrips in Vec r? the8472 The standard library in general has a lot of these round-trips from niched types to their raw innards and back. Such round-trips have overhead in debug builds since rust-lang#120594. I removed some such round-trips in that initial PR and I've been meaning to come back and hunt down more such examples (this is the last item on rust-lang#120848).

Pkgsrc changes: * Adapt checksums and patches, some have beene intregrated upstream. Upstream chnages: Version 1.78.0 (2024-05-02) =========================== Language -------- - [Stabilize `#[cfg(target_abi = ...)]`] (rust-lang/rust#119590) - [Stabilize the `#[diagnostic]` namespace and `#[diagnostic::on_unimplemented]` attribute] (rust-lang/rust#119888) - [Make async-fn-in-trait implementable with concrete signatures] (rust-lang/rust#120103) - [Make matching on NaN a hard error, and remove the rest of `illegal_floating_point_literal_pattern`] (rust-lang/rust#116284) - [static mut: allow mutable reference to arbitrary types, not just slices and arrays] (rust-lang/rust#117614) - [Extend `invalid_reference_casting` to include references casting to bigger memory layout] (rust-lang/rust#118983) - [Add `non_contiguous_range_endpoints` lint for singleton gaps after exclusive ranges] (rust-lang/rust#118879) - [Add `wasm_c_abi` lint for use of older wasm-bindgen versions] (rust-lang/rust#117918) This lint currently only works when using Cargo. - [Update `indirect_structural_match` and `pointer_structural_match` lints to match RFC] (rust-lang/rust#120423) - [Make non-`PartialEq`-typed consts as patterns a hard error] (rust-lang/rust#120805) - [Split `refining_impl_trait` lint into `_reachable`, `_internal` variants] (rust-lang/rust#121720) - [Remove unnecessary type inference when using associated types inside of higher ranked `where`-bounds] (rust-lang/rust#119849) - [Weaken eager detection of cyclic types during type inference] (rust-lang/rust#119989) - [`trait Trait: Auto {}`: allow upcasting from `dyn Trait` to `dyn Auto`] (rust-lang/rust#119338) Compiler -------- - [Made `INVALID_DOC_ATTRIBUTES` lint deny by default] (rust-lang/rust#111505) - [Increase accuracy of redundant `use` checking] (rust-lang/rust#117772) - [Suggest moving definition if non-found macro_rules! is defined later] (rust-lang/rust#121130) - [Lower transmutes from int to pointer type as gep on null] (rust-lang/rust#121282) Target changes: - [Windows tier 1 targets now require at least Windows 10] (rust-lang/rust#115141) - [Enable CMPXCHG16B, SSE3, SAHF/LAHF and 128-bit Atomics in tier 1 Windows] (rust-lang/rust#120820) - [Add `wasm32-wasip1` tier 2 (without host tools) target] (rust-lang/rust#120468) - [Add `wasm32-wasip2` tier 3 target] (rust-lang/rust#119616) - [Rename `wasm32-wasi-preview1-threads` to `wasm32-wasip1-threads`] (rust-lang/rust#122170) - [Add `arm64ec-pc-windows-msvc` tier 3 target] (rust-lang/rust#119199) - [Add `armv8r-none-eabihf` tier 3 target for the Cortex-R52] (rust-lang/rust#110482) - [Add `loongarch64-unknown-linux-musl` tier 3 target] (rust-lang/rust#121832) Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support. Libraries --------- - [Bump Unicode to version 15.1.0, regenerate tables] (rust-lang/rust#120777) - [Make align_offset, align_to well-behaved in all cases] (rust-lang/rust#121201) - [PartialEq, PartialOrd: document expectations for transitive chains] (rust-lang/rust#115386) - [Optimize away poison guards when std is built with panic=abort] (rust-lang/rust#100603) - [Replace pthread `RwLock` with custom implementation] (rust-lang/rust#110211) - [Implement unwind safety for Condvar on all platforms] (rust-lang/rust#121768) - [Add ASCII fast-path for `char::is_grapheme_extended`] (rust-lang/rust#121138) Stabilized APIs --------------- - [`impl Read for &Stdin`] (https://doc.rust-lang.org/stable/std/io/struct.Stdin.html#impl-Read-for-%26Stdin) - [Accept non `'static` lifetimes for several `std::error::Error` related implementations] (rust-lang/rust#113833) - [Make `impl<Fd: AsFd>` impl take `?Sized`] (rust-lang/rust#114655) - [`impl From<TryReserveError> for io::Error`] (https://doc.rust-lang.org/stable/std/io/struct.Error.html#impl-From%3CTryReserveError%3E-for-Error) These APIs are now stable in const contexts: - [`Barrier::new()`] (https://doc.rust-lang.org/stable/std/sync/struct.Barrier.html#method.new) Cargo ----- - [Stabilize lockfile v4](rust-lang/cargo#12852) - [Respect `rust-version` when generating lockfile] (rust-lang/cargo#12861) - [Control `--charset` via auto-detecting config value] (rust-lang/cargo#13337) - [Support `target.<triple>.rustdocflags` officially] (rust-lang/cargo#13197) - [Stabilize global cache data tracking] (rust-lang/cargo#13492) Misc ---- - [rustdoc: add `--test-builder-wrapper` arg to support wrappers such as RUSTC_WRAPPER when building doctests] (rust-lang/rust#114651) Compatibility Notes ------------------- - [Many unsafe precondition checks now run for user code with debug assertions enabled] (rust-lang/rust#120594) This change helps users catch undefined behavior in their code, though the details of how much is checked are generally not stable. - [riscv only supports split_debuginfo=off for now] (rust-lang/rust#120518) - [Consistently check bounds on hidden types of `impl Trait`] (rust-lang/rust#121679) - [Change equality of higher ranked types to not rely on subtyping] (rust-lang/rust#118247) - [When called, additionally check bounds on normalized function return type] (rust-lang/rust#118882) - [Expand coverage for `arithmetic_overflow` lint] (rust-lang/rust#119432) Internal Changes ---------------- These changes do not affect any public interfaces of Rust, but they represent significant improvements to the performance or internals of rustc and related tools. - [Update to LLVM 18](rust-lang/rust#120055) - [Build `rustc` with 1CGU on `x86_64-pc-windows-msvc`] (rust-lang/rust#112267) - [Build `rustc` with 1CGU on `x86_64-apple-darwin`] (rust-lang/rust#112268) - [Introduce `run-make` V2 infrastructure, a `run_make_support` library and port over 2 tests as example] (rust-lang/rust#113026) - [Windows: Implement condvar, mutex and rwlock using futex] (rust-lang/rust#121956)

rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Feb 2, 2024