interpret: properly check for inhabitedness of nested references

[RalfJung]

View all comments

This implements the opsem from the ongoing FCP in rust-lang/unsafe-code-guidelines#413. The bit we were previously missing is that transmuting a &&! into existence was not caught as being immediate UB -- only the &! case behaved as expected.

I did not adjust the layout computation because when we compute the layout of &T, we cannot know the layout of T (as that might be recursive).

r? @oli-obk

[rustbot]

The Miri subtree was changed

cc @rust-lang/miri

Some changes occurred to the CTFE / Miri interpreter

cc @rust-lang/miri

Some changes occurred to the CTFE machinery

cc @oli-obk, @lcnr

[RalfJung]

I wasn't sure how to recurse into these. Are coroutines always inhabited via a trivial start state, or can they be uninhabited due to capturing ! as an "upvar"? How do coroutine closures work?

View changes since the review

[RalfJung]

Looks like yes they can be uninhabited

Coroutine(DefId(0:13 ~ diverges[9ce3]::async_let::{closure#0}), [(), std::future::ResumeTy, (), !, (Void,)]) is ABI-uninhabited but not opsem-uninhabited?

[RalfJung]

I now made them all check the upvar_tys, but I am not entirely sure if that is enough.

[cjgillot]

For coroutines, checking upvars is enough. The coroutine state is pretty much struct { upvars, enum { Unresumed, Returned, Panicked, Suspend0 { .. }, Suspent1 { .. }, .. } }

Note that #135527 proposes to change this to enum { Unresumed { upvars }, Returned, Panicked, Suspend0 { .. }, Suspent1 { .. }, .. }. Starting from that PR, the enum state will be inhabited in all cases.

Coroutine closures work exactly like closures.

[RalfJung]

Thanks for confirming!

[RalfJung]

I guess in theory the pattern could make a type uninhabited... so technically if we ever want to use that for the opsem we have to add it has a check here before pattern types get stabilized.

View changes since the review

[oli-obk]

none of the current patterns can, but yes, that may be possible in the future

[RalfJung]

Do we need to do something to bound this recursion? We already stop when encountering the same ADT again, so recursion is bounded by the depth of ADT field types until it comes back to the original type.

Do we need to do some stack growing magic?

View changes since the review

[oli-obk]

it's possible this can't be hit due to other stack growth protections, but theoretically you can create a very nested tuple, or just &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&T with a lot of repetitions of the reference. I'd honestly just wait for an issue

[oli-obk]

it's possible this can't be hit due to other stack growth protections, but theoretically you can create a very nested tuple, or just &&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&&T with a lot of repetitions of the reference. I'd honestly just wait for an issue

[oli-obk]

none of the current patterns can, but yes, that may be possible in the future

[RalfJung]

I pushed a proper recursion check including a recursion limit check.

But... I am not sure it's sound. This means that depending on the recursion limit, different crates might consider the same type inhabited or not.

OTOH if we just hard-code e.g. 256 here, then with a sufficiently high query recursion limit one can write a 257-level-nested type (Wrap<Wrap<...<Wrap<!>>...>>) that layout will still consider uninhabited but this check will give up.

View changes since the review

[theemathas]

Why exactly is this check soundness-critical? I don't quite follow...

As far as I can tell, it seems like this is just a courtesy best-effort check for UB in consteval, and a sanity check after computing layout?

[RalfJung]

This is also used by Miri so it is supposed to define what is and isn't UB.

Also our query system relies on cross-crate-consistent results, doesn't it?

[RalfJung]

@camsteffen proposed to do something more like inhabited_predicate_adt. I must admit that I do not understand how that query works -- I can see that it produces a predicate and ships it to the trait solver, but how is that helpful for recursive types?

[camsteffen]

Sorry, that was kind of a red herring.

More to the point is check_representability. That query uses query cycle detection to detect an infinite sized type and abort compilation.

So I think we could have a check_opsem_inhabited query which also has query cycle detection, but instead of aborting, return OpsemInhabited::False or something like that for the query result.

check_representability uses params_in_repr, so check_opsem_inhabited could use something similar like params_in_repr_or_ref to include references.

[WaffleLapkin]

Another idea, that lcnr proposed, is that we can error on overflow. I.e. when computing inhabitedness of a type, if we reach the recursion limit, emit a hard error.

Since an error prevents the code from being compiled, there is no problem with linking two different crates with different recursion limits -- they either both get the same result, or one of them doesn't compile.

We can still support (assume inhabited) types which refer to themselves directly like

struct A(&'static A);

And error only if the same type is mentioned with different generic parameters and overflows:

struct B<T: 'static>(&'static B<(T, T)>);

This is technically a breaking change, but it seems fine not to support types which infinitely grow like this (or am I missing something?).

[theemathas]

But this seems fine, considering how much of an edge case this is?

Given,

struct Wrap<T>(T);

I believe that the algorithm you proposed would say that &Wrap<Wrap<!>> is inhabited, which doesn't seem like a particularly strange edge case. @WaffleLapkin

[theemathas]

This is technically a breaking change, but it seems fine not to support types which infinitely grow like this (or am I missing something?).

Given that #138599 fixed multiple issues, it seems that there exist some use cases where people want such strange recursive types. We can't know how much that is before we run crater though.

[WaffleLapkin]

I believe that the algorithm you proposed would say that &Wrap<Wrap<!>> is inhabited, which doesn't seem like a particularly strange edge case. @WaffleLapkin

I personally think that it's "fine", especially given that this improves over the status quo. But I suppose we could also allow recursing through the same definition a set number of times (i.e. setting a recursion limit higher than 1)...

[RalfJung]

@WaffleLapkin I like that first version, and I think I can combine it with an idea I had to avoid the problem @theemathas mentioned. This avoids any dependency on the recursion limit while also still satisfying the desired implication "layout inhabited => opsem inhabited". I pushed that now.

[craterbot]

👌 Experiment pr-156977 created and queued.
🤖 Automatically detected try build 05c0158
⚠️ Try build based on commit 5f63b50, but latest commit is d1a8249. Did you forget to make a new try build?
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[RalfJung]

@rustbot ready

[theemathas]

Suggested change

	bug!("non-normalized type in `is_opsem_uninhabited_raw::rec`: `{ty}`")
	bug!("non-normalized type in `is_opsem_uninhabited_recursor`: `{ty}`")

View changes since the review

[theemathas]

Maybe it would be cleaner to have a struct that manually implements a trait? I kinda hate that less than having this confusing knot of callbacks.

View changes since the review

[theemathas]

Alternatively, we could have a function that takes some arguments and returns the needed adt_handler. Each time we need an adt_handler, we call this function instead of trying (and failing) to use the closure itself.

[RalfJung]

Returning a closure is awkward and requires Box. And personally I prefer the current approach over a new trait. But I can add a trait if that becomes a blocking concern.

[theemathas]

@craterbot cancel

See #157814

[craterbot]

🗑️ Experiment pr-156977 deleted!

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[theemathas]

@craterbot check p=1 crates=https://crater-reports.s3.amazonaws.com/pr-157814-crater-rollup/retry-regressed-list.txt

[craterbot]

👌 Experiment pr-156977 created and queued.
🤖 Automatically detected try build 05c0158
⚠️ Try build based on commit 5f63b50, but latest commit is 09db86e. Did you forget to make a new try build?
🔍 You can check out the queue and this experiment's details.

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🚧 Experiment pr-156977 is now running

ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

[craterbot]

🎉 Experiment pr-156977 is completed!
📊 0 regressed and 0 fixed (14695 total)
📊 610 spurious results on the retry-regressed-list.txt, consider a retry¹ if this is a significant amount.
📰 Open the summary report.

⚠️ If you notice any spurious failure please add them to the denylist!
ℹ️ Crater is a tool to run experiments across parts of the Rust ecosystem. Learn more

Footnotes

1. re-run the experiment with crates=https://crater-reports.s3.amazonaws.com/pr-156977/retry-regressed-list.txt ↩

[RalfJung]

Crater looks good, so @WaffleLapkin this is ready for review. :)

[WaffleLapkin]

When pattern types start supporting enums, we'll need to decide if type X here is inhabited or not:

#![feature(pattern_types)]
#![feature(pattern_type_macro)]
#![feature(never_type)]
enum E {
    A,
    B(!),
}

type X = pattern_type!(E is E::B(_));

View changes since the review

[WaffleLapkin]

I feel like the code is fairly confusing with the closures & mutual recursion.

This query is only called for ADTs. I think if you change it to be is_adt_opsem_inhabited(tcx, adt_def, adt_args, seen) the code will become a lot clearer.

Then you can have

• is_opsem_inhabited calls is_opsem_inhabited_recursor
• is_opsem_inhabited_recursor calls is_adt_opsem_inhabited for adts
• is_adt_opsem_inhabited calls is_opsem_inhabited_recursor directly

I think this should work & make the code a lot easier to follow.

View changes since the review

[WaffleLapkin]

Q: wasn't the thing that we want "layout uninhabited" => "opsem uninhabited"?

View changes since the review

[WaffleLapkin]

I feel like this should be documented on the public function.

View changes since the review

[WaffleLapkin]

Q: Do we need to special case Box in is_opsem_inhabited?

View changes since the review

[WaffleLapkin]

Q: why change this?

View changes since the review

[WaffleLapkin]

"every enum"?

View changes since the review