Try to turn on validation in CTFE for unsafe code

Instead of only validating values which actually get stored to a const,
this PR attempts to turn on full validation in the presence of unsafe
code, as detected by walking HIR when available.

Author: saethlin

compiler/rustc_const_eval/src/const_eval/machine.rs

@@ -2,14 +2,17 @@ use rustc_hir::def::DefKind;
 use rustc_middle::mir;
 use rustc_middle::ty::{self, Ty, TyCtxt};
 use std::borrow::Borrow;
+use std::cell::RefCell;
 use std::collections::hash_map::Entry;
 use std::hash::Hash;
 
 use rustc_data_structures::fx::FxHashMap;
 use std::fmt;
 
 use rustc_ast::Mutability;
-use rustc_hir::def_id::DefId;
+use rustc_hir::def_id::{DefId, LocalDefId};
+use rustc_hir::intravisit::Visitor;
+use rustc_hir::Node;
 use rustc_middle::mir::AssertMessage;
 use rustc_session::Limit;
 use rustc_span::symbol::{sym, Symbol};
@@ -18,7 +21,7 @@ use rustc_target::spec::abi::Abi;
 
 use crate::interpret::{
     self, compile_time_machine, AllocId, ConstAllocation, Frame, ImmTy, InterpCx, InterpResult,
-    OpTy, PlaceTy, Pointer, Scalar, StackPopUnwind,
+    Machine, OpTy, PlaceTy, Pointer, Scalar, StackPopUnwind,
 };
 
 use super::error::*;
@@ -101,6 +104,8 @@ pub struct CompileTimeInterpreter<'mir, 'tcx> {
     /// * Pointers to allocations inside of statics can never leak outside, to a non-static global.
     /// This boolean here controls the second part.
     pub(super) can_access_statics: bool,
+
+    unsafe_detector: RefCell<UnsafeDetector>,
 }
 
 impl<'mir, 'tcx> CompileTimeInterpreter<'mir, 'tcx> {
@@ -109,6 +114,7 @@ impl<'mir, 'tcx> CompileTimeInterpreter<'mir, 'tcx> {
             steps_remaining: const_eval_limit.0,
             stack: Vec::new(),
             can_access_statics,
+            unsafe_detector: RefCell::new(UnsafeDetector::default()),
         }
     }
 }
@@ -229,9 +235,102 @@ impl<'mir, 'tcx: 'mir> CompileTimeEvalContext<'mir, 'tcx> {
     }
 }
 
+struct FindUnsafeVisitor<'tcx> {
+    tcx: TyCtxt<'tcx>,
+    found_unsafe: bool,
+}
+
+impl<'tcx> Visitor<'tcx> for FindUnsafeVisitor<'tcx> {
+    type NestedFilter = rustc_middle::hir::nested_filter::All;
+
+    fn nested_visit_map(&mut self) -> Self::Map {
+        self.tcx.hir()
+    }
+
+    fn visit_block(&mut self, block: &'tcx rustc_hir::Block<'tcx>) {
+        rustc_hir::intravisit::walk_block(self, block);
+        if let rustc_hir::BlockCheckMode::UnsafeBlock(_) = block.rules {
+            self.found_unsafe = true;
+        }
+    }
+}
+
+#[cold]
+#[inline(never)]
+fn may_contain_unsafe<'mir, 'tcx>(
+    ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>,
+    def_id: DefId,
+) -> bool {
+    let hir = ecx.tcx.hir();
+    if let Some(Node::Item(item)) = hir.get_if_local(def_id) {
+        let mut visitor = FindUnsafeVisitor { tcx: *ecx.tcx, found_unsafe: false };
+        visitor.visit_item(&item);
+        visitor.found_unsafe
+    } else {
+        true
+    }
+}
+
+#[derive(Default)]
+struct UnsafeDetector {
+    loaded_mir_with_unsafe: Option<bool>,
+    known_safe_defs: FxHashMap<LocalDefId, bool>,
+}
+
+impl UnsafeDetector {
+    #[cold]
+    #[inline(never)]
+    fn analyze_def<'mir, 'tcx>(
+        &mut self,
+        ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>,
+        def_id: DefId,
+    ) {
+        if let Some(local_id) = def_id.as_local() {
+            let found_unsafe = *self
+                .known_safe_defs
+                .entry(local_id)
+                .or_insert_with(|| may_contain_unsafe(ecx, def_id));
+            self.loaded_mir_with_unsafe = Some(found_unsafe);
+        } else {
+            self.loaded_mir_with_unsafe = Some(true);
+        }
+    }
+
+    #[cold]
+    #[inline(never)]
+    fn analyze_stack<'mir, 'tcx>(ecx: &InterpCx<'mir, 'tcx, CompileTimeInterpreter<'mir, 'tcx>>) {
+        let mut this = ecx.machine.unsafe_detector.borrow_mut();
+        let stack = CompileTimeInterpreter::stack(ecx);
+        if stack.len() == 1 {
+            let frame = stack.last().unwrap();
+            this.analyze_def(ecx, frame.instance.def_id());
+        } else {
+            this.loaded_mir_with_unsafe = Some(true);
+        }
+    }
+
+    #[inline]
+    fn is_init(&self) -> bool {
+        self.loaded_mir_with_unsafe.is_some()
+    }
+
+    #[inline]
+    fn mir_needs_validation(&self) -> bool {
+        self.loaded_mir_with_unsafe == Some(true)
+    }
+}
+
 impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir, 'tcx> {
     compile_time_machine!(<'mir, 'tcx>);
 
+    fn enforce_validity(ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
+        let unsafe_detector = ecx.machine.unsafe_detector.get_mut();
+        if !unsafe_detector.is_init() {
+            UnsafeDetector::analyze_stack(ecx);
+        }
+        ecx.machine.unsafe_detector.get_mut().mir_needs_validation()
+    }
+
     type MemoryKind = MemoryKind;
 
     const PANIC_ON_ALLOC_FAIL: bool = false; // will be raised as a proper error
@@ -240,10 +339,12 @@ impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir,
         ecx: &InterpCx<'mir, 'tcx, Self>,
         instance: ty::InstanceDef<'tcx>,
     ) -> InterpResult<'tcx, &'tcx mir::Body<'tcx>> {
-        match instance {
+        ecx.machine.unsafe_detector.borrow_mut().analyze_def(ecx, instance.def_id());
+
+        let mir = match instance {
             ty::InstanceDef::Item(def) => {
                 if ecx.tcx.is_ctfe_mir_available(def.did) {
-                    Ok(ecx.tcx.mir_for_ctfe_opt_const_arg(def))
+                    ecx.tcx.mir_for_ctfe_opt_const_arg(def)
                 } else if ecx.tcx.def_kind(def.did) == DefKind::AssocConst {
                     let guar = ecx.tcx.sess.delay_span_bug(
                         rustc_span::DUMMY_SP,
@@ -252,12 +353,16 @@ impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for CompileTimeInterpreter<'mir,
                     throw_inval!(AlreadyReported(guar));
                 } else {
                     let path = ecx.tcx.def_path_str(def.did);
-                    Err(ConstEvalErrKind::NeedsRfc(format!("calling extern function `{}`", path))
-                        .into())
+                    return Err(ConstEvalErrKind::NeedsRfc(format!(
+                        "calling extern function `{}`",
+                        path
+                    ))
+                    .into());
                 }
             }
-            _ => Ok(ecx.tcx.instance_mir(instance)),
-        }
+            _ => ecx.tcx.instance_mir(instance),
+        };
+        Ok(mir)
     }
 
     fn find_mir_or_eval_fn(

compiler/rustc_const_eval/src/interpret/machine.rs

@@ -131,7 +131,7 @@ pub trait Machine<'mir, 'tcx>: Sized {
     fn force_int_for_alignment_check(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;
 
     /// Whether to enforce the validity invariant
-    fn enforce_validity(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;
+    fn enforce_validity(ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool;
 
     /// Whether to enforce integers and floats being initialized.
     fn enforce_number_init(ecx: &InterpCx<'mir, 'tcx, Self>) -> bool;
@@ -450,7 +450,7 @@ pub macro compile_time_machine(<$mir: lifetime, $tcx: lifetime>) {
     }
 
     #[inline(always)]
-    fn enforce_validity(_ecx: &InterpCx<$mir, $tcx, Self>) -> bool {
+    fn enforce_validity(_ecx: &mut InterpCx<$mir, $tcx, Self>) -> bool {
         false // for now, we don't enforce validity
     }
 

compiler/rustc_mir_transform/src/const_prop.rs

@@ -184,6 +184,12 @@ impl ConstPropMachine<'_, '_> {
 
 impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for ConstPropMachine<'mir, 'tcx> {
     compile_time_machine!(<'mir, 'tcx>);
+
+    #[inline(always)]
+    fn enforce_validity(_ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
+        false
+    }
+
     const PANIC_ON_ALLOC_FAIL: bool = true; // all allocations are small (see `MAX_ALLOC_LIMIT`)
 
     type MemoryKind = !;

compiler/rustc_mir_transform/src/const_prop_lint.rs

@@ -176,6 +176,12 @@ impl ConstPropMachine<'_, '_> {
 
 impl<'mir, 'tcx> interpret::Machine<'mir, 'tcx> for ConstPropMachine<'mir, 'tcx> {
     compile_time_machine!(<'mir, 'tcx>);
+
+    #[inline(always)]
+    fn enforce_validity(_ecx: &mut InterpCx<'mir, 'tcx, Self>) -> bool {
+        false
+    }
+
     const PANIC_ON_ALLOC_FAIL: bool = true; // all allocations are small (see `MAX_ALLOC_LIMIT`)
 
     type MemoryKind = !;

src/test/ui/const-generics/min_const_generics/invalid-patterns.32bit.stderr

@@ -22,49 +22,29 @@ error[E0308]: mismatched types
 LL |   get_flag::<42, 0x5ad>();
    |                  ^^^^^ expected `char`, found `u8`
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:38:21
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:38:32
    |
 LL |   get_flag::<false, { unsafe { char_raw.character } }>();
-   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 4, align: 4) {
-               __ __ __ __                                     │ ░░░░
-           }
+   |                                ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:40:14
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:40:25
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
-   |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 1, align: 1) {
-               42                                              │ B
-           }
+   |                         ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:42:14
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:42:25
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
-   |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 1, align: 1) {
-               42                                              │ B
-           }
+   |                         ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:42:47
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:42:58
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
-   |                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 4, align: 4) {
-               __ __ __ __                                     │ ░░░░
-           }
+   |                                                          ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
 
 error: aborting due to 8 previous errors
 

src/test/ui/const-generics/min_const_generics/invalid-patterns.64bit.stderr

@@ -22,49 +22,29 @@ error[E0308]: mismatched types
 LL |   get_flag::<42, 0x5ad>();
    |                  ^^^^^ expected `char`, found `u8`
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:38:21
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:38:32
    |
 LL |   get_flag::<false, { unsafe { char_raw.character } }>();
-   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 4, align: 4) {
-               __ __ __ __                                     │ ░░░░
-           }
+   |                                ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:40:14
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:40:25
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
-   |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 1, align: 1) {
-               42                                              │ B
-           }
+   |                         ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:42:14
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:42:25
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
-   |              ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 1, align: 1) {
-               42                                              │ B
-           }
+   |                         ^^^^^^^^^^^^^^^^ type validation failed: encountered 0x42, but expected a boolean
 
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/invalid-patterns.rs:42:47
+error[E0080]: evaluation of constant value failed
+  --> $DIR/invalid-patterns.rs:42:58
    |
 LL |   get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
-   |                                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 4, align: 4) {
-               __ __ __ __                                     │ ░░░░
-           }
+   |                                                          ^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected a valid unicode scalar value (in `0..=0x10FFFF` but not in `0xD800..=0xDFFF`)
 
 error: aborting due to 8 previous errors
 

src/test/ui/const-generics/min_const_generics/invalid-patterns.rs

@@ -36,10 +36,10 @@ fn main() {
 
 
   get_flag::<false, { unsafe { char_raw.character } }>();
-  //~^ ERROR it is undefined behavior
+  //~^ ERROR evaluation of constant value failed
   get_flag::<{ unsafe { bool_raw.boolean } }, 'z'>();
-  //~^ ERROR it is undefined behavior
+  //~^ ERROR evaluation of constant value failed
   get_flag::<{ unsafe { bool_raw.boolean } }, { unsafe { char_raw.character } }>();
-  //~^ ERROR it is undefined behavior
-  //~| ERROR it is undefined behavior
+  //~^ ERROR evaluation of constant value failed
+  //~| ERROR evaluation of constant value failed
 }

src/test/ui/consts/const-err4.32bit.stderr

@@ -1,13 +1,8 @@
-error[E0080]: it is undefined behavior to use this value
-  --> $DIR/const-err4.rs:9:11
+error[E0080]: evaluation of constant value failed
+  --> $DIR/const-err4.rs:9:21
    |
 LL |     Boo = [unsafe { Foo { b: () }.a }; 4][3],
-   |           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected initialized bytes
-   |
-   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: 4, align: 4) {
-               __ __ __ __                                     │ ░░░░
-           }
+   |                     ^^^^^^^^^^^^^^^ type validation failed: encountered uninitialized bytes, but expected initialized bytes
 
 error: aborting due to previous error