Do not assert layout in KnownPanicsLint.

[cjgillot]

Fixes #121176
Fixes #129109
Fixes #130970
Fixes #131347
Fixes #139872
Fixes #140332

[rustbot]

r? @davidtwco

rustbot has assigned @davidtwco.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

[rustbot]

Some changes occurred to the CTFE / Miri interpreter

cc @rust-lang/miri

This PR changes a file inside tests/crashes. If a crash was fixed, please move into the corresponding ui subdir and add 'Fixes #' to the PR description to autoclose the issue upon merge.

Some changes occurred to MIR optimizations

cc @rust-lang/wg-mir-opt

Some changes occurred to the CTFE machinery

cc @RalfJung, @oli-obk, @lcnr

[RalfJung]

I'm not a fan of these functions. The point of the assertions is that they are a last line of defense to detect defective callers. They are not exhaustive checks. If the caller can't ensure that the value has the right type, that can only be fixed in the caller.

IOW, matches_abi here really is more of a maybe_matches_abi. It is necessary, but not sufficient. And trying to make it sufficient is the wrong approach; the right approach is figuring out why someone is feeding bogus data into these functions.

[RalfJung]

For instance, this is a clearly ill-formed static. Nothing should ever look at its MIR. Trying to make the MIR interpreter APIs resistant against bogus MIR is a pointless game of whack-a-mole.

[oli-obk]

yea those cases are straight forward to prevent within type_of, we don't even need to compute the layout, just doing a sizedness check.

[RalfJung]

That doesn't quite work since we allow extern statics that have extern types, which are unsized.

[oli-obk]

Well, we can check the tail manually for slices and dyn trait

[RalfJung]

But that requires unfolding the type which will trigger the same cycle error, won't it?

[RalfJung]

These all seem to be standard cases of "ill-formed MIR gets too far into the pipeline". We should never run any MIR passes on ill-formed MIR; it is a waste of effort to try and fix this inside every individual pass.

[cjgillot]

These all seem to be standard cases of "ill-formed MIR gets too far into the pipeline". We should never run any MIR passes on ill-formed MIR; it is a waste of effort to try and fix this inside every individual pass.

I agree, but fixing this is general is hard too. We have an ImpossiblePredicates pass to skip this kind of nonsense, but it is quite limited to avoid query cycles. And it cannot handle nonsense that spans multiple items.

A "cleaner" way would be to ensure we never produce a constant with mismatching ABI, be it as a ConstValue or as an OpTy. But that also clashes with the notion that miri should run on sensible code.

[RalfJung]

These are statics failing the "it must be sized" check. It's not some impossible where bound. I don't see what is so hard about marking them as tainted so nothing else ever touches them again. It's the exact same thing as a static whose initializer body is plainly ill-typed.

[cjgillot]

@RalfJung this latest version prevents creating the erroneous constants altogether. Do you agree with this version?

[RalfJung]

Yeah, that looks much better, thanks.

I'm not familiar with MIR building so I can't approve this on my own, however.

[cjgillot]

It's not ready yet. Just checking sizedness is not enough, as some non-sized types are OK too, like extern types. And using layout causes cycles.

[RalfJung]

Extern types can only work with extern statics, right?

And even then, that seems kind of cursed. Did we intentionally allow that or just forget to disallow it?

[cjgillot]

Extern types can only work with extern statics, right?

Or inside pointers. And pointers to extern types are scalars.

And even then, that seems kind of cursed. Did we intentionally allow that or just forget to disallow it?

It's intentional. We have a run-make test to verify this works.

[RalfJung]

Pointers to extern types are sized so there is no problem with them, those should just work.

[cjgillot]

The failing test is this one:

rust/tests/run-make/static-extern-type/use-foo.rs

Lines 3 to 7 in a7a1618

	extern "C" {
	type Foo;
	static FOO: Foo;
	fn bar(foo: *const Foo) -> u8;
	}

As a foreign type Foo is not sized, but &Foo and *mut Foo are still scalar. This is a special case in layout computation.

Checking whether &T is scalar in full generality requires either to call layout_of, or to open-code it. Internally, it normalizes <T as Pointee>::Metadata and compute that type's layout. The normalization process may try to normalize opaque types. This breaks https://github.com/rust-lang/rust/blob/master/tests/ui/coroutine/layout-error.rs

[RalfJung]

The failing test is this one:

Yeah, that is a very odd test, I didn't think we'd allow extern statics with unknown size. Interestingly, we reject static FOO2: [i32]; (as we have to).

What is not entirely clear to me is why we'd care about whether &Foo has metadata or not. Is that for constructing the pointer that represents the extern static access in MIR? As far as I can see, those pointers are always scalar, since statics with unsized types that require metadata are forbidden (and that makes sense; where would the metadata come from anyway).

[RalfJung]

All the issues referenced here seem to be about statics that are unsized-with-metadata. You can check for this without knowing the layout; just call ptr_metadata_ty on the type of the static. Statics can't be generic so this should always give you a definite answer.

This still has to normalize some things though, so that coroutine case could become interesting. But it's okay for that code to error, it just can't ICE.

[RalfJung]

Suggested change

	tcx.dcx().span_delayed_bug(span, format!("static's type `{ty}` is not Sized"));
	tcx.dcx().span_delayed_bug(span, format!("static's type `{pointee}` is not Sized"));

[RalfJung]

Wouldn't an alternative be to change the type of the static itself to TyKind::Error after we determined that it's not a valid type for a static? Then we don't need patches like this all over the rest of the compiler.

Cc @oli-obk

[RalfJung]

ty is not the type of the static, it's the type of a pointer to the static.

[RalfJung]

As noted before, I think the better approach would be to give the static an Error type -- otherwise, there might well be other consumers all over rustc that assume things about a statics type, that all need to get a fix like this.

[cjgillot]

I tried that, and for some reason that was not enough to fix the ices. I did try to find why error tainting failed.

[RalfJung]

@oli-obk is it okay for this to cycle-error? Having the type of a static depend on its value does seem quite cursed.^^

[oli-obk]

Is a static's type meaningfully different from a function's return type? Because it's not about its evaluated value, but just how opaque types work.

I don't think this use case is particularly unusual and expect people will want to be using TAITs like this.

[RalfJung]

Is a static's type meaningfully different from a function's return type?

Hm... not really, the problem is just that the constraint on the type cannot be so easily expressed as a trait query. For return types it's T: Sized, but for static types it's... T: Pointee<Metadata = ()> or so?

[oli-obk]

Wouldn't an alternative be to change the type of the static itself to TyKind::Error after we determined that it's not a valid type for a static? Then we don't need patches like this all over the rest of the compiler.

that would mean moving these checks to type_of, which should be fine for static items, but are very cycle prone for other things

[rustbot]

This PR modifies tests/ui/issues/. If this PR is adding new tests to tests/ui/issues/,
please refrain from doing so, and instead add it to more descriptive subdirectories.

[cjgillot]

Wouldn't an alternative be to change the type of the static itself to TyKind::Error after we determined that it's not a valid type for a static? Then we don't need patches like this all over the rest of the compiler.

that would mean moving these checks to type_of, which should be fine for static items, but are very cycle prone for other things

The latest commit tries that. I think it's worse because it breaks passing tests.