Add debug_assert_nounwind and convert assert_unsafe_precondition
#110303
Conversation
|
r? @scottmcm (rustbot has picked a reviewer for you, use r? to override) |
rustbot
added
S-waiting-on-review
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
| #[unstable(feature = "core_panic", issue = "none")] | ||
| #[allow_internal_unstable(core_panic, const_format_args)] | ||
| #[rustc_macro_transparency = "semitransparent"] | ||
| pub macro debug_assert_nounwind { |
There was a problem hiding this comment.
This macro should have documentation that explains that it should be used in unsafe contexts because it cannot compromise unwind safety. (and that debug_assert! shouldn't be because it can)
There was a problem hiding this comment.
Well, actually no unwind safety is compromised and debug_assert! can be used in these contexts, because if unwinding would only happen when there's an UB, and unwinding happening at undesirable place is an allowed behaviour for UB.
That said, causing UB by unwinding certainly defeats the purpose of having these assertions for debugging.
|
Hmm, maybe it's worth using CES to not do this for some of the cases in const eval, because the old message here is better: ---- [ui] tests/ui/consts/const_unsafe_unreachable_ub.rs stdout ----
diff of stderr:
1 error[E0080]: evaluation of constant value failed
- --> $SRC_DIR/core/src/hint.rs:LL:COL
+ --> $SRC_DIR/core/src/panicking.rs:LL:COL
3 |
- = note: entering unreachable code
+ = note: the evaluated program panicked at 'hint::unreachable_unchecked must never be reached', $SRC_DIR/core/src/panicking.rs:LL:COL
5 | |
scottmcm
added
S-waiting-on-author
|
Ah yes this old question. The "problem" is that we now detect more UB in const eval. The UB was previously only detected by sheer luck, because we produced an invalid value in a I think the new error message is just as helpful, and perhaps it is extra reason to improve the panic messages with some formatting of the output. |
When it comes to There are plenty of other places where I think checking with |
| @@ -122,7 +135,8 @@ pub const fn panic(expr: &'static str) -> ! { | |||
| #[cfg_attr(feature = "panic_immediate_abort", inline)] | |||
| #[lang = "panic_nounwind"] // needed by codegen for non-unwinding panics | |||
| #[rustc_nounwind] | |||
| pub fn panic_nounwind(expr: &'static str) -> ! { | |||
| #[rustc_const_unstable(feature = "core_panic", issue = "none")] | |||
| pub const fn panic_nounwind(expr: &'static str) -> ! { | |||
There was a problem hiding this comment.
What is the impact of adding #[track_caller] here? That would improve the const panic.
There was a problem hiding this comment.
That will require codegen backend changes to add the implicit caller location argument when it is manually called (as opposed through a Call MIR terminator).
There was a problem hiding this comment.
I think that's fine? Debug assertions are expected to have overhead, sometimes a lot of overhead. If people are concerned about debug assertions, they should turn them off. Or we should factor these assertions out to a separate flag. Either option is preferable to sacrificing UX for those who can afford the overhead, which as far as I can tell is most people?
There was a problem hiding this comment.
panic_nounwind is not just for debug assertions. panic_nounwind is used in situations where it is important to keep the code size small, and having track_caller would be contrary to that goal.
The comment above the function (helpfully hidden by github) explains this:
/// Like `panic`, but without unwinding and track_caller to reduce the impact on codesize.
There was a problem hiding this comment.
Callers that do not care about code size can just call panic_nounwind_fmt(format_args!("my message")) instead, then they will get track_caller.
This comment has been minimized.
This comment has been minimized.
CTFE has no notation of address, so this can't be checked during const eval. |
|
Is there a way to gate tests depending on whether debug assertion is enabled for std or not? Apparently adding |
|
|
CTFE doen't have (absolute) addresses, but it still has alignment / relative addresses. So this works, but the errors do indeed look worse. code + errors#![feature(const_pointer_byte_offsets)]
#![feature(const_ptr_read)]
#![feature(pointer_byte_offsets)]
const _: i32 = {
let a = [1, 2];
unsafe { a.as_ptr().byte_add(1).read() }
};
const _: i32 = {
unsafe { core::ptr::null::<i32>().read() }
};CTFE errors: assertion errors: |
|
That's checking for guaranteed alignment, not the actual alignment. The behaviour of |
|
☔ The latest upstream changes (presumably #110393) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@scottmcm I've reverted the change in |
|
☔ The latest upstream changes (presumably #111453) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@rustbot ready |
rustbot
added
S-waiting-on-review
|
Sorry, I think this should go to a team member for review since it's a convention change |
|
@bors r=Mark-Simulacrum |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-actions |
1 similar comment
|
☀️ Test successful - checks-actions |
|
Finished benchmarking commit (9529a5d): comparison URL. Overall result: ❌✅ regressions and improvements - ACTION NEEDEDNext Steps: If you can justify the regressions found in this perf run, please indicate this with @rustbot label: +perf-regression Instruction countThis is a highly reliable metric that was used to determine the overall result at the top of this comment.
Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Binary sizeResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Bootstrap: 672.47s -> 675.527s (0.45%) |
|
A bit of churn in the perf results. Nothing to really worry about, though, I think. Hopefully the 3s increase in bootstrap time is just noise? @rustbot label: +perf-regression-triaged |
rustbot
added
the
perf-regression-triaged
| @@ -1,6 +1,7 @@ | |||
| // stderr-per-bitwidth | |||
| // ignore-endian-big | |||
| // ignore-tidy-linelength | |||
| // ignore-debug debug assertions catch some UB too early | |||
There was a problem hiding this comment.
This is bad. It is fairly common that developers have debug assertions enabled locally so this now means they can't run or bless this test any more.
This will regularly affect me when I work on const-eval things. I would now have to bless this test by hand by copy-pasting CI results, which is clearly not a workable development mode. I think we cannot disable this test, we need to find another solution.
EDIT: Ah turns out I have debug-assertions-std = false. But still, making const-eval development hard with debug-assertions-std = true is not a great situation.
There was a problem hiding this comment.
The diff seems to be caused by Alignment::new_unchecked. IMO we should either un-do the PR for that or use a different way of creating invalid layouts for this test (that avoids the assertion).
| #[rustc_const_unstable(feature = "core_panic", issue = "none")] | ||
| pub const fn panic_nounwind_fmt(fmt: fmt::Arguments<'_>, force_no_backtrace: bool) -> ! { | ||
| #[track_caller] | ||
| fn runtime(fmt: fmt::Arguments<'_>, force_no_backtrace: bool) -> ! { |
There was a problem hiding this comment.
This should probably have at least #[cfg_attr(feature = "panic_immediate_abort", inline)], like almost all the functions in this file.
make const tests independent of std debug assertions Fixes some fallout from rust-lang#110303: `ignore-debug` is bad since it makes it very annoying to develop rustc with debug assertions enabled. These tests do not really provide any interesting test coverage, we already got plenty of other tests that check that we detect invalid enums. So we can just remove them.
Rollup merge of rust-lang#118358 - RalfJung:const-tests, r=WaffleLapkin make const tests independent of std debug assertions Fixes some fallout from rust-lang#110303: `ignore-debug` is bad since it makes it very annoying to develop rustc with debug assertions enabled. These tests do not really provide any interesting test coverage, we already got plenty of other tests that check that we detect invalid enums. So we can just remove them.
make sure panic_nounwind_fmt can still be fully inlined (e.g. for panic_immediate_abort) Follow-up to rust-lang#110303.
make sure panic_nounwind_fmt can still be fully inlined (e.g. for panic_immediate_abort) Follow-up to rust-lang/rust#110303.
make sure panic_nounwind_fmt can still be fully inlined (e.g. for panic_immediate_abort) Follow-up to rust-lang/rust#110303.
make sure panic_nounwind_fmt can still be fully inlined (e.g. for panic_immediate_abort) Follow-up to rust-lang/rust#110303.
assert_unsafe_preconditionchecks non-CTFE-evaluable conditions in runtime and performs no-op in compile time, while many of its current usage can be checked during const eval.