CTFE/Miri engine Pointer type overhaul

[RalfJung]

This fixes the long-standing problem that we are using Scalar as a type to represent pointers that might be integer values (since they point to a ZST). The main problem is that with int-to-ptr casts, there are multiple ways to represent the same pointer as a Scalar and it is unclear if "normalization" (i.e., the cast) already happened or not. This leads to ugly methods like force_mplace_ptr and force_op_ptr.
Another problem this solves is that in Miri, it would make a lot more sense to have the Pointer::offset field represent the full absolute address (instead of being relative to the AllocId). This means we can do ptr-to-int casts without access to any machine state, and it means that the overflow checks on pointer arithmetic are (finally!) accurate.

To solve this, the Pointer type is made entirely parametric over the provenance, so that we can use Pointer<AllocId> inside Scalar but use Pointer<Option<AllocId>> when accessing memory (where None represents the case that we could not figure out an AllocId; in that case the offset is an absolute address). Moreover, the Provenance trait determines if a pointer with a given provenance can be cast to an integer by simply dropping the provenance.

I hope this can be read commit-by-commit, but the first commit does the bulk of the work. It introduces some FIXMEs that are resolved later.
Fixes rust-lang/miri#841
Miri PR: rust-lang/miri#1851
r? @oli-obk

[rust-highfive]

Some changes occured to the CTFE / Miri engine

cc @rust-lang/miri

Some changes occured to rustc_codegen_cranelift

cc @bjorn3

Some changes occured to the CTFE / Miri engine

cc @rust-lang/miri

[oli-obk]

could into_parts assert this flag internally? Or does miri also have a need for it?

[RalfJung]

Yeah Miri needs to access the offset to compare between Pointer<AllocId> (address is relative) and Pointer<Tag> (address is absolute).

[RalfJung]

FWIW, I actually did think of a way to make this more type-safe: the Provenance trait could have an associated type Offset, and a function wrap_offset(Size) -> Offset. Then into_parts would return Offset, so code generic in Tag would actually not know the type Offset and this could not use it wrong.

Then we might go even further and make the Pointer::offset field be of type Offset... though at that point we cannot define generic pointer arithmetic methods any more so we'd need some more methods in the Provenance trait.

But I am not sure if that's worth it. I had one bug caused by mis-interpreting a relative offset as absolute, and this would not have caught it (since the bug was about pointers stored inside an Allocation, where the offset is part of the byte array anyway).

[oli-obk]

Why is there a custom formatting function? Couldn't this be an impl on Pointer<AllocId> directly, allowing all aggregates containing Pointer to derive their Debug impls?

[RalfJung]

I don't see how. The Tag type affects how the Pointer itself is rendered:

• Pointer<AllocId>: alloc123+0x13
• Pointer<Tag>: 0x12defg60[alloc123]<Stacked Borrows info>

[RalfJung]

I'm mainly unhappy about the roundabout formatting stuff that requires one to essentially write the derived impl by hand.

Yeah I am unhappy about that as well.^^ Open to suggestions for how to do this better.

[oli-obk]

can miri implement Display for Pointer since Tag is a miri-internal type?

[RalfJung]

Doesn't that only work for "fundamental" types?

[RalfJung]

Oh also that would not help -- the generic code in rustc_mir::interpret needs to know for sure that it can debug-print pointers. So we need something generic.

Is it possible to add Pointer<Self::PointerTag>: Debug as a requirement to the Machine trait?^^

[oli-obk]

Is it possible to add Pointer<Self::PointerTag>: Debug as a requirement to the Machine trait?^^

Not in a useful way (you'd have to repeat the bound at every usage site of Machine).

but you could keep your fmt function and only implement Debug manually on Pointer<Tag: Provenance> and then you should be able to derive Debug everywhere else, as long as you add the Tag: Provenance bound to all the types instead of only on the impls. It's not nice, but nicer than doing manual trivial impls everywhere I think?

[oli-obk]

thinking about this again, it's not too bad, so we can merge and figure out improvements later

[oli-obk]

The design lgtm in general, I'm mainly unhappy about the roundabout formatting stuff that requires one to essentially write the derived impl by hand.

[RalfJung]

I pushed some more commits, mostly because changes were needed to get Miri to work again.

One change is rather unfortunate: I had to give the init_allocation_extra machine hook access to &Memory (and not just &MemoryExtra, and this necessitated a less optimal implementation of Memory::get_mut. With a better borrow checker we could recover the original cost for the happy case (where the allocation is in the local memory), but there'd still be extra cost for when we have to reach for the global memory. I also hat to make MonoHashMap::get in Miri less efficient to avoid RefCell panics.
The reason Miri needs &Memory is that it needs to query the size and alignment of allocations. So one possible alternative would be to make dead_alloc_map actually contain all allocations, not just the dead ones; and to give the init_allocation_extra machine hook access to that map as well. This would be a rather gross hack since Rust does not have good support for representing "a struct with some of its fields borrowed away".

An extremely coarse benchmark (time ./miri test pass) showed no regressions in Miri performance; let's make sure there is no rustc regression either:
@bors try
@rust-timer queue

[oli-obk]

r=me if you want, unless you are already working on the things we discussed and want to get them into this PR

[RalfJung]

Yeah I am already experimenting now.^^

[RalfJung]

This leads to an unnecessary Tag: Debug bound (because we can't control the where clause if the generated Debug, which is the entire problem of course), but I still think it's a win overall.

I did not yet do this for Scalar and ScalarMaybeUninit though, just to the higher-level types. Those two have custom Debug impls anyway.

[RalfJung]

Ah, with that last commit this PR actually has a net negative line count. :)

[oli-obk]

@bors r+

[bors]

📌 Commit efbee50 has been approved by oli-obk

[bors]

⌛ Testing commit efbee50 with merge c78ebb7...

[bors]

☀️ Test successful - checks-actions
Approved by: oli-obk
Pushing c78ebb7 to master...

[rust-highfive]

📣 Toolstate changed by #87123!

Tested on commit c78ebb7.
Direct link to PR: #87123

💔 miri on windows: test-pass → build-fail (cc @eddyb @RalfJung @oli-obk).
💔 miri on linux: test-pass → build-fail (cc @eddyb @RalfJung @oli-obk).