Separate MIR lints from validation

[tmiasko]

Add a MIR lint pass, enabled with -Zlint-mir, which identifies undefined or
likely erroneous behaviour.

The initial implementation mostly migrates existing checks of this nature from
MIR validator, where they did not belong (those checks have false positives and
there is nothing inherently invalid about MIR with undefined behaviour).

Fixes #104736
Fixes #104843
Fixes #116079
Fixes #116736
Fixes #118990

[rustbot]

Some changes occurred to MIR optimizations

cc @rust-lang/wg-mir-opt

[matthiaskrgr]

Could you mention the new flag in the pr body somewhere so that git log --grep Zlint-mir finds it? 🙃

[saethlin]

there is nothing inherently invalid about MIR with undefined behaviour

I can see this being true for dead code, but I don't understand how this is true in general. Can you explain?

[tmiasko]

there is nothing inherently invalid about MIR with undefined behaviour

I can see this being true for dead code, but I don't understand how this is true in general. Can you explain?

Validator should only check that MIR is well-formed. It shouldn't be concerned with behaviour as such, and the fact that it encountered MIR with an undefined behaviour is not a reason to raise an internal compiler error.

[cjgillot]

Should we enable this by default for miropt tests ? Eventually with an 'allow' attr if ub is expected ?

[tmiasko]

• Updated compiletest to use -Zlint-mir by default for mir opt tests (one of tests violates the new return when still live check, so I disabled the lint there).

[cjgillot]

@bors r+

[bors]

📌 Commit ba430a3 has been approved by cjgillot

It is now in the queue for this repository.

[matthiaskrgr]

Fixes https://github.com/rust-lang/rust/issues/104736
Fixes https://github.com/rust-lang/rust/issues/104843
Fixes https://github.com/rust-lang/rust/issues/116079
Fixes https://github.com/rust-lang/rust/issues/116736
Fixes https://github.com/rust-lang/rust/issues/118990

Hm, so I guess all of these still ICE with -Zlint-mir?
What does this mean wrt the classification of such bugs?
Should they be reopened?

[est31]

I don't understand either why these issues were closed. Were they closed because they are false positives? Because I think that any case is a bug where you have safe Rust leading to UB in the generated MIR, whether there is an ICE about it or not. I think at least #104736 and #118990 fall under this. There is two more issues that don't have unsafe but use nightly features: those issues are also still important (unless they are false positives).

[tmiasko]

I think all those issues are false positives.

Those false positives arise from our MIR building strategy for temporaries, where StorageLive doesn't always dominate drop and StorageDead.

[saethlin]

In what sense are those false positives? Our documentation for the semantics of StorageLive/StorageDead clearly says such code is UB, and therefore it is a bug for MIR building to produce such code.

[tmiasko]

In all those issues the MIR after building looks roughly as follows:

flowchart TD
    Start --> Drop["Drop(x)"];
    Live["StorageLive(x)"] --> Init["x = ..."];
    Init --> Drop;
    Drop --> Dead["StorageDead(x)"];

Loading

Before drop elaboration Drop(x) uses x but only when x is initialized. Since x is uninitialized, drop is never executed. Behavior is well defined and we have a false positive.

[saethlin]

That sounds to me like a rather specific issue with the use of storage check disagreeing with pre-drop-elaboration MIR. Why didn't you propose a targeted fix?

[tmiasko]

That sounds to me like a rather specific issue with the use of storage check disagreeing with pre-drop-elaboration MIR.

Why would it be specific to pre drop elaboration? Because drop is definitely dead and removed? It happens sometimes, for example in #118990. In general, the same situation could arise later on. Continuing with example from #118990, Replace break 'code; with if true { break 'code; } to obscure from drop elaboration the fact that temporary is definitely uninitialized. The false positive arise at a later stage.

[RalfJung]

FWIW there are more UB checks in the validator, such as the check whether LHS and RHS overlap in assignment.

[tmiasko]

I was planning to do some follow up work, including migrating remaining checks as well. In fact, we already had a false positive regarding memory overlap.

[RalfJung]

we already had a false positive regarding memory overlap.

Do you have a link to that?

[tmiasko]

we already had a false positive regarding memory overlap.

Do you have a link to that?

#105428