          Re-enable copy[_nonoverlapping]() debug-checks
          #90041
        
| (rust-highfive has picked a reviewer for you, use r? to override) | 
      
        
| blocked on lang team sign off in the issue | 
        
          
                library/core/src/intrinsics.rs
              
Does this imply that miri checks the same conditions?
We were debating in the @rust-lang/lang meeting whether miri even could check alignment. I was assuming that we have some idea of what the alignment of an allocation will be (based on what type it was created to represent), and hence we could do the checks, but we weren't clear on what actually happens.
In general, what kind of guarantees do we expect to make here, either at runtime or compilation time? Are these covered in the comment above?
Our general feeling is that this is a "best effort" check and it's ok to go forward, but we were not clear on the overall limits of the extent to which miri can check this.
Well... these are only debug assertions, and they are commented out at present. But assuming that is irrelevant to the point: we are checking that the pointer is aligned by at least the alignment of the type of the pointee.
Miri checks everything, but miri uses the runtime path here, not the compile-time path.
CTFE mostly checks nothing unless necessary for being able to operate without ICEing. I don't remember if any alignment checks are still happening, but if they are, it's only because it was easier than having to separate the miri and CTFE logic.
Can we clarify these in-code comments to be specific about which checks are done or not done? Otherwise I think it's misleading to imply we are checking all of non null, alignment, and non-overlapping if that's not the case.
| // check is done implicitly by the CTFE-engine | |
| // Some best-effort checks (TODO: which) are done by the CTFE-engine. | |
| //This is fine as the runtime checks only happen in debug mode, so | |
| // undefined behavior would still occur in the release mode. | 
Maybe with a comment like this (obviously filled with the correct CTFE-checks done)?
CTFE does the following checks:

Make sure the total number of bytes is less than usize::max_value
rust/compiler/rustc_const_eval/src/interpret/intrinsics.rs
Lines 548 to 553 in 6162529

```rust
let size = size.checked_mul(count, self).ok_or_else(|| {
    err_ub_format!(
        "overflow computing total size of `{}`",
        if nonoverlapping { "copy_nonoverlapping" } else { "copy" }
    )
})?;
```

Make sure both arguments are pointers with provenance
rust/compiler/rustc_const_eval/src/interpret/intrinsics.rs
Lines 555 to 556 in 6162529

```rust
let src = self.read_pointer(&src)?;
let dst = self.read_pointer(&dst)?;
```

Make sure that the pointers are in bounds of the allocation they point to and aligned properly
Note that "properly aligned" is pessimistic. If you allocate a [u8] and convert that to a [u16], it will still assume every byte has alignment 1, in contrast to real hardware, where every second byte has alignment 2.
rust/compiler/rustc_const_eval/src/interpret/memory.rs
Lines 1039 to 1040 in 6162529

```rust
let src_parts = self.get_ptr_access(src, size, src_align)?;
let dest_parts = self.get_ptr_access(dest, size * num_copies, dest_align)?; // `Size` multiplication
```

Make sure the copy actually is nonoverlapping
rust/compiler/rustc_const_eval/src/interpret/memory.rs
Lines 1103 to 1110 in 6162529

```rust
if nonoverlapping {
    // `Size` additions
    if (src_offset <= dest_offset && src_offset + size > dest_offset)
        || (dest_offset <= src_offset && dest_offset + size > src_offset)
    {
        throw_ub_format!("copy_nonoverlapping called on overlapping ranges")
    }
}
```
Thanks for this great summary!
So, if I understand this correctly, the CTFE does check the is_nonoverlapping and is_not_null (I assume null-pointers neither point to allocations nor have provenance) cases. So the is_aligned-part is missing.
One could simply update the comment with this information. But I wanna ask first: would it be even possible/reasonable to check the alignment?
alignment is checked, but the check is more conservative than the runtime check. This happens together with inbounds checks
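The runtime side of the checks discussed in this thread, as an added example (not code from this PR or from `core`): a wrapper that reports which precondition of `copy_nonoverlapping` a call would violate, covering size overflow, null, alignment and overlap. `CopyError`, `check_ptr`, `ranges_overlap`, `checked_copy_nonoverlapping` and `demo` are names invented here; in-bounds validity cannot be verified from raw addresses, so the wrapper stays `unsafe`.

```rust
use std::ptr;

/// Which precondition of `copy_nonoverlapping` the call would violate.
#[derive(Debug, PartialEq, Eq)]
pub enum CopyError {
    SizeOverflow,
    NullPointer,
    Misaligned,
    Overlapping,
}

/// The pointer must be non-null and aligned to at least `align_of::<T>()`.
fn check_ptr<T>(p: *const T) -> Result<(), CopyError> {
    if p.is_null() {
        return Err(CopyError::NullPointer);
    }
    if (p as usize) % std::mem::align_of::<T>() != 0 {
        return Err(CopyError::Misaligned);
    }
    Ok(())
}

/// Same condition as the CTFE snippet quoted above, rearranged as a distance
/// comparison so that `offset + size` cannot overflow.
pub fn ranges_overlap(src: usize, dst: usize, size: usize) -> bool {
    let distance = if src <= dst { dst - src } else { src - dst };
    distance < size
}

/// Runs the best-effort checks, then performs the copy.
///
/// # Safety
/// `src` and `dst` must still be valid for `count` elements: that part of the
/// contract is not checkable here.
pub unsafe fn checked_copy_nonoverlapping<T>(
    src: *const T,
    dst: *mut T,
    count: usize,
) -> Result<(), CopyError> {
    let size = std::mem::size_of::<T>()
        .checked_mul(count)
        .ok_or(CopyError::SizeOverflow)?;
    check_ptr(src)?;
    check_ptr(dst as *const T)?;
    if ranges_overlap(src as usize, dst as usize, size) {
        return Err(CopyError::Overlapping);
    }
    unsafe { ptr::copy_nonoverlapping(src, dst, count) };
    Ok(())
}

/// Constructed sample calls on one 8-element buffer, one per outcome.
pub fn demo() -> (Vec<Result<(), CopyError>>, [u32; 8]) {
    let mut buf = [1u32, 2, 3, 4, 5, 6, 7, 8];
    let base = buf.as_mut_ptr();
    let results = unsafe {
        vec![
            // 16 bytes copied to an address only 8 bytes away.
            checked_copy_nonoverlapping(base as *const u32, base.add(2), 4),
            // First half into second half: adjacent, not overlapping.
            checked_copy_nonoverlapping(base as *const u32, base.add(4), 4),
            // Source shifted by one byte is no longer u32-aligned.
            checked_copy_nonoverlapping(
                (base as *const u8).add(1) as *const u32,
                base.add(4),
                1,
            ),
            checked_copy_nonoverlapping(ptr::null::<u32>(), base, 1),
            // size_of::<u32>() * usize::MAX does not fit in usize.
            checked_copy_nonoverlapping(base as *const u32, base.add(4), usize::MAX),
            // Zero elements never overlap, even with identical pointers.
            checked_copy_nonoverlapping(base as *const u32, base, 0),
        ]
    };
    (results, buf)
}

fn main() {
    let (results, buf) = demo();
    for r in &results {
        println!("{:?}", r);
    }
    println!("{:?}", buf);
}
```
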
        
          
                library/core/src/intrinsics.rs
              
I think we should not use words like "referential transparency" here. Please explain here that the equivalent to the debug assertions is already done in the CTFE version of the copy_nonoverlapping intrinsic and rename compiletime_check to nop. The compiletime path is not the place that needs the explanation, the const_eval_select call is "the problem".
I think the key bit in this case isn't that they're already done in ctfe, it's that they don't need to be: in fact, some subset of the assertions isn't done in ctfe based on earlier comments, right? (Around alignment).
Yes, the argument is: these are just debug assertions, no harm in skipping them during CTFE.
        
          
                library/core/src/intrinsics.rs
              
similarly here. I don't think anyone reading this will know what's up and what safety constraints are upheld
| @rust-lang/wg-const-eval members can now approve such harmless uses of const_eval_select. So beyond the comment changes, this lgtm. | 
| const_eval_select appears to be present on beta, so the  I would also like to see the comments updated to reflect that we're not actually behaving the same way at runtime and within CTFE, but that we're OK to do so because the checks are best-effort (indeed, debug asserts) and not necessary for correctness. | 
| I've incorporated the review feedback and rebased onto the current master (while dropping the  @rustbot modify labels to -S-waiting-on-author +S-waiting-on-review | 
      
        
Please also squash the commits. Thanks!
This commit re-enables the debug checks for valid usages of the two functions `copy()` and `copy_nonoverlapping()`. Those checks were commented out in #79684 in order to make the functions const. All that's been left was a FIXME, that could not be resolved until there was a way to only do the checks at runtime.
Since #89247 there is such a way: `const_eval_select()`. This commit uses that new intrinsic in order to either do nothing (at compile time) or to do the old checks (at runtime).
The change itself is rather small: in order to make the checks usable with `const_eval_select`, they are moved into a local function (one for `copy` and one for `copy_nonoverlapping` to keep symmetry).
The change does not break referential transparency, as there is nothing you can do at compile time, which you cannot do at runtime without getting undefined behavior. The CTFE-engine won't allow misuses. The other way round is also fine.
| ⌛ Testing commit 60a9d5a with merge 733cb177b5d131572d3a9510fa70ba409b719e2a... | 
| 💔 Test failed - checks-actions | 
| ⌛ Testing commit 60a9d5a with merge 78be1ed3db2434de321c3a27feb6adfae5097bf8... | 
| 💔 Test failed - checks-actions | 
| @bors retry | 
| ☀️ Test successful - checks-actions | 
| Finished benchmarking commit (7594067): comparison url. Summary: This benchmark run did not return any relevant changes. If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf. @rustbot label: -perf-regression | 
Pkgsrc changes:
* Bump available bootstraps to 1.57.0.
* For some reason, the vendor/libc checksums don't need fixing.
* Bump required external LLVM to 12.0, according to upstream change log.
* Adapt the Darwin linker patch.

(For some reason I've not figured out yet, cargo is a lot more verbose while building, echoes the rustc invocation.)

Upstream changes:

Version 1.58.1 (2022-01-19)
===========================

* Fix race condition in `std::fs::remove_dir_all` ([CVE-2022-21658])
* [Handle captured arguments in the `useless_format` Clippy lint][clippy/8295]
* [Move `non_send_fields_in_send_ty` Clippy lint to nursery][clippy/8075]
* [Fix wrong error message displayed when some imports are missing][91254]
* [Fix rustfmt not formatting generated files from stdin][92912]

[CVE-2022-21658]: https://www.cve.org/CVERecord?id=CVE-2022-21658]
[91254]: rust-lang/rust#91254
[92912]: rust-lang/rust#92912
[clippy/8075]: rust-lang/rust-clippy#8075
[clippy/8295]: rust-lang/rust-clippy#8295

Version 1.58.0 (2022-01-13)
==========================

Language
--------

- [Format strings can now capture arguments simply by writing `{ident}` in the string.][90473] This works in all macros accepting format strings. Support for this in `panic!` (`panic!("{ident}")`) requires the 2021 edition; panic invocations in previous editions that appear to be trying to use this will result in a warning lint about not having the intended effect.
- [`*const T` pointers can now be dereferenced in const contexts.][89551]
- [The rules for when a generic struct implements `Unsize` have been relaxed.][90417]

Compiler
--------

- [Add LLVM CFI support to the Rust compiler][89652]
- [Stabilize -Z strip as -C strip][90058]. Note that while release builds already don't add debug symbols for the code you compile, the compiled standard library that ships with Rust includes debug symbols, so you may want to use the `strip` option to remove these symbols to produce smaller release binaries. Note that this release only includes support in rustc, not directly in cargo.
- [Add support for LLVM coverage mapping format versions 5 and 6][91207]
- [Emit LLVM optimization remarks when enabled with `-Cremark`][90833]
- [Update the minimum external LLVM to 12][90175]
- [Add `x86_64-unknown-none` at Tier 3*][89062]
- [Build musl dist artifacts with debuginfo enabled][90733]. When building release binaries using musl, you may want to use the newly stabilized strip option to remove these debug symbols, reducing the size of your binaries.
- [Don't abort compilation after giving a lint error][87337]
- [Error messages point at the source of trait bound obligations in more places][89580]

\* Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support.

Libraries
---------

- [All remaining functions in the standard library have `#[must_use]` annotations where appropriate][89692], producing a warning when ignoring their return value. This helps catch mistakes such as expecting a function to mutate a value in place rather than return a new value.
- [Paths are automatically canonicalized on Windows for operations that support it][89174]
- [Re-enable debug checks for `copy` and `copy_nonoverlapping`][90041]
- [Implement `RefUnwindSafe` for `Rc<T>`][87467]
- [Make RSplit<T, P>: Clone not require T: Clone][90117]
- [Implement `Termination` for `Result<Infallible, E>`][88601]. This allows writing `fn main() -> Result<Infallible, ErrorType>`, for a program whose successful exits never involve returning from `main` (for instance, a program that calls `exit`, or that uses `exec` to run another program).

Stabilized APIs
---------------

- [`Metadata::is_symlink`]
- [`Path::is_symlink`]
- [`{integer}::saturating_div`]
- [`Option::unwrap_unchecked`]
- [`Result::unwrap_unchecked`]
- [`Result::unwrap_err_unchecked`]
- [`NonZero{unsigned}::is_power_of_two`]
- [`File::options`]

These APIs are now usable in const contexts:

- [`Duration::new`]
- [`Duration::checked_add`]
- [`Duration::saturating_add`]
- [`Duration::checked_sub`]
- [`Duration::saturating_sub`]
- [`Duration::checked_mul`]
- [`Duration::saturating_mul`]
- [`Duration::checked_div`]
- [`MaybeUninit::as_ptr`]
- [`MaybeUninit::as_mut_ptr`]
- [`MaybeUninit::assume_init`]
- [`MaybeUninit::assume_init_ref`]

Cargo
-----

- [Add --message-format for install command][cargo/10107]
- [Warn when alias shadows external subcommand][cargo/10082]

Rustdoc
-------

- [Show all Deref implementations recursively in rustdoc][90183]
- [Use computed visibility in rustdoc][88447]

Compatibility Notes
-------------------

- [Try all stable method candidates first before trying unstable ones][90329]. This change ensures that adding new nightly-only methods to the Rust standard library will not break code invoking methods of the same name from traits outside the standard library.
- Windows: [`std::process::Command` will no longer search the current directory for executables.][87704]
- [All proc-macro backward-compatibility lints are now deny-by-default.][88041]
- [proc_macro: Append .0 to unsuffixed float if it would otherwise become int token][90297]
- [Refactor weak symbols in std::sys::unix][90846]. This optimizes accesses to glibc functions, by avoiding the use of dlopen. This does not increase the [minimum expected version of glibc](https://doc.rust-lang.org/nightly/rustc/platform-support.html). However, software distributions that use symbol versions to detect library dependencies, and which take weak symbols into account in that analysis, may detect rust binaries as requiring newer versions of glibc.
- [rustdoc now rejects some unexpected semicolons in doctests][91026]

Internal Changes
----------------

These changes provide no direct user facing benefits, but represent significant improvements to the internals and overall performance of rustc and related tools.

- [Implement coherence checks for negative trait impls][90104]
- [Add rustc lint, warning when iterating over hashmaps][89558]
- [Optimize live point computation][90491]
- [Enable verification for 1/32nd of queries loaded from disk][90361]
- [Implement version of normalize_erasing_regions that allows for normalization failure][91255]

[87337]: rust-lang/rust#87337
[87467]: rust-lang/rust#87467
[87704]: rust-lang/rust#87704
[88041]: rust-lang/rust#88041
[88300]: rust-lang/rust#88300
[88447]: rust-lang/rust#88447
[88601]: rust-lang/rust#88601
[88624]: rust-lang/rust#88624
[89062]: rust-lang/rust#89062
[89174]: rust-lang/rust#89174
[89542]: rust-lang/rust#89542
[89551]: rust-lang/rust#89551
[89558]: rust-lang/rust#89558
[89580]: rust-lang/rust#89580
[89652]: rust-lang/rust#89652
[89677]: rust-lang/rust#89677
[89951]: rust-lang/rust#89951
[90041]: rust-lang/rust#90041
[90058]: rust-lang/rust#90058
[90104]: rust-lang/rust#90104
[90117]: rust-lang/rust#90117
[90175]: rust-lang/rust#90175
[90183]: rust-lang/rust#90183
[90297]: rust-lang/rust#90297
[90329]: rust-lang/rust#90329
[90361]: rust-lang/rust#90361
[90417]: rust-lang/rust#90417
[90473]: rust-lang/rust#90473
[90491]: rust-lang/rust#90491
[90733]: rust-lang/rust#90733
[90833]: rust-lang/rust#90833
[90846]: rust-lang/rust#90846
[90896]: rust-lang/rust#90896
[91026]: rust-lang/rust#91026
[91207]: rust-lang/rust#91207
[91255]: rust-lang/rust#91255
[91301]: rust-lang/rust#91301
[cargo/10082]: rust-lang/cargo#10082
[cargo/10107]: rust-lang/cargo#10107
[`Metadata::is_symlink`]: https://doc.rust-lang.org/stable/std/fs/struct.Metadata.html#method.is_symlink
[`Path::is_symlink`]: https://doc.rust-lang.org/stable/std/path/struct.Path.html#method.is_symlink
[`{integer}::saturating_div`]: https://doc.rust-lang.org/stable/std/primitive.i8.html#method.saturating_div
[`Option::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/option/enum.Option.html#method.unwrap_unchecked
[`Result::unwrap_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_unchecked
[`Result::unwrap_err_unchecked`]: https://doc.rust-lang.org/stable/std/result/enum.Result.html#method.unwrap_err_unchecked
[`NonZero{unsigned}::is_power_of_two`]: https://doc.rust-lang.org/stable/std/num/struct.NonZeroU8.html#method.is_power_of_two
[`File::options`]: https://doc.rust-lang.org/stable/std/fs/struct.File.html#method.options
[`unix::process::ExitStatusExt::core_dumped`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.core_dumped
[`unix::process::ExitStatusExt::stopped_signal`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.stopped_signal
[`unix::process::ExitStatusExt::continued`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.continued
[`unix::process::ExitStatusExt::into_raw`]: https://doc.rust-lang.org/stable/std/os/unix/process/trait.ExitStatusExt.html#tymethod.into_raw
[`Duration::new`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.new
[`Duration::checked_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_add
[`Duration::saturating_add`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_add
[`Duration::checked_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_sub
[`Duration::saturating_sub`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_sub
[`Duration::checked_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_mul
[`Duration::saturating_mul`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.saturating_mul
[`Duration::checked_div`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.checked_div
[`Duration::as_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f64
[`Duration::as_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.as_secs_f32
[`Duration::from_secs_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f64
[`Duration::from_secs_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.from_secs_f32
[`Duration::mul_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f64
[`Duration::mul_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.mul_f32
[`Duration::div_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f64
[`Duration::div_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_f32
[`Duration::div_duration_f64`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f64
[`Duration::div_duration_f32`]: https://doc.rust-lang.org/stable/std/time/struct.Duration.html#method.div_duration_f32
[`MaybeUninit::as_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_ptr
[`MaybeUninit::as_mut_ptr`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.as_mut_ptr
[`MaybeUninit::assume_init`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init
[`MaybeUninit::assume_init_ref`]: https://doc.rust-lang.org/stable/std/mem/union.MaybeUninit.html#method.assume_init_ref
Pkgsrc changes:
* Bump bootstrap kit version to 1.57.0.
* Bump required external LLVM to 12.0, according to upstream change log.
* Adjust patches as needed, adjust line numbers.
* Update checksum adjustments. For some reason the vendor/libc checksum doesn't need fixing, apparently, it remains as commented out.
* Add makefile to do all the NetBSD bootstrap/cross builds (do-cross.mk). Allow passing in additions to CONFIGURE_ARGS via ADD_CONFIGURE_ARGS.
This commit re-enables the debug checks for valid usages of the two functions `copy()` and `copy_nonoverlapping()`. Those checks were commented out in #79684 in order to make the functions const. All that's been left was a FIXME, that could not be resolved until there was a way to only do the checks at runtime.
Since #89247 there is such a way: `const_eval_select()`. This commit uses that new intrinsic in order to either do nothing (at compile time) or to do the old checks (at runtime).
The change itself is rather small: in order to make the checks usable with `const_eval_select`, they are moved into a local function (one for `copy` and one for `copy_nonoverlapping` to keep symmetry).
The change does not break referential transparency, as there is nothing you can do at compile time, which you cannot do at runtime without getting undefined behavior. The CTFE-engine won't allow misuses. The other way round is also fine.
I've refactored the code to use `#[cfg(debug_assertions)]` on the new items. If that is not desired, the second commit can be dropped.
I haven't added any checks, as I currently don't know how to test this properly.
Closes #90012.
cc @rust-lang/lang, @rust-lang/libs and @rust-lang/wg-const-eval (as those teams are linked in the issue above).