lint ImproperCTypes: refactor linting architecture (part 3)

[niacdoial]

View all comments

This is the third PR in an effort to split #134697 (refactor plus overhaul of the ImproperCTypes family of lints) into individually-mergeable parts.

Contains:

• the changes of the first two PRs
• other user-invisible changes,
• the prevention of stack overflows while checking irregular recursive types.

Fixes: #130310
Superset of: #146271 and its superset #146273

[tgross35]

Looked at the final commit here "add recursion limit"; I think the method should be adjusted, but this can land pretty easily.

I don't think "add architecture for layered reasoning in lints" can land yet, there is a lot added here that is dead code and untested for now. Can it be moved to just before a commit that makes use of it?

Edit: actually, no need to move it anywhere specific yet since I'm still going through the commits at #134697 one-by-one. Just dropping it from this PR is sufficient, so the recursion limit can merge without being blocked.

View changes since this review

[tgross35]

I don't follow the original implementation here. If you have

extern "C" fn foo(a: NotFfiSafe, b: NotFfiSafe)

Why is it that the b doesn't get marked FfiSafe since the cache insert will fail?

[niacdoial]

this is because the cache is set up per visitor.
One of those gets set up for each extern static variable, each extern non-fnptr-function argument, each extern non-fnptr-function return, and each extern fnptr in a non-extern context.
Here specifically, a and b each get a visitor.

[tgross35]

Why is the cache still necessary if you have the depth?

[niacdoial]

The cache allows to stop processing regular-recursive types (say, some LinkedListNode struct) after a single iteration rather than after 1024.
The depth limit is really needed for irregular recursive types, like in #130310.

[tgross35]

It's probably cleaner to continue passing this around as &mut and avoiding the RefCell if possible, which will make it easier to store more in the visitor in the future if needed. Is it possible to just pass a depth argument to the needed functions? This also avoids the guard complexity, and makes it easy to avoid resetting the depth if you need to construct a new ImproperCTypesVisitor.

Alternatively you can make a type RecursionCount = Rc<()> and store it in the visitor and clone it for each guard, which allows Rc::strong_count(that_rc) to tell you the recursion count. But that's not quite as clean.

[niacdoial]

I guess? I thought it would be annoying, performance-wise, to add 8 bytes to each method's stack. which... I end up half-doing anyway. huh.
Sure, I'll add a "depth" argument.

[tgross35]

For context, this suggestion was how it looks like we do this sort of thing in Miri and Clippy.

I thought it would be annoying, performance-wise, to add 8 bytes to each method's stack

Accounting for this would be an arch-specific extreme micro-optimization, no real need to think about that kind of thing :)

[tgross35]

For the limit we may as well use the global recursion limit here, I think that's available via cx.tcx.recursion_limit(). Should give you a Limit, and you can use value_within_limit to check

rust/compiler/rustc_session/src/session.rs

Lines 65 to 87 in f4b2f68

	/// New-type wrapper around `usize` for representing limits. Ensures that comparisons against
	/// limits are consistent throughout the compiler.
	#[derive(Clone, Copy, Debug, HashStable_Generic)]
	pub struct Limit(pub usize);
	impl Limit {
	/// Create a new limit from a `usize`.
	pub fn new(value: usize) -> Self {
	Limit(value)
	}
	/// Create a new unlimited limit.
	pub fn unlimited() -> Self {
	Limit(usize::MAX)
	}
	/// Check that `value` is within the limit. Ensures that the same comparisons are used
	/// throughout the compiler, as mismatches can cause ICEs, see #72540.
	#[inline]
	pub fn value_within_limit(&self, value: usize) -> bool {
	value <= self.0
	}
	}

[bors]

☔ The latest upstream changes (presumably #146271) made this pull request unmergeable. Please resolve the merge conflicts.

[niacdoial]

I'm not sure I addressed everything you asked in reviews, but I figures I should push what I have so far (in both branches,
leaving aside the commit on layered lint messages), before I go offline for most of the weekend.

(also I know there are be two commits that should be squashed together in the other PR, but I'll need to resolve a bunch of conflicts in the rest of the commit chain before doing this)

[rustbot]

This PR changes a file inside tests/crashes. If a crash was fixed, please move into the corresponding ui subdir and add 'Fixes #' to the PR description to autoclose the issue upon merge.

[tgross35]

It should also raise the lint here right? If so, a global #![deny(improper_ctypes)] with a local #[expect(improper_ctypes)] would be good to add.

Also I think the mustpass- test name prefix is only for tests named after issues (which we're trying to get rid of)

[niacdoial]

No, there shouldn't be an error here.

When the depth limit is reached, the type visitor assumes it managed to visit everything there was to visit. Therefore, if no error has be found until now, it must mean that the recursive pile of types is FFI-safe, somehow.

For the test names, this is something I fixed way down the commit chain, but yeah, I can at least give better names this for the lints I added myself.

[tgross35]

Ah, you're right. I guess maybe it would just be good to deny(improper_ctypes, improper_ctypes_definitions) to verify that.

[jdonszelmann]

unless the recursion limit is reached traversing to many different types right? If you keep encountering more and more different types, the last one might make it ffi unsafe

[niacdoial]

not sure what statement you're tagging this "unless" onto but...
The assumption is that whenever the recursion depth is reached, it is because something technically recurses infinitely. (excluding tests where this limit is very low on purpose.)
So there wouldn't really be a "last" type to speak of? I cannot think of a way where the FFI-unsafety of a type would come from the [arbitrarily large N]th type coming from the same struct A<..> definition.

[tgross35]

For context, this suggestion was how it looks like we do this sort of thing in Miri and Clippy.

I thought it would be annoying, performance-wise, to add 8 bytes to each method's stack

Accounting for this would be an arch-specific extreme micro-optimization, no real need to think about that kind of thing :)

[tgross35]

What exactly is this expected to test? There doesn't seem to be any recursion here.

[tgross35]

Maybe this would be good to run twice with different limits:

//@ revisions: limit5 limit10
#![deny(improper_ctypes)]
#![cfg_attr(limit6, recursion_limit = "10")]
#![cfg_attr(limit5, recursion_limit = "5")]

Then add something that passes with the limit of 10 but needs #[cfg_attr(limit5, expect(improper_ctypes))] to pass with a limit of 5.

[niacdoial]

not sure why git is saying I wrote this test, it comes from 9050b33.
let me check what it was about...

[niacdoial]

ah got it.
it's linked to pull #130758, so the test is here to check that the next attempt to add a recursion limit wouldn't make the same mistakes as the previous one

[jdonszelmann]

Like in this test, if the last type wasn't #[repr(C)] but we hit the recursion limit, the lint wouldn't trigger on an ffi-unsafe type right?

[niacdoial]

the goal of this test is to show that no matter how many fields we have in a single struct definition, we don't hit the recursion limit.
(the attempt from pull 130758 didn't count the recursion level properly, and the f6 field believed it was on the 7th recursion level rather than the 2nd)

[tgross35]

Same as at #146273 (comment),

r? compiler

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[niacdoial]

@rustbot review

[jdonszelmann]

I left some comments before, related to the recursion limit. Otherwise the impl looks good to me, though no warning on recursion limit scares me. Sorry for the long review delay!

View changes since this review

[rustbot]

Reminder, once the PR becomes ready for a review, use @rustbot ready.

[jdonszelmann]

Don't think this conflicts with #156399, but good to be aware of

[niacdoial]

I answered your comments, let me know if this cleared things up!
And no worries for the delay, I don't have anything that's waiting on this.

And also thanks for the other PR link! I'm glad I managed to land my previous PR before that one started.
...wait a minute. ah. I was the one to cause that regression wasn't I.
I will keep the new solver in mind from now on.