1//! Provides the [`assert_unsafe_precondition`] macro as well as some utility functions that cover
2//! common preconditions.
3
4use crate::intrinsics::{self, const_eval_select};
5
6/// Checks that the preconditions of an unsafe function are followed.
7///
8/// The check is enabled at runtime if debug assertions are enabled when the
9/// caller is monomorphized. In const-eval/Miri checks implemented with this
10/// macro for language UB are always ignored.
11///
12/// This macro should be called as
13/// `assert_unsafe_precondition!(check_{library,language}_ub, "message", (ident: type = expr, ident: type = expr) => check_expr)`
14/// where each `expr` will be evaluated and passed in as function argument `ident: type`. Then all
15/// those arguments are passed to a function with the body `check_expr`.
16/// Pick `check_language_ub` when this is guarding a violation of language UB, i.e., immediate UB
17/// according to the Rust Abstract Machine. Pick `check_library_ub` when this is guarding a violation
18/// of a documented library precondition that does not *immediately* lead to language UB.
19///
20/// If `check_library_ub` is used but the check is actually guarding language UB, the check will
21/// slow down const-eval/Miri and we'll get the panic message instead of the interpreter's nice
22/// diagnostic, but our ability to detect UB is unchanged.
23/// But if `check_language_ub` is used when the check is actually for library UB, the check is
24/// omitted in const-eval/Miri and thus if we eventually execute language UB which relies on the
25/// library UB, the backtrace Miri reports may be far removed from original cause.
26///
27/// These checks are behind a condition which is evaluated at codegen time, not expansion time like
28/// [`debug_assert`]. This means that a standard library built with optimizations and debug
29/// assertions disabled will have these checks optimized out of its monomorphizations, but if a
30/// caller of the standard library has debug assertions enabled and monomorphizes an expansion of
31/// this macro, that monomorphization will contain the check.
32///
33/// Since these checks cannot be optimized out in MIR, some care must be taken in both call and
34/// implementation to mitigate their compile-time overhead. Calls to this macro always expand to
35/// this structure:
36/// ```ignore (pseudocode)
37/// if ::core::intrinsics::check_language_ub() {
38/// precondition_check(args)
39/// }
40/// ```
41/// where `precondition_check` is monomorphic with the attributes `#[rustc_nounwind]`, `#[inline]` and
42/// `#[rustc_no_mir_inline]`. This combination of attributes ensures that the actual check logic is
43/// compiled only once and generates a minimal amount of IR because the check cannot be inlined in
44/// MIR, but *can* be inlined and fully optimized by a codegen backend.
45///
46/// Callers should avoid introducing any other `let` bindings or any code outside this macro in
47/// order to call it. Since the precompiled standard library is built with full debuginfo and these
48/// variables cannot be optimized out in MIR, an innocent-looking `let` can produce enough
49/// debuginfo to have a measurable compile-time impact on debug builds.
50#[macro_export]
51#[unstable(feature = "ub_checks", issue = "none")]
52macro_rules! assert_unsafe_precondition {
53 ($kind:ident, $message:expr, ($($name:ident:$ty:ty = $arg:expr),*$(,)?) => $e:expr $(,)?) => {
54 {
55 // This check is inlineable, but not by the MIR inliner.
56 // The reason for this is that the MIR inliner is in an exceptionally bad position
57 // to think about whether or not to inline this. In MIR, this call is gated behind `debug_assertions`,
58 // which will codegen to `false` in release builds. Inlining the check would be wasted work in that case and
59 // would be bad for compile times.
60 //
61 // LLVM on the other hand sees the constant branch, so if it's `false`, it can immediately delete it without
62 // inlining the check. If it's `true`, it can inline it and get significantly better performance.
63 #[rustc_no_mir_inline]
64 #[inline]
65 #[rustc_nounwind]
66 #[track_caller]
67 const fn precondition_check($($name:$ty),*) {
68 if !$e {
69 let msg = concat!("unsafe precondition(s) violated: ", $message,
70 "\n\nThis indicates a bug in the program. \
71 This Undefined Behavior check is optional, and cannot be relied on for safety.");
72 ::core::panicking::panic_nounwind_fmt(::core::fmt::Arguments::new_const(&[msg]), false);
73 }
74 }
75
76 if ::core::ub_checks::$kind() {
77 precondition_check($($arg,)*);
78 }
79 }
80 };
81}
82#[unstable(feature = "ub_checks", issue = "none")]
83pub use assert_unsafe_precondition;
84/// Checking library UB is always enabled when UB-checking is done
85/// (and we use a reexport so that there is no unnecessary wrapper function).
86#[unstable(feature = "ub_checks", issue = "none")]
87pub use intrinsics::ub_checks as check_library_ub;
88
89/// Determines whether we should check for language UB.
90///
91/// The intention is to not do that when running in the interpreter, as that one has its own
92/// language UB checks which generally produce better errors.
93#[inline]
94#[rustc_allow_const_fn_unstable(const_eval_select)]
95pub(crate) const fn check_language_ub() -> bool {
96 // Only used for UB checks so we may const_eval_select.
97 intrinsics::ub_checks()
98 && const_eval_select!(
99 @capture { } -> bool:
100 if const {
101 // Always disable UB checks.
102 false
103 } else {
104 // Disable UB checks in Miri.
105 !cfg!(miri)
106 }
107 )
108}
109
110/// Checks whether `ptr` is properly aligned with respect to the given alignment, and
111/// if `is_zst == false`, that `ptr` is not null.
112///
113/// In `const` this is approximate and can fail spuriously. It is primarily intended
114/// for `assert_unsafe_precondition!` with `check_language_ub`, in which case the
115/// check is anyway not executed in `const`.
116#[inline]
117#[rustc_allow_const_fn_unstable(const_eval_select)]
118pub(crate) const fn maybe_is_aligned_and_not_null(
119 ptr: *const (),
120 align: usize,
121 is_zst: bool,
122) -> bool {
123 // This is just for safety checks so we can const_eval_select.
124 const_eval_select!(
125 @capture { ptr: *const (), align: usize, is_zst: bool } -> bool:
126 if const {
127 is_zst || !ptr.is_null()
128 } else {
129 ptr.is_aligned_to(align) && (is_zst || !ptr.is_null())
130 }
131 )
132}
133
134#[inline]
135pub(crate) const fn is_valid_allocation_size(size: usize, len: usize) -> bool {
136 let max_len: usize = if size == 0 { usize::MAX } else { isize::MAX as usize / size };
137 len <= max_len
138}
139
140/// Checks whether the regions of memory starting at `src` and `dst` of size
141/// `count * size` do *not* overlap.
142///
143/// Note that in const-eval this function just returns `true` and therefore must
144/// only be used with `assert_unsafe_precondition!`, similar to `is_aligned_and_not_null`.
145#[inline]
146#[rustc_allow_const_fn_unstable(const_eval_select)]
147pub(crate) const fn maybe_is_nonoverlapping(
148 src: *const (),
149 dst: *const (),
150 size: usize,
151 count: usize,
152) -> bool {
153 // This is just for safety checks so we can const_eval_select.
154 const_eval_select!(
155 @capture { src: *const (), dst: *const (), size: usize, count: usize } -> bool:
156 if const {
157 true
158 } else {
159 let src_usize = src.addr();
160 let dst_usize = dst.addr();
161 let Some(size) = size.checked_mul(count) else {
162 crate::panicking::panic_nounwind(
163 "is_nonoverlapping: `size_of::<T>() * count` overflows a usize",
164 )
165 };
166 let diff = src_usize.abs_diff(dst_usize);
167 // If the absolute distance between the ptrs is at least as big as the size of the buffer,
168 // they do not overlap.
169 diff >= size
170 }
171 )
172}
173