Ensure miri only uses fallback bodies that have manually been vetted to preserve all UB that the native intrinsic would have

oli-obk · oli-obk · commit e646e70788ed · 2024-05-03T09:16:57.000Z
diff --git a/src/shims/intrinsics/atomic.rs b/src/shims/intrinsics/atomic.rs
@@ -14,6 +14,7 @@ pub enum AtomicOp {
 impl<'mir, 'tcx: 'mir> EvalContextExt<'mir, 'tcx> for crate::MiriInterpCx<'mir, 'tcx> {}
 pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
     /// Calls the atomic intrinsic `intrinsic`; the `atomic_` prefix has already been removed.
+    /// Returns `Ok(true)` if the intrinsic was handled.
     fn emulate_atomic_intrinsic(
         &mut self,
         intrinsic_name: &str,
diff --git a/src/shims/intrinsics/mod.rs b/src/shims/intrinsics/mod.rs
@@ -11,6 +11,7 @@ use rustc_middle::{
     ty::{self, FloatTy},
 };
 use rustc_target::abi::Size;
+use rustc_span::{sym, Symbol};
 
 use crate::*;
 use atomic::EvalContextExt as _;
@@ -48,6 +49,7 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
 
         // All remaining supported intrinsics have a return place.
         let ret = match ret {
+            // FIXME: add fallback body support once we actually have a diverging intrinsic with a fallback body
             None => throw_unsup_format!("unimplemented (diverging) intrinsic: `{intrinsic_name}`"),
             Some(p) => p,
         };
@@ -63,9 +65,14 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
 
         // The rest jumps to `ret` immediately.
         if !this.emulate_intrinsic_by_name(intrinsic_name, instance.args, args, dest)? {
+            // We haven't handled the intrinsic, let's see if we can use a fallback body.
             if this.tcx.intrinsic(instance.def_id()).unwrap().must_be_overridden {
                 throw_unsup_format!("unimplemented intrinsic: `{intrinsic_name}`")
             }
+            let intrinsic_fallback_checks_ub = Symbol::intern("intrinsic_fallback_checks_ub");
+            if this.tcx.get_attrs_by_path(instance.def_id(), &[sym::miri, intrinsic_fallback_checks_ub]).next().is_none() {
+                throw_unsup_format!("miri can only use intrinsic fallback bodies that check UB. After verifying that `{intrinsic_name}` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that");
+            }
             return Ok(Some(ty::Instance {
                 def: ty::InstanceDef::Item(instance.def_id()),
                 args: instance.args,
@@ -78,6 +85,7 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
     }
 
     /// Emulates a Miri-supported intrinsic (not supported by the core engine).
+    /// Returns `Ok(true)` if the intrinsic was handled.
     fn emulate_intrinsic_by_name(
         &mut self,
         intrinsic_name: &str,
diff --git a/src/shims/intrinsics/simd.rs b/src/shims/intrinsics/simd.rs
@@ -16,6 +16,7 @@ pub(crate) enum MinMax {
 impl<'mir, 'tcx: 'mir> EvalContextExt<'mir, 'tcx> for crate::MiriInterpCx<'mir, 'tcx> {}
 pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriInterpCxExt<'mir, 'tcx> {
     /// Calls the simd intrinsic `intrinsic`; the `simd_` prefix has already been removed.
+    /// Returns `Ok(true)` if the intrinsic was handled.
     fn emulate_simd_intrinsic(
         &mut self,
         intrinsic_name: &str,
diff --git a/tests/fail/intrinsic_fallback_checks_ub.rs b/tests/fail/intrinsic_fallback_checks_ub.rs
@@ -0,0 +1,14 @@
+#![feature(rustc_attrs, effects)]
+
+#[rustc_intrinsic]
+#[rustc_nounwind]
+#[rustc_do_not_const_check]
+#[inline]
+pub const fn ptr_guaranteed_cmp<T>(ptr: *const T, other: *const T) -> u8 {
+    (ptr == other) as u8
+}
+
+fn main() {
+    ptr_guaranteed_cmp::<()>(std::ptr::null(), std::ptr::null());
+    //~^ ERROR: can only use intrinsic fallback bodies that check UB.
+}
diff --git a/tests/fail/intrinsic_fallback_checks_ub.stderr b/tests/fail/intrinsic_fallback_checks_ub.stderr
@@ -0,0 +1,14 @@
+error: unsupported operation: miri can only use intrinsic fallback bodies that check UB. After verifying that `ptr_guaranteed_cmp` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that
+  --> $DIR/intrinsic_fallback_checks_ub.rs:LL:CC
+   |
+LL |     ptr_guaranteed_cmp::<()>(std::ptr::null(), std::ptr::null());
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ miri can only use intrinsic fallback bodies that check UB. After verifying that `ptr_guaranteed_cmp` does so, add the `#[miri::intrinsic_fallback_checks_ub]` attribute to it; also ping @rust-lang/miri when you do that
+   |
+   = help: this is likely not a bug in the program; it indicates that the program performed an operation that the interpreter does not support
+   = note: BACKTRACE:
+   = note: inside `main` at $DIR/intrinsic_fallback_checks_ub.rs:LL:CC
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+
