Add a stable flag to control codegen UB checks

Author: saethlin

compiler/rustc_interface/src/tests.rs

@@ -607,6 +607,7 @@ fn test_codegen_options_tracking_hash() {
     tracked!(profile_generate, SwitchWithOptPath::Enabled(None));
     tracked!(profile_use, Some(PathBuf::from("abc")));
     tracked!(relocation_model, Some(RelocModel::Pic));
+    tracked!(sanitizer, Some(SanitizerSet::UNDEFINED));
     tracked!(soft_float, true);
     tracked!(split_debuginfo, Some(SplitDebuginfo::Packed));
     tracked!(symbol_mangling_version, Some(SymbolManglingVersion::V0));

compiler/rustc_mir_transform/src/check_alignment.rs

@@ -9,12 +9,17 @@ use rustc_middle::mir::{
 };
 use rustc_middle::ty::{Ty, TyCtxt, TypeAndMut};
 use rustc_session::Session;
+use rustc_target::spec::SanitizerSet;
 
 pub struct CheckAlignment;
 
 impl<'tcx> MirPass<'tcx> for CheckAlignment {
     fn is_enabled(&self, sess: &Session) -> bool {
-        sess.opts.debug_assertions
+        sess.opts
+            .cg
+            .sanitizer
+            .map(|san| san.contains(SanitizerSet::UNDEFINED))
+            .unwrap_or(sess.opts.debug_assertions)
     }
 
     fn run_pass(&self, tcx: TyCtxt<'tcx>, body: &mut Body<'tcx>) {

compiler/rustc_session/src/options.rs

@@ -372,7 +372,9 @@ mod desc {
     pub const parse_opt_panic_strategy: &str = parse_panic_strategy;
     pub const parse_oom_strategy: &str = "either `panic` or `abort`";
     pub const parse_relro_level: &str = "one of: `full`, `partial`, or `off`";
-    pub const parse_sanitizers: &str = "comma separated list of sanitizers: `address`, `cfi`, `hwaddress`, `kcfi`, `kernel-address`, `leak`, `memory`, `memtag`, `safestack`, `shadow-call-stack`, or `thread`";
+    pub const parse_sanitizers: &str = "comma separated list of sanitizers: `address`, `cfi`, `hwaddress`, `kcfi`, `kernel-address`, `leak`, `memory`, `memtag`, `safestack`, `shadow-call-stack`, `thread`, or `undefined`";
+    pub const parse_sanitizers_stable: &str =
+        "comma separated list of sanitizers: `none` or `undefined`";
     pub const parse_sanitizer_memory_track_origins: &str = "0, 1, or 2";
     pub const parse_cfguard: &str =
         "either a boolean (`yes`, `no`, `on`, `off`, etc), `checks`, or `nochecks`";
@@ -695,6 +697,7 @@ mod parse {
                     "thread" => SanitizerSet::THREAD,
                     "hwaddress" => SanitizerSet::HWADDRESS,
                     "safestack" => SanitizerSet::SAFESTACK,
+                    "undefined" => SanitizerSet::UNDEFINED,
                     _ => return false,
                 }
             }
@@ -722,6 +725,32 @@ mod parse {
         }
     }
 
+    pub(crate) fn parse_sanitizers_stable(
+        slot: &mut Option<SanitizerSet>,
+        v: Option<&str>,
+    ) -> bool {
+        if let Some(v) = v {
+            let mut sanitizer = SanitizerSet::empty();
+            let mut got_none = false;
+            for s in v.split(',') {
+                sanitizer |= match s {
+                    "none" => {
+                        got_none = true;
+                        SanitizerSet::empty()
+                    }
+                    "undefined" => SanitizerSet::UNDEFINED,
+                    _ => return false,
+                }
+            }
+            if got_none {
+                *slot = Some(SanitizerSet::empty());
+            }
+        } else {
+            *slot = None;
+        }
+        true
+    }
+
     pub(crate) fn parse_strip(slot: &mut Strip, v: Option<&str>) -> bool {
         match v {
             Some("none") => *slot = Strip::None,
@@ -1320,6 +1349,8 @@ options! {
         "print remarks for these optimization passes (space separated, or \"all\")"),
     rpath: bool = (false, parse_bool, [UNTRACKED],
         "set rpath values in libs/exes (default: no)"),
+    sanitizer: Option<SanitizerSet> = (None, parse_sanitizers_stable, [TRACKED],
+        "use a sanitizer"),
     save_temps: bool = (false, parse_bool, [UNTRACKED],
         "save all temporary output files during compilation (default: no)"),
     soft_float: bool = (false, parse_bool, [TRACKED],

compiler/rustc_target/src/spec/mod.rs

@@ -906,6 +906,7 @@ bitflags::bitflags! {
         const KCFI    = 1 << 8;
         const KERNELADDRESS = 1 << 9;
         const SAFESTACK = 1 << 10;
+        const UNDEFINED = 1 << 11;
     }
 }
 
@@ -926,6 +927,7 @@ impl SanitizerSet {
             SanitizerSet::SHADOWCALLSTACK => "shadow-call-stack",
             SanitizerSet::THREAD => "thread",
             SanitizerSet::HWADDRESS => "hwaddress",
+            SanitizerSet::UNDEFINED => "undefined",
             _ => return None,
         })
     }
@@ -964,6 +966,7 @@ impl IntoIterator for SanitizerSet {
             SanitizerSet::HWADDRESS,
             SanitizerSet::KERNELADDRESS,
             SanitizerSet::SAFESTACK,
+            SanitizerSet::UNDEFINED,
         ]
         .iter()
         .copied()

src/doc/rustc/src/codegen-options/index.md

@@ -500,6 +500,17 @@ enabled. It takes one of the following values:
 * `y`, `yes`, `on`, `true` or no value: enable rpath.
 * `n`, `no`, `off` or `false`: disable rpath (the default).
 
+## sanitizer
+
+* `none`: disables all sanitizers
+* `undefined`
+
+The only stable sanitizer is `undefined`. This flag does no do what clang/gcc's
+`-fsanitize=undefined` does, but it enables something generally equivalent in Rust:
+runtime checks for Undefined Behavior that do not require additional runtime state.
+
+If not specified, `-Csanitizer=undefined` is automatically enabled by debug assertions.
+
 ## save-temps
 
 This flag controls whether temporary files generated during compilation are

src/tools/miri/src/lib.rs

@@ -132,5 +132,5 @@ pub const MIRI_DEFAULT_ARGS: &[&str] = &[
     "-Zmir-emit-retag",
     "-Zmir-keep-place-mention",
     "-Zmir-opt-level=0",
-    "-Zmir-enable-passes=-CheckAlignment",
+    "-Csanitizer=none",
 ];

src/tools/miri/tests/fail/unaligned_pointers/alignment.rs

@@ -1,5 +1,4 @@
 //@normalize-stderr-test: "\| +\^+" -> "| ^"
-//@compile-flags: -Cdebug-assertions=no
 
 fn main() {
     // No retry needed, this fails reliably.

src/tools/miri/tests/fail/unaligned_pointers/atomic_unaligned.rs

@@ -1,4 +1,4 @@
-//@compile-flags: -Zmiri-symbolic-alignment-check -Cdebug-assertions=no
+//@compile-flags: -Zmiri-symbolic-alignment-check
 #![feature(core_intrinsics)]
 
 fn main() {

src/tools/miri/tests/fail/unaligned_pointers/drop_in_place.rs

@@ -1,5 +1,3 @@
-//@compile-flags: -Cdebug-assertions=no
-
 #[repr(transparent)]
 struct HasDrop(u8);
 

src/tools/miri/tests/fail/unaligned_pointers/dyn_alignment.rs

@@ -1,5 +1,5 @@
 // should find the bug even without validation and stacked borrows, but gets masked by optimizations
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Zmir-opt-level=0 -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Zmir-opt-level=0
 
 #[repr(align(256))]
 #[derive(Debug)]

src/tools/miri/tests/fail/unaligned_pointers/intptrcast_alignment_check.rs

@@ -1,4 +1,4 @@
-//@compile-flags: -Zmiri-symbolic-alignment-check -Zmiri-permissive-provenance -Cdebug-assertions=no
+//@compile-flags: -Zmiri-symbolic-alignment-check -Zmiri-permissive-provenance
 // With the symbolic alignment check, even with intptrcast and without
 // validation, we want to be *sure* to catch bugs that arise from pointers being
 // insufficiently aligned. The only way to achieve that is not to let programs

src/tools/miri/tests/fail/unaligned_pointers/reference_to_packed.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation/SB
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 
 #![allow(dead_code, unused_variables)]
 

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr1.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation or Stacked Borrows.
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 
 fn main() {
     // Try many times as this might work by chance.

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr2.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation or Stacked Borrows.
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 
 fn main() {
     // No retry needed, this fails reliably.

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr3.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation or Stacked Borrows.
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 
 fn main() {
     // Try many times as this might work by chance.

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr4.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation or Stacked Borrows.
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 
 fn main() {
     // Make sure we notice when a u16 is loaded at offset 1 into a u8 allocation.

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr_addr_of.rs

@@ -1,5 +1,5 @@
 // This should fail even without validation or Stacked Borrows.
-//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-validation -Zmiri-disable-stacked-borrows
 use std::ptr;
 
 fn main() {

src/tools/miri/tests/fail/unaligned_pointers/unaligned_ptr_zst.rs

@@ -1,6 +1,6 @@
 // This should fail even without validation
 // Some optimizations remove ZST accesses, thus masking this UB.
-//@compile-flags: -Zmir-opt-level=0 -Zmiri-disable-validation -Cdebug-assertions=no
+//@compile-flags: -Zmir-opt-level=0 -Zmiri-disable-validation
 
 fn main() {
     // Try many times as this might work by chance.

src/tools/miri/tests/pass/disable-alignment-check.rs

@@ -1,6 +1,6 @@
 //@revisions: stack tree
 //@[tree]compile-flags: -Zmiri-tree-borrows
-//@compile-flags: -Zmiri-disable-alignment-check -Cdebug-assertions=no
+//@compile-flags: -Zmiri-disable-alignment-check
 
 fn main() {
     let mut x = [0u8; 20];

tests/assembly/static-relocation-model.rs

@@ -1,12 +1,12 @@
 // revisions: x64 A64 ppc64le
 // assembly-output: emit-asm
+// compile-flags: -Csanitizer=none
 // [x64] compile-flags: --target x86_64-unknown-linux-gnu -Crelocation-model=static
 // [x64] needs-llvm-components: x86
 // [A64] compile-flags: --target aarch64-unknown-linux-gnu -Crelocation-model=static
 // [A64] needs-llvm-components: aarch64
 // [ppc64le] compile-flags: --target powerpc64le-unknown-linux-gnu -Crelocation-model=static
 // [ppc64le] needs-llvm-components: powerpc
-// ignore-debug: alignment checks insert panics that we don't have a lang item for
 
 #![feature(no_core, lang_items)]
 #![no_core]

tests/codegen/issues/issue-37945.rs

@@ -1,6 +1,5 @@
 // compile-flags: -O -Zmerge-functions=disabled
 // ignore-32bit LLVM has a bug with them
-// ignore-debug
 
 // Check that LLVM understands that `Iter` pointer is not null. Issue #37945.
 

tests/codegen/virtual-function-elimination.rs

@@ -1,6 +1,5 @@
-// compile-flags: -Zvirtual-function-elimination -Clto -O -Csymbol-mangling-version=v0
+// compile-flags: -Zvirtual-function-elimination -Clto -O -Csymbol-mangling-version=v0 -Csanitizer=none
 // ignore-32bit
-// ignore-debug
 
 // CHECK: @vtable.0 = {{.*}}, !type ![[TYPE0:[0-9]+]], !vcall_visibility ![[VCALL_VIS0:[0-9]+]]
 // CHECK: @vtable.1 = {{.*}}, !type ![[TYPE1:[0-9]+]], !vcall_visibility ![[VCALL_VIS0:[0-9]+]]