c_variadic: impl va_copy and va_end as Rust intrinsics

[folkertdev]

tracking issue: #44930

Implement va_copy as (the rust equivalent of) memcpy, which is the behavior of all current LLVM targets. By providing our own implementation, we can guarantee its behavior. These guarantees are important for implementing c-variadics in e.g. const-eval.

Discussed in #t-compiler/const-eval > c-variadics in const-eval.

I've also updated the comment for Drop a bit. The background here is that the C standard requires that va_end is used in the same function (and really, in the same scope) as the corresponding va_start or va_copy. That is because historically va_start would start a scope, which va_end would then close. e.g.

https://softwarepreservation.computerhistory.org/c_plus_plus/cfront/release_3.0.3/source/incl-master/proto-headers/stdarg.sol

#define         va_start(ap, parmN)     {\
        va_buf  _va;\
        _vastart(ap = (va_list)_va, (char *)&parmN + sizeof parmN)
#define         va_end(ap)      }
#define         va_arg(ap, mode)        *((mode *)_vaarg(ap, sizeof (mode)))

The C standard still has to consider such implementations, but for Rust they are irrelevant. Hence we can use Clone for va_copy and Drop for va_end.

[folkertdev]

https://github.com/llvm/llvm-project/blob/87e8e7d8f0db53060ef2f6ef4ab612fc0f2b4490/llvm/lib/Transforms/IPO/ExpandVariadics.cpp#L127-L129

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/Hexagon/HexagonISelLowering.cpp#L1087

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/Xtensa/XtensaISelLowering.cpp#L1260

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/SystemZ/SystemZISelLowering.h#L339

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/PowerPC/PPCISelLowering.h#L713

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/AArch64/AArch64ISelLowering.h#L709

[RalfJung]

That's just a declaration, how does the link confirm that this can be copied?

Is it worth putting these links in the code for future reference?

[folkertdev]

ah sorry that should link to https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/AArch64/AArch64ISelLowering.cpp#L12682-L12700, where the implementation is just memcpy.

The links are kind of unwieldy, but I can put them in.

[folkertdev]

r? @workingjubilee

The codegen of VaList::clone is target-specific now, and because minicore does not define VaList it is hard to test. I think it's fine to just test the behavior, and have LLVM use a memcpy when VaList is a struct, or just re-use the pointer value if it's just a pointer.

[rustbot]

workingjubilee is currently at their maximum review capacity.
They may take a while to respond.

[rustbot]

Some changes occurred in compiler/rustc_codegen_cranelift

cc @bjorn3

Some changes occurred to the intrinsics. Make sure the CTFE / Miri interpreter
gets adapted for the changes, if necessary.

cc @rust-lang/miri, @RalfJung, @oli-obk, @lcnr

Some changes occurred in compiler/rustc_codegen_gcc

cc @antoyo, @GuillaumeGomez

[RalfJung]

Implement va_copy as (the rust equivalent of) memcpy, which is the behavior of all current LLVM targets. By providing our own implementation, we can guarantee its behavior.

Didn't we say we would avoid that assumption and also support implementations that do malloc/free in va_copy / va_end? See #t-compiler/const-eval > c-variadics in const-eval @ 💬.

[folkertdev]

That's right, we don't actually impl Copy for VaList, so that a future target could implement a meaningful Clone and Drop. It's just that in practice for all current targets Clone happens to be a memcpy and Drop a no-op

[workingjubilee]

Offering a suggested historical note.

Please feel free to trim it or move it into the PR description itself, down to the amounts you find worthwhile or just amusing to keep (including 0 lines).

r=me after

Thanks!

View changes since this review

[RalfJung]

@folkertdev what is your plan for va_copy regarding the const-eval support for this?
ISTM that without the intrinsic, it'll not be possible to catch a bunch of the UB that we had planned to catch?

[folkertdev]

Based on further discussion in #t-compiler/const-eval > c-variadics in const-eval, a slight change of plans

• we still no longer call LLVM's va_copy
• we do still have our own va_copy intrinsic that serves as a hook for const evaluation
• va_copy has a fallback body, code generation backends should not provide their own implementation

I've changed the signature of the intrinsic to be more ergonomic, and made it safe because while the hook is used to detect UB, the intrinsic itself is completely safe.

[rust-bors]

Commit 97e26cb has been unapproved.

[folkertdev]

Locally with #150601 I can now get this to emit the error from the comment. So this setup should work in practice.

fn manual_copy() {
    const unsafe extern "C" fn helper(ap: ...) {
        // A copy created using Clone is valid, and can be used to read arguments.
        let mut copy = ap.clone();
        assert!(copy.arg::<i32>() == 1i32);

        let mut u = core::mem::MaybeUninit::uninit();
        unsafe { core::ptr::copy_nonoverlapping(&ap, u.as_mut_ptr(), 1) };

        // Manually creating the copy is fine.
        let mut copy = unsafe { u.assume_init() };

        // Even using it is fine.
        let _ = copy.arg::<i32>();

        // But then using (or dropping) the original is not.
        drop(copy);
        drop(ap);
    }

    const { unsafe { helper(1, 2, 3) } };
    //~^ ERROR va_end on unknown va_list allocation ALLOC0 [E0080]
}

The above also requires some changes to va_end (like having Drop actually call it), but I want to handle that separately because I suspect LLVM may be finicky about that.

[folkertdev]

Right so I've now included the changes to va_end that are required for const evaluation. In short Drop now calls va_end which has a default implementation of being a no-op.

[workingjubilee]

Hmm. Yeah, I think the names should remain the same as they are now because those are the names most familiar to C programmers, and I think that (soon-to-be-former, hopefully) C programmers poking at the source will want to see them instead of some offbeat va_list_clone call.

I do understand the implication that it is a "false friend", because someone might assume it is LLVM's impl. However, here we do document it is not, and people who learn how Rust's intrinsics work will know that it is at most a delegation to LLVM's intrinsics (and how to find what they do). They will first see the Rust source, anyways!

And in a sense, I think they aren't false friends: they are faithful implementations of va_copy and va_end... in Rust, a language which isn't C, but nonetheless implements some C semantics by assuming the C implementation can be made-compatible with Rust semantics.

We could name them rust_va_copy and rust_va_end if you really want to discourage people from assuming they are merely LLVM calls. I also do appreciate that you have spent a while with your head "in LLVM" and you have to make such a distinction between @llvm.va_copy and our code anyways. I think LLVM makes the right choice here... even if the intrinsic, in practice, isn't actually what clang uses 99.9% of the time (in terms of compiler invocations, anyways? maybe it's used for more targets in absolute count than I think it is, but then again LLVM doesn't have such a highly reified notion of target tuples like we do...).

View changes since this review

[workingjubilee]

...I also am aware that copy might be confusing to Rust-first programmers who are overcalibrating on it being a Copy, and to them I say: tough. C is allowed to use words differently, so I think we wind up with this cross-language confusion anyways, because if we rename away from va_copy, people may go "where's the va_copy making this new va_list a valid thing?" We keep things most coherent, I feel, by focusing on how our impl reflects the standard's requirements.

[folkertdev]

Makes sense, and yeah there are no obviously better names, so maybe consistency is more valuable. Let's see what Ralf thinks.

[RalfJung]

Given that this is an internal API I'd rather have it use Rust-y terms than follow C terminology. We use the LLVM names for many of the intrinsics and this can be quite confusing. We can always explain the relation to va_copy in the docs.

But given that this is an internal API I also do not care very strongly.

[folkertdev]

Because this is an internal name we can change it at any time. I'd propose to keep the names for now, actually implement const evaluation, and then re-evaluate if there is an obviously better name for what we use the intrinsic for.

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[folkertdev]

I updated a bunch of the comments

@rustbot ready

[RalfJung]

This is also just a header, not the implementation? (same for some of the other ones)

[folkertdev]

Ah now I understand what happened: i copied these links from a github search result page. I manually looked them all up now, so all links should be correct.