c_variadic: use Clone instead of LLVM va_copy

[folkertdev]

tracking issue: #44930

Implement va_copy as (the rust equivalent of) memcpy, which is the behavior of all current LLVM targets. By providing our own implementation, we can guarantee its behavior. These guarantees are important for implementing c-variadics in e.g. const-eval.

Discussed in #t-compiler/const-eval > c-variadics in const-eval.

I've also updated the comment for Drop a bit. The background here is that the C standard requires that va_end is used in the same function (and really, in the same scope) as the corresponding va_start or va_copy. That is because historically va_start would start a scope, which va_end would then close. e.g.

https://softwarepreservation.computerhistory.org/c_plus_plus/cfront/release_3.0.3/source/incl-master/proto-headers/stdarg.sol

#define         va_start(ap, parmN)     {\
        va_buf  _va;\
        _vastart(ap = (va_list)_va, (char *)&parmN + sizeof parmN)
#define         va_end(ap)      }
#define         va_arg(ap, mode)        *((mode *)_vaarg(ap, sizeof (mode)))

The C standard still has to consider such implementations, but for rust they are irrelevant. Hence we can use Clone for va_copy and Drop for va_end.

[folkertdev]

https://github.com/llvm/llvm-project/blob/87e8e7d8f0db53060ef2f6ef4ab612fc0f2b4490/llvm/lib/Transforms/IPO/ExpandVariadics.cpp#L127-L129

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/Hexagon/HexagonISelLowering.cpp#L1087

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/Xtensa/XtensaISelLowering.cpp#L1260

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/SystemZ/SystemZISelLowering.h#L339

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/PowerPC/PPCISelLowering.h#L713

[folkertdev]

https://github.com/llvm/llvm-project/blob/5aee01a3df011e660f26660bc30a8c94a1651d8e/llvm/lib/Target/AArch64/AArch64ISelLowering.h#L709

[folkertdev]

r? @workingjubilee

The codegen of VaList::clone is target-specific now, and because minicore does not define VaList it is hard to test. I think it's fine to just test the behavior, and have LLVM use a memcpy when VaList is a struct, or just re-use the pointer value if it's just a pointer.

[rustbot]

workingjubilee is currently at their maximum review capacity.
They may take a while to respond.

[rustbot]

Some changes occurred in compiler/rustc_codegen_cranelift

cc @bjorn3

Some changes occurred to the intrinsics. Make sure the CTFE / Miri interpreter
gets adapted for the changes, if necessary.

cc @rust-lang/miri, @RalfJung, @oli-obk, @lcnr

Some changes occurred in compiler/rustc_codegen_gcc

cc @antoyo, @GuillaumeGomez

[RalfJung]

Implement va_copy as (the rust equivalent of) memcpy, which is the behavior of all current LLVM targets. By providing our own implementation, we can guarantee its behavior.

Didn't we say we would avoid that assumption and also support implementations that do malloc/free in va_copy / va_end? See #t-compiler/const-eval > c-variadics in const-eval @ 💬.

[folkertdev]

That's right, we don't actually impl Copy for VaList, so that a future target could implement a meaningful Clone and Drop. It's just that in practice for all current targets Clone happens to be a memcpy and Drop a no-op

[workingjubilee]

Offering a suggested historical note.

Please feel free to trim it or move it into the PR description itself, down to the amounts you find worthwhile or just amusing to keep (including 0 lines).

r=me after

Thanks!

View changes since this review

[workingjubilee]

Suggested change

	}
	// The only target with a possibly-non-conformant C implementation
	// was Pyramid Technology (usually `#ifdef pyr` in old C headers)
	// which used `#define`s to replace `va_start` and `va_end` with `{ }`
	// and thus needed to be called in the same scope.
	// This should still be irrelevant for *binary* compatibility.
	//
	// Pyramid Technology was acquired by Siemens AG in 1995.
	// Its proprietary arch was replaced by MIPS in 1991[^1][^2]
	// and DCOS/X, its Unix implementation, was replaced by SINIX in 1995[^3].
	//
	// [^1]: ComputerWorld, Vol XXV, No. 16, 1991 April 22nd, from digitized text: https://archive.org/stream/computerworld2516unse/computerworld2516unse_djvu.txt
	// [^2]: "Pyramid Server Uses Mips Chip" from digitized collection: https://archive.computerhistory.org/resources/access/text/2022/03/102739303-05-01-acc.pdf
	// [^3]: https://en.wikipedia.org/wiki/DC/OSx
	}

[folkertdev]

This is fun, but I don't think it is relevant for this comment. The same-scope restriction is a C implementation detail (portable macro assembler and all that), rust (and modern C implementations) don't have that problem.

[workingjubilee]

I'm satisfied with it being part of the PR history, then.

I just wanted to make sure it was incredibly, completely, totally dead. :^)

[RalfJung]

@folkertdev what is your plan for va_copy regarding the const-eval support for this?
ISTM that without the intrinsic, it'll not be possible to catch a bunch of the UB that we had planned to catch?

[RalfJung]

The docs for va_end still reference va_copy. Does va_end even still make sense after this PR?

Also, seems like it is now newly legal to call va_arg multiple times on the same raw VaList representation after duplicating it. The entire protocol for how the code may interact with va_arg is changed quite a bit. That should also be reflected in the docs.

[rustbot]

This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[folkertdev]

Based on further discussion in #t-compiler/const-eval > c-variadics in const-eval, a slight change of plans

• we still no longer call LLVM's va_copy
• we do still have our own va_copy intrinsic that serves as a hook for const evaluation
• va_copy has a fallback body, code generation backends should not provide their own implementation

I've changed the signature of the intrinsic to be more ergonomic, and made it safe because while the hook is used to detect UB, the intrinsic itself is completely safe.

[workingjubilee]

Typo in a field name?

[workingjubilee]

cool!

@bors r+

[rust-bors]

📌 Commit 97e26cb has been approved by workingjubilee

It is now in the queue for this repository.

[workingjubilee]

Actually, hm, right this second, I'm not sure if I...

@bors r-

You! The one who is reviewing now! Answer!
r? @RalfJung

[rust-bors]

Commit 97e26cb has been unapproved.

[folkertdev]

Locally with #150601 I can now get this to emit the error from the comment. So this setup should work in practice.

fn manual_copy() {
    const unsafe extern "C" fn helper(ap: ...) {
        // A copy created using Clone is valid, and can be used to read arguments.
        let mut copy = ap.clone();
        assert!(copy.arg::<i32>() == 1i32);

        let mut u = core::mem::MaybeUninit::uninit();
        unsafe { core::ptr::copy_nonoverlapping(&ap, u.as_mut_ptr(), 1) };

        // Manually creating the copy is fine.
        let mut copy = unsafe { u.assume_init() };

        // Even using it is fine.
        let _ = copy.arg::<i32>();

        // But then using (or dropping) the original is not.
        drop(copy);
        drop(ap);
    }

    const { unsafe { helper(1, 2, 3) } };
    //~^ ERROR va_end on unknown va_list allocation ALLOC0 [E0080]
}

The above also requires some changes to va_end (like having Drop actually call it), but I want to handle that separately because I suspect LLVM may be finicky about that.