mem::uninitialized: mitigate many incorrect uses of this function

[RalfJung]

Alternative to #98966: fill memory with 0x01 rather than leaving it uninit. This is definitely bitewise valid for all bool and nonnull types, and also those Option<&T> that we started putting noundef on. However it is still invalid for char and some enums, and on references the dereferenceable attribute is still violated, so the generated LLVM IR still has UB -- but in fewer cases, and dereferenceable is hopefully less likely to cause problems than clearly incorrect range annotations.

This can make using mem::uninitialized a lot slower, but that function has been deprecated for years and we keep telling everyone to move to MaybeUninit because it is basically impossible to use mem::uninitialized correctly. For the cases where that hasn't helped (and all the old code out there that nobody will ever update), we can at least mitigate the effect of using this API. Note that this is not in any way a stable guarantee -- it is still UB to call mem::uninitialized::<bool>(), and Miri will call it out as such.

This is somewhat similar to #87032, which proposed to make uninitialized return a buffer filled with 0x00. However

• That PR also proposed to reduce the situations in which we panic, which I don't think we should do at this time.
• The 0x01 bit pattern means that nonnull requirements are satisfied, which (due to references) is the most common validity invariant.

@5225225 I hope I am using cfg(sanitize) the right way; I was not sure for which ones to test here.
Cc #66151
Fixes #87675

[rustbot]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[rust-highfive]

r? @kennytm

(rust-highfive has picked a reviewer for you, use r? to override)

[5225225]

I don't think address sanitizer cares about uninit memory, I believe it's just memory sanitizer.

I'm away from a computer at the moment so i'll test that once I get a chance. But I think the result of a deref of an uninit pointer will just say you can't use a pointer with that value, not that the pointer itself is uninit.

And use of an all-0x1 filled pointer would be obvious in the asan error, so I think as long as it doesn't impair any checks that asan does, we should only fill for msan

[RalfJung]

we should only fill for msan

You mean only skip the fill for msan?

[5225225]

Ah, yes. only not fill for miri and msan. my bad :)

[Noratrieb]

I really like this idea, but I think this should be reflected in the docs like "using this function may be slower than using MaybeUninit", to discourage use further and avoid surprises for people (even if they shouldn't use it anyways, I can imagine people complaining).

[thomcc]

This might need some lang decision on whether this is the right approach (not sure if it does), and I think kenny tends to be too busy for reviews.

r? @joshtriplett

[RalfJung]

Prior work I forgot to mention: #87032 proposed to make uninitialized return a buffer filled with 0x00. However

• That PR also proposed to reduce the situations in which we panic, which I don't think we should do at this time.
• The 0x01 bit pattern means that nonnull requirements are satisfied, which (due to references) is the most common validity invariant.

[clarfonthey]

However it is still invalid for char

Are you sure? U+1 is a valid character: https://unicode-table.com/en/0001/

[thomcc]

Right, but this will be 0x01010101, which is not.

[RalfJung]

It was just pointed out on Zulip that while this still has LLVM UB for some references (due to 0x01010101 having bad alignment and not being dereferenceable), it does not have LLVM UB for slices of types with alignment one! There we only say dereferenceable(0), since we can only talk about the statically-known part of the size. So that means this PR actually removes LLVM UB entirely from the old versions of hyper that are using mem::uninitiailized.

That makes me even more convinced that this PR is a good step to take. :)

[scottmcm]

I think that, technically, this is just libs -- it's already officially deprecated, so changing the implementation to something slower but less error-prone is a reasonable and logical thing to do entirely in their purview.

IMHO this is a great step. It's simple, it'll plausibly help, and it's naïve enough to not incentivize people to call it, the way a fancy implementation might.

Given that the realistic cases we know about for this are fixed by updating dependencies, let's do it.

[RalfJung]

@scottmcm so, would you like to be the reviewer for this PR? Or should we nominate it for some team(s)?

[rust-timer]

Finished benchmarking commit (48316df): comparison url.

Instruction count

• Primary benchmarks: no relevant changes found
• Secondary benchmarks: 🎉 relevant improvement found

	mean1	max	count2
Regressions 😿 (primary)	N/A	N/A	0
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	-1.0%	-1.0%	1
All 😿🎉 (primary)	N/A	N/A	0

Max RSS (memory usage)

Results

• Primary benchmarks: 🎉 relevant improvements found
• Secondary benchmarks: 🎉 relevant improvements found

	mean1	max	count2
Regressions 😿 (primary)	N/A	N/A	0
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	-1.6%	-2.6%	34
Improvements 🎉 (secondary)	-2.3%	-2.7%	4
All 😿🎉 (primary)	-1.6%	-2.6%	34

Cycles

Results

• Primary benchmarks: 😿 relevant regressions found
• Secondary benchmarks: 🎉 relevant improvement found

	mean1	max	count2
Regressions 😿 (primary)	2.3%	2.6%	2
Regressions 😿 (secondary)	N/A	N/A	0
Improvements 🎉 (primary)	N/A	N/A	0
Improvements 🎉 (secondary)	-1.6%	-1.6%	1
All 😿🎉 (primary)	2.3%	2.6%	2

If you disagree with this performance assessment, please file an issue in rust-lang/rustc-perf.

@rustbot label: -perf-regression

Footnotes

1. the arithmetic mean of the percent change ↩ ↩² ↩³

2. number of relevant changes ↩ ↩² ↩³

[deltoro05]

However it is still invalid for char

Are you sure? U+1 is a valid character: https://unicode-table.com/en/0001/

This URL https://unicode-table.com/ has changed to https://symbl.cc/

[asquared31415]

edit: whoops, i thought this was someone confused about the value, i didn't realize it was a reply updating some info, my bad.

The value used will be 0x01010101_u32, not 0x00000001_u32, and the former is not a valid char.