native-lib: allow passing structs as arguments

[nia-e]

Blocked on #4456 currently to make rebasing easier when that lands. This allows passing arbitrary structs as arguments to native code; receiving a struct as a return value is not yet implemented. Also includes a couple of tests.

I figured the review queue looked a bit too empty :D

[nia-e]

Is this correct? I think it's UB, but maybe if the user intentionally sets #[allow(improper_ctypes)] we might just want to report this as unsupported instead of UB?

[RalfJung]

Yeah, reporting this as "unsupported" is better.

[nia-e]

Think this is ready for review. I split off a bunch of the new code this introduces into a different file to not pollute native_lib/mod.rs too much more than it already is

@rustbot ready

[nia-e]

Seems like there's some trouble here, nvm.

@rustbot author

[rustbot]

Reminder, once the PR becomes ready for a review, use @rustbot ready.

[nia-e]

Should be fixed. Also bumped the libffi version since apparently there was a soundness issue that got resolved since the previous version we were on; that wasn't the cause of my test failures, but it's probably smart to include it anyways. There's a couple // TODO:s, but those are either out of scope for this first PR (unions) or things I'm just uncertain of and need advice (the other 2).

@rustbot ready

[RalfJung]

Thanks! libffi is much cooler than I expected. :)

I have some ideas for how we could unify the scalar and struct handling... but I think that's better done in a follow-up PR, so I'll post some things on Zulip.

@rustbot author

[RalfJung]

Can you explain what this means in a self-contained way, rather than referencing other concepts the reader is unlikely to know?

Also, it's odd to lead with this being a "type" when it is called "arg".

[RalfJung]

The prefixes "C" and "Ffi" don't do a great job reflecting "owned" and borrowed.

So what about OwnedArg and BorrowedArg? The "downcast" function (also an odd name, what does it downcast?) can then be called borrow.

CPrimitive could be called ScalarArg as that seems to match what we use it for.

Also, please generally define types bottom-up and with increasing complexity/subtlety, to simplify reading the file in order:

• ScalarArg
• OwnedArg
• BorrowedArg

[RalfJung]

This doesn't have to be a struct, right? It can be any type that FfiType can represent, which includes basic integers.

[nia-e]

I'll change the name, presumably the next PR idea which you brought up on Zulip would make this enum redundant anyway

[RalfJung]

Yeah, reporting this as "unsupported" is better.

[RalfJung]

The file these tests are in is called "scalar_arguments". Do these arguments you are passing here ,ook like scalars to you? :)

Please make a new file for aggregate arguments.

[RalfJung]

Yes, that would be okay. But let's leave it to a future PR, since a repr(transparent) wrapper around e.g. i32 should also be supported and that'll be a bit more interesting -- it's going to be an Immediate.

[RalfJung]

The same snippet will be needed in the struct case, so please make this a helper function.

[nia-e]

Hm, I rebased on master to make use of get_range() here as well and it seems like repr(C) structs can be immediates now (or at least, it causes tests to fail with that reason). Should I do the refactor you mentioned on Zulip in this branch? It's already mostly written locally

[rustbot]

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

[RalfJung]

Hm, I rebased on master to make use of get_range() here as well and it seems like repr(C) structs can be immediates now (or at least, it causes tests to fail with that reason). Should I do the refactor you mentioned on Zulip in this branch? It's already mostly written locally

Turns out repr(C) types cannot be Scalar, but they can be ScalarPair... so yeah we'll have to include that refactor in this PR I guess.

[RalfJung]

Here you are doing the equivalent of casting a pointer to an integer and back. Please don't. You can get the alloc ID from the pointer directly.

[RalfJung]

Specifically, please use ptr_get_alloc_id. That also gives you the offset inside the allocation.

However, you'll need to first separately handle the zero-sized case. mplace.ptr() might not point to an Allocation if the type has size 0.

[nia-e]

Are ZSTs allowed over FFI? I was under the impression that there's no way to represent them in C so I figured just erroring here makes sense

[RalfJung]

I guess erroring is fine but that still require a separate check to print a non-obscure error.

[RalfJung]

Round-tripping through a Vec seems odd?

[nia-e]

Fair, I guess it's pretty easily avoidable

[nia-e]

Should be good. I couldn't use your suggestion of write_target_uint since that only takes a u128 while a scalar pair could be up to 256 bits, so I had to adjust its logic to account for 2 scalars. Frankly that whole section could belong in a separate function to turn an immediate into bytes, but if one exists I couldn't find it.

I had also added some tests for that code (passing structs that were a: i32, b: i16 and a: i16, b: i32 so that there might be alignment padding between the fields) but removed them from here since test_pass_struct already handles the tricky case (second field with greater align than the first).

[RalfJung]

Should be good. I couldn't use your suggestion of write_target_uint since that only takes a u128 while a scalar pair could be up to 256 bits

You should be calling write_target_uint twice then, once for each scalar.

[RalfJung]

Suggested change

	throw_unsup_format!("Attempting to pass a ZST over FFI");
	throw_unsup_format!("attempting to pass a ZST over FFI");

[RalfJung]

Have a look at https://github.com/rust-lang/rust/blob/ece1397e3ff40e7f8a411981844a8214659da970/compiler/rustc_const_eval/src/interpret/place.rs#L716-L732 for how to determine the offset of the 2nd field.

[RalfJung]

You should not be doing your own endianess handling. write_target_uint can do that for you.

[RalfJung]

@rustbot author

[nia-e]

@rustbot ready

[RalfJung]

This comment is entirely in the wrong place now... previously it referred to a std::ptr::with_exposed_provenance_mut, now it stopped making any sense. Please ask before just taking random guesses as to where to put such comments.

[nia-e]

Is it wrong? If either scalar is a pointer, the code under the comment exposes provenance only in the AM; then later when visit_reachable_allocs is called it'll do alloc.get_bytes_unchecked_raw().expose_provenance() on the allocation said pointer points to. Unless I misunderstood the meaning of that comment, that's what it referred to in the first place

[RalfJung]

It's correct that the code below only exposes the ptr in the AM. But the claim that this act somehow relies on the ptr also being exposed in the "host" makes no sense. That referred to the with_exposed_provenance_mut, which as per its documentation requires a prior call to expose_provenance, and the comment was explaining where that expose_provenance happened.

The new code side-steps the with_exposed_provenance_mut, making it less clear where to put the comment. But this here is definitely the wrong spot.

[RalfJung]

I've done some refactoring and cleanup, found it easier to just edit the code than write it out.^^ Please take a look at the commit I added and use that to train your model for future Miri PRs. ;)

[RalfJung]

In particular, I got rid of some unsafe code here.

[nia-e]

Ty! Glad this is good now ^^