Add core::ptr::assume_moved

[mrkajetanp]

Add a helper for primitive pointer types to facilitate modifying the address of a pointer. This
mechanism is intended to enable the use of architecture features such as AArch64 Top-Byte Ignore
(TBI) to facilitate use-cases such as high-bit pointer tagging. An example application of this
mechanism would be writing a tagging memory allocator.

Rendered

[ChayimFriedman2]

Is there a reason we can not just say changing the upper bits has no impact on a pointer if an appropriate tagging scheme is available, without need for additional methods?

[mrkajetanp]

Yes, the reason is that even if the hardware understands a particular tagging scheme, the memory model in Rust and LLVM does not. Setting a tag on a pointer, even though it has no impact on the hardware side, makes the memory model think the pointer has now been offset outside of its original allocation and thus any access to it is Undefined Behaviour.

To be able to do this we need a helper method that simulates a "realloc" from the untagged address to the tagged address to make the memory model happy.
Specifically, we need the helper method to return a pointer that LLVM IR will annotate as noalias.
Relevant section from the linked LLVM doc:

On function return values, the noalias attribute indicates that the function acts like a system memory allocation function, returning a pointer to allocated storage disjoint from the storage for any other object accessible to the caller.

[RalfJung]

Cc @rust-lang/opsem

[lolbinarycat]

these should probably be associated functions, not methods.

also, this seems to ignore another type of pointer tagging, often used by interpreters, where the bottom bits (otherwise always zero because of alignment) are used to tag the type of the object.

[RalfJung]

Is there a reason we can not just say changing the upper bits has no impact on a pointer if an appropriate tagging scheme is available, without need for additional methods?

This question should indeed be answered in the RFC text, not just in the discussion thread.

(This RFC could have benefited from a pre-RFC phase, posting it on the forum to get some feedback to ensure that it has all the expected details.)

[RalfJung]

Thanks for posting the RFC! However, I think it wasn't quite ready yet. Here's some first feedback. This RFC is still lacking most of the relevant details, so I didn't proceed beyond the reference-level section.

[RalfJung]

The term "tag of a pointer" means a lot of different things, and often it means something different from how you are using the term here. So the RFC should clarify the terminology it uses. This is, AFAIK, not meant to be a general pointer tagging mechanism. No RFC is even needed for that. It is specific for working with hardware that ignores certain bits of a pointer.

[mrkajetanp]

The thinking is that hardware that ignores certain bits of a pointer is only relevant if you're setting those bits to some values, i.e. in the context of pointer tagging. Thus, the way to add support for such hardware is through a mechanism for pointer tagging. Does that reasoning make sense?

This is still a bit of an open question, there are several directions we could go with this. The tricky part is that different architectures have support for something similar, but the details (which exact bits are ignored) may vary.
On that account I'm not sure whether it'd be better to try and make a general high-bit pointer tagging mechanism that could be used across architectures, or whether it'd be better to just upstream e.g. aarch64-specific functions into core_arch and maybe then think about a generic one that just calls into those depending on the platform.
I don't really have very strong opinions here.

[RalfJung]

I'm just pointing out the RFC is written in a confusing way. I would suggest to make it very targeted specifically for "supporting hardware that ignores some bits in a pointer", rather than general pointer tagging. This should become clear already in the summary and the first paragraph of the motivation.

[RalfJung]

To be clear, userspace can already do that without hardware support, trivially. By masking out those bots for each load. The hardware feature just makes this slightly more efficient.

I find the introduction to be a bit confusing due to this.

[RalfJung]

Suggested change

	Currently, Rust does not acknowledge TBI and related architecture extensions that enable the use of
	tagged pointers. This could potentially cause issues in cases such as working with TBI-enabled C/C++
	components over FFI, or when writing a tagging memory allocator.
	Currently, Rust does not support directly using TBI and related architecture extensions that simplify the use of
	tagged pointers. This could potentially cause issues in cases such as working with TBI-enabled C/C++
	components over FFI, or when writing a tagging memory allocator.

[RalfJung]

The RFC should explain what the problem with the use of these extensions in Rust is.

Also, it is very odd to see interop with C/C++ as the motivation here, given that those languages do not support TBI either (which is another relevant fact the RFC should mention).

[mrkajetanp]

Well they don't support it "fully" on a language level, as in you can't just tag arbitrary pointers with no issues, but they sort of do in that there are currently C/C++ components running in production that operate on TBI-enabled pointers.
I want to make it possible to, say, write a custom allocator which internally just calls malloc, puts some tag in the pointer it got from malloc and then returns that pointer to the user.

[RalfJung]

I don't doubt there's C/C++ code in production that causes UB and works anyway, but since we are going for a UB-free approach here as we always do, it is not a fair comparison to claim that C/C++ already supports this in a way Rust wouldn't.

[RalfJung]

The guide-level explanation should give a guide for how to think about these functions and what they do.

This is where you have to explain that tag is basically realloc. Currently, realloc suddenly appears in "drawbacks", which nobody reading the RFC will understand.

Remember that an RFC is supposed to be a self-contained document such that everyone who is reasonably well-versed in Rust but knows nothing about the particular problem domain can understand what problem the RFC is trying to solve, and how it is trying to solve it. Your RFC is missing a lot of background and explanation to make it satisfy this requirement.

[RalfJung]

Suggested change

	its original allocation, making any use of it Undefined Behaviour.
	its original allocation, making any load/store with that pointer Undefined Behaviour.

"any use" is not correct, e.g. wrapping_offset or == on such a pointer are completely fine.

[RalfJung]

This section should contain the full signature of the newly proposed methods, and their doc comments (see the existing pointer methods for how our doc comments look like), so that we have an exact description of what the proposal even is. You can't just propose two function names and leave the details for later, when the entire reason that an RFC is even needed is that those details are far from simple.

[mrkajetanp]

Yes for sure, the reason they're not there yet is that I wanted to ask for outside opinions before settling in on what those signatures should be and what the exact methods should actually look like. My bad that it didn't come across as intended.
The concrete part of the proposal is that we should have a function/method to set the high-bit tag of a pointer & one to retrieve it, the other details such as the name, where it should live or what it should entail are still in flux.

[RalfJung]

That's not correct. Pointer tagging works perfectly fine and is a commonly used technique in Rust. The memory model is just not compatible with loading from a tagged pointer without first removing the tag.

[mrkajetanp]

That's why I wrote "not fully compatible" - you can make it work, just not as smoothly as one would like given what the hardware can support.
Besides, if you remove the tag, would that not make the result a different pointer? They won't compare equal after all.
Either way, I can clarify for sure if it's not self evident.

[Diggsey]

Why can't this be done by the backend?

ie. I write my code as *(ptr & mask), and then the backend optimizes that to *ptr if it's known that the CPU automatically ignores the bits that were masked out? (This has the obvious benefit that the code is automatically portable to other architectures without that feature...)

[matthieu-m]

To be able to do this we need a helper method that simulates a "realloc" from the untagged address to the tagged address to make the memory model happy.

Is simulating a realloc correct, though?

Consider the following code:

void *original = /*...*/;

void *copy = original;

void *tagged = realloc(original, ...);

Now, according to the semantics of realloc, it is guaranteed that tagged has no alias, and indeed this is the reason why at LLVM level the noalias attribute is specified.

However, if my understanding of TBI is correct, this is not what happens here.

Specifically, copy and tagged are alias of each others! And if codegen assumes that update through copy do not modify what tagged points to (or vice-versa), we'll have Undefined Behavior.

Am I misunderstanding TBI or noalias?

[programmerjake]

To be able to do this we need a helper method that simulates a "realloc" from the untagged address to the tagged address to make the memory model happy.

Is simulating a realloc correct, though?

Consider the following code:

void *original = /*...*/;

void *copy = original;

void *tagged = realloc(original, ...);

Now, according to the semantics of realloc, it is guaranteed that tagged has no alias, and indeed this is the reason why at LLVM level the noalias attribute is specified.

However, if my understanding of TBI is correct, this is not what happens here.

Specifically, copy and tagged are alias of each others! And if codegen assumes that update through copy do not modify what tagged points to (or vice-versa), we'll have Undefined Behavior.

you have UB if you try to do any accesses through original or anything derived from it, a realloc essentially marks original as deallocated memory inside the compiler. so it is still noalias since after the realloc, the only valid pointer is tagged, even though you're just changing the pointer tag.

[RalfJung]

@matthieu-m this model definitely makes some code UB that would be correct when using TBI in an assembly program. However, we have to impose some restrictions to make TBI compatible with higher-level language models such as Rust (and the same goes for C and C++). realloc is the best plan we came up with so far -- and yes, this means that after choosing a new tag, all previous pointers to this memory are now invalid. Including the ones that used the same tag! This operation returns a fresh provenance, and all future accesses must be done with pointers that are derived from the pointer returned by with_tag.

[matthieu-m]

The discrepancy caused by LLVM (and Rust) not understanding the concept of TBI is fairly unfortunate.

I think it should be noted in Future Possibilities that the choice of using a realloc-like method for now is future-compatible with LLVM and Rust gaining an understanding that only the bottom 56 bits of the pointer matter, and that when they do the constraints could be relaxed -- if we so wish -- to allow original & copy to still be valid (and aliased).

That is, while overly restrictive today, the drawback of the selected model is not painting us into a corner as far as I can see.

[Diggsey]

realloc is the best plan we came up with so far

Why is this better than explicitly masking off the bits and then having that mask be optimized away?

[RalfJung]

gaining an understanding that only the bottom 56 bits of the pointer matter,

Well, sometimes they get ignored, and sometimes all bits matter. This seems highly non-trivial, but I am not an expert on the relevant LLVM passes.

Why is this better than explicitly masking off the bits and then having that mask be optimized away?

That also sounds like an option, if LLVM supports it.

[Diggsey]

That also sounds like an option, if LLVM supports it.

It seems like LLVM knows about it, but doesn't currently have a pass that optimizes for it:
https://github.com/search?q=repo%3Allvm%2Fllvm-project%20UseAddressTopByteIgnored&type=code

Seems like it would make more sense to add this functionality to LLVM rather than Rust though.

[mrkajetanp]

(This RFC could have benefited from a pre-RFC phase, posting it on the forum to get some feedback to ensure that it has all the expected details.)

Indeed, I should have at least marked it as draft from the get-go, or started with the forum as you suggest. This was intended as a conversation starter, it's by no means a ready proposal. I'm fully expecting to re-write this with more information, just want to get some outside opinions and fresh eyes on the direction first.

[mrkajetanp]

Why can't this be done by the backend?

ie. I write my code as *(ptr & mask), and then the backend optimizes that to *ptr if it's known that the CPU automatically ignores the bits that were masked out? (This has the obvious benefit that the code is automatically portable to other architectures without that feature...)

That does sound like something that could be a useful LLVM pass, especially for compatibility with different platforms.
But I think that's a different aspect from the use-case that this PR is meant to support. What we want here is a "Rust-way" to do the following:

let addr = &value as *const _ as usize;
let tag = 60;
let tagged_addr = addr | (tag << 56);
let ptr = tagged_addr as *const i32;
let val = unsafe { *ptr };

The snippet above will currently compile & work "fine" on a TBI system, except that Miri will rightly complain that the code has UB. The end goal of this proposal is to create an interface for top-byte tagging that does not break the memory model. This is separate from making those always safe to dereference, for which the LLVM pass would be helpful.

[Diggsey]

@mrkajetanp

But I think that's a different aspect from the use-case that this PR is meant to support.

It's not different. Methods already exist to do what you are trying to do:

fn mask_addr(addr: usize) -> usize {
    addr & 0xFFFFFFFFFFFFFF
}
let tag = 60;
let tagged_ptr = (&value as *const _).map_addr(|addr| addr | (tag << 56));
let val = unsafe { *tagged_ptr.map_addr(mask_addr) };

This is completely sound under MIRI and doesn't require any extensions to the Rust abstract machine. The only bit that's missing is a compiler optimization that erases the .map_addr(mask_addr) on platforms where that is a no-op.

[mrkajetanp]

This is completely sound under MIRI and doesn't require any extensions to the Rust abstract machine

If I'm understanding what you're suggesting correctly, under this model the users would need to write out ptr.map_addr(mask_addr) for every single pointer access, no? Because without that even on a platform that ignores those bits Miri will complain as within the memory model ptr is currently pointing outside of its allocation.
If this was done inside some allocator wrapper (as it is currently being used in Android for instance) then every single pointer returned to the user would be UB to access unless the user explicitly masked those bits out. Surely that can't be a good approach?

[mrkajetanp]

@RalfJung Should I then re-write this based on the already received comments and then post on Rust Internals?

[Diggsey]

If this was done inside some allocator wrapper (as it is currently being used in Android for instance) then every single pointer returned to the user would be UB to access unless the user explicitly masked those bits out.

Fair enough - the proposed API seems a bit too high level for this allocator use-case though? Wouldn't the primitive operation be something like "realloc" but where you specify the target address? And there doesn't need to be an explicit tag() method, since you can always safely access the address of a pointer.

[mrkajetanp]

Wouldn't the primitive operation be something like "realloc" but where you specify the target address?

It certainly could be if that's the community consensus, I don't have very strong views on what the exact API should look like - my intention when posting this was to get opinions on that exact question. Next time around I'll go through Internals first, I suppose I took the request for comments term a bit too literally for how it's used here :)

And there doesn't need to be an explicit tag() method

True as well, the intent there is just for convenience. Because different architectures can use different bits for the tagging it'd make sense to have a corresponding tag() method just so that the user can set and retrieve tags without having to write code for a specific architecture.
If we just want to support something like realloc(target_addr) but for tagging then the explicit tag() method is not needed as we're leaving it up to the user to work out the specific bits to get and set anyway.

[RalfJung]

I also think a lower-level API that focuses on the realloc-like operation is better, but I am not a t-libs-api member. I also sadly don't have the capacity to be much further involved in this. I think I gave some good starting points for how the RFC could be improved, and clarified what we generally expect from RFCs. Posting an improved version to IRLO sounds like a good plan. :)

[Diggsey]

The realloc approach would also support cases where virtual memory mappings are used for a similar purpose on platforms without hardware support for pointer tagging (ie. where you map the same physical memory to two or more virtual address ranges).

[RalfJung]

The realloc approach would also support cases where virtual memory mappings are used for a similar purpose on platforms without hardware support for pointer tagging (ie. where you map the same physical memory to two or more virtual address ranges).

I don't think Rust will have standard APIs for manipulating page tables? ;)

I was going to say, I don't think this is ready yet for a portable API. It makes little sense to try and sketch a portable API that has exactly one target implementation. The RFC should focus in providing APIs for platform-specific capabilities, e.g. in core::arch. A portable API can be experimented with as a user crate, since some experimentation will be required before it becomes clear what a good API looks like.

[programmerjake]

I don't think Rust will have standard APIs for manipulating page tables? ;)

that doesn't matter if you can still use mmap or similar to make two mappings for the same piece of memory -- it would be nice if rust can handle that case.

This is kinda similar to how Rust doesn't have a std thread API on some targets (because they're #![no_std]), but Rust still needs to properly handle running code in different threads that were started by some mechanism outside of the Rust standard library (unless the target is specifically single-threaded only, such as wasm32-unknown-unknown)

[RalfJung]

that doesn't matter if you can still use mmap or similar to make two mappings for the same piece of memory -- it would be nice if rust can handle that case.

mmap is an opaque operation to Rust. If you use it to relocate an allocation, you can already treat it like a realloc. You just have to make sure that you stop using the old pointer after the realloc, and instead use the one returned by mmap.

[programmerjake]

that doesn't matter if you can still use mmap or similar to make two mappings for the same piece of memory -- it would be nice if rust can handle that case.

mmap is an opaque operation to Rust. If you use it to relocate an allocation, you can already treat it like a realloc. You just have to make sure that you stop using the old pointer after the realloc, and instead use the one returned by mmap.

i meant that you'd mmap the exact same memory to two locations and then use the realloc intrinsic to access both of them without any further mmap calls needed:
https://play.rust-lang.org/?version=stable&mode=release&edition=2021&gist=27b03de9ba18d73a1e60badc1e5b3267

[mrkajetanp]

Updated the RFC based on the discussion on internals:
https://internals.rust-lang.org/t/pre-rfc-core-simulate-realloc/21745

[RalfJung]

Bikeshed: I find "assume" to be not a great choice here, since usually "assume(X)" means "either X is true or we have UB". But here it's actually fine for the allocation to not have moved at all.

It's more like, we are telling the AM that a move happened. I found "simulate" a better term than "assume". We could also use some other term of art like "axiomatic_move" or "abstract_move".

[mrkajetanp]

I think this is mostly subjective, arguments can be made for several different names. As I said in the internals thread, if someone from the libs/opsem team blesses a particular name I'm happy to just change it to that, whatever it may be. I don't have a particularly strong preference of my own.

[RalfJung]

It's also easy to rename later so the name does not have to be final in the RFC. (That should be mentioned under "open questions".)

[mrkajetanp]

Added that section back as requested :)

[traviscross]

since usually "assume(X)" means "either X is true or we have UB". But here it's actually fine for the allocation to not have moved at all.

The assume_moved name is growing on me, since I'm struggling to come up with a better one. The way I read it in this context is that the compiler gets to assume that the programmer is treating the "move" as having happened, and in particular, that 1) the memory was copied and 2) the programmer is not going to dereference that original pointer after the call.

So in your model, that's what I fill in for "X" here. Either the programmer set things up as though for a move and, after this call, will behave as though a move happened, or we have UB.

That seems to align with the current safety comment:

SAFETY: Users must ensure that new_address actually contains the same memory as the original... after using this function, users must ensure that the underlying memory is only ever accessed through the newly created pointer. Any accesses through the original pointer (or any pointers derived from it) would be undefined behavior.

[RalfJung]

FWIW doing this in the global_allocator in Rust is "probably also fine", same as in C/C++. Those are not inlined and so the compiler won't see the problematic pointer manipulations. The allocator is already special and it could be possible to fold this magic into that existing magic. (It'd still be nicer to do something proper. I just don't want there to be the impression that Rust somehow supports this less than C/C++ do.)

The main case where new language support is required is when doing this inside regular code.

[mrkajetanp]

Should I ping someone or make a thread on Zulip or something of the sort? There's been no movement for a good while, just wanna make sure it doesn't get lost.

[RalfJung]

Is this equivalent to just calling black_box?

Give that black_box is documented as just a hint, this should be marked as a hack that we use for codegen backends which don't have a proper way to represent this operation.

We probably want to make this an intrinsic, and then each backend can decide to implement this either like black_box or in a more direct way. The RFC shouldn't specify the exact implementation, but instead describe the concerns backends have to be aware of here.

[mrkajetanp]

I'm not sure whether it's 1:1 equivalent to black_box, this was originally suggested by @Amanieu as a solution to the problem. I'll update the RFC with a note about this being just an example implementation and the concerns as requested.

[programmerjake]

i expect it to not be equivalent to black_box (since that's documented to be just a hint), but to be equivalent to the inline asm that black_box is currently implemented with since rustc and llvm theoretically have no way of knowing you aren't calling realloc from inside the inline asm.

[RalfJung]

Yes that's what I meant, I should have been more precise -- a backend can decide that its black_box impl is sufficient for this purpose, but a user cannot assume them to be equivalent.

[RalfJung]

From an opsem perspective this is coherent, as far as I can tell. @rust-lang/opsem please chime in if you have any comments.

Nominating for @rust-lang/lang to get some idea of their thoughts on this language extension.

[traviscross]

Nominating for @rust-lang/lang to get some idea of their thoughts on this language extension.

@rustbot labels -I-lang-nominated +I-lang-radar

We discussed this in the lang call today with 2/5 present (and with @Amanieu). We generally felt positively about this. We understood and agreed with the use case.

On the name, while there was some initial skepticism of "move" being in there, it ended up growing on everyone after considering how this is tied in with making a guarantee about (the lack of) aliasing. Separately, we agreed with RalfJ's reservations about "assume", given the signature.

[mrkajetanp]

We discussed this in the lang call today with 2/5 present (and with @Amanieu). We generally felt positively about this. We understood and agreed with the use case.

Thank you for the update! Is there anything I should do on that account, or are we giving it more time before taking any specific steps?

[traviscross]

We didn't have any specific asks. We'll probably just need to have a closer look, and maybe bikeshed the name a bit, before proposing FCP.

[traviscross]

Suggested change

	makes loads and stores using the pointer Undefined Behaviour, despite the fact that if such loads
	makes loads and stores using the pointer undefined behavior, despite the fact that if such loads

Please change this throughout. We don't capitalize "undefined behavior" just as we don't capitalize "race condition". (And we generally go with the American English spelling.)

[kennytm]

there are lots of capitalized "Undefined Behavior" in the libstd doc e.g. https://doc.rust-lang.org/1.86.0/std/primitive.pointer.html#safety-9 maybe those should also be lowercased

[traviscross]

Yes, we've been cleaning this up incrementally. Feel free to put in a PR there (and ping me on it).

[the8472]

So how does this interact with allocation-eliding optimizations?

[programmerjake]

I expect it doesn't have any allocation-eliding optimizations in LLVM, since those require more than just noalias on the return type, e.g. malloc has the additional function attributes:
allockind("alloc,uninitialized") allocsize(0) "alloc-family"="malloc"

[RalfJung]

The sentence in the RFC makes little sense: a noalias return attribute only adds more UB. So this attribute can never be required to ensure desired behavior, it can only be required to ensure more optimizations.

[traviscross]

Let's please move discussion of the name to the rationale and alternatives section. I'd prefer we make a presumptive decision on this at the RFC step and not leave it as an unanswered question.

[traviscross]

@RalfJung, what are your thoughts on this? Do we need to leave this as an open question, or do we have any answers here? It would seem a substantial open question to leave.

[RalfJung]

I can't follow the arguments in the text as all -- what it proposes for LLVM makes little sense to me. I'd like to hear from @nikic what the best way would be to model this for LLVM; my proposal would be an inline asm block.

From the Rust side, we can just say that this is a realloc with a chosen address (and it is UB if that would make the allocation overlap with some other allocation). I don't know which potential problems with strict provenance the RFC refers to.

[traviscross]

Suggested change

	```
	```rust

Please add this below as well.

[traviscross]

I've now had the opportunity to review this thoroughly. It's well written and well motivated. Thanks both to the author for that and to @RalfJung, who asked a lot of the right questions above to sharpen this up.

As discussed above, I'd like us to pare down the unanswered questions to the degree possible. Personally, I'm happy enough with the name assume_moved as proposed. And to the degree that we could speak more now about the interaction of this with strict provenance, I think that would be good to do in terms of making a complete and self-contained proposal here.

After those points are addressed, I'm planning to propose FCP merge on this RFC.