Description
Just following up from this comment I made here: #85532 (comment)
While LLVM compiled with asserts ensures that no undefined behaviour occurs when calling methods, it does not when compiled without asserts, and this should really be reflected in the signatures for all the various internal methods that just call out to LLVM FFI.
Right now, it's very easy to trigger UB when you're writing an intrinsic, and while it's common for C functions to have all sorts of undocumented preconditions, we should not extend this habit into Rust.
For example, `const_array` will trivially trigger UB if any of the `Value`s passed into it are not actually constant:
- https://doc.rust-lang.org/nightly/nightly-rustc/rustc_codegen_llvm/builder/struct.Builder.html#method.const_array
- https://llvm.org/doxygen/group__LLVMCCoreValueConstantComposite.html#ga3e37d5cc97d6e4da63f6eaa22e469075
And `extract_value` will trigger UB if the index is out of bounds for the given `Value`:
- https://doc.rust-lang.org/nightly/nightly-rustc/src/rustc_codegen_llvm/builder.rs.html#978-981
- https://llvm.org/doxygen/group__LLVMCCoreInstructionBuilder.html#ga21935fb1e744e161e726611778ac1618
Whereas something like `type_i1` is fine and will always be safe to call:
- https://doc.rust-lang.org/nightly/nightly-rustc/rustc_codegen_llvm/context/struct.CodegenCx.html#method.type_i1
- https://llvm.org/doxygen/group__LLVMCCoreTypeInt.html#ga390b4c486c780eed40002b07933d13df
Sure, this will "introduce" unsafe code to, for example, the intrinsics lowering, but the code was already unsafe, and this is just documenting that.
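To illustrate the point, here is an added example (not code from `rustc_codegen_llvm` or LLVM) that sketches the two shapes a binding like `const_array` or `extract_value` can take: the raw FFI call declared `unsafe` with its precondition in a `# Safety` section, and a safe wrapper that checks the precondition before calling it. The `Value` struct and the `*_raw` functions are stand-ins for the opaque LLVM handles and FFI calls.

```rust
/// Stand-in for an LLVM `Value`; the real one is an opaque FFI pointer.
#[derive(Clone, Debug, PartialEq)]
pub struct Value {
    pub is_constant: bool,
    pub fields: Vec<u64>,
}

/// Stand-in for the raw `LLVMConstArray` binding. LLVM requires every
/// element to be a constant; in a no-asserts build a violation is UB,
/// so the Rust signature says so instead of hiding it.
///
/// # Safety
/// Every `Value` in `elts` must be a constant.
pub unsafe fn llvm_const_array_raw(elts: &[Value]) -> Value {
    debug_assert!(elts.iter().all(|v| v.is_constant));
    let fields = elts.iter().flat_map(|v| v.fields.clone()).collect();
    Value { is_constant: true, fields }
}

/// Safe wrapper: checks the precondition up front and reports the index of
/// the first non-constant element instead of silently reaching UB.
pub fn const_array(elts: &[Value]) -> Result<Value, usize> {
    if let Some(i) = elts.iter().position(|v| !v.is_constant) {
        return Err(i);
    }
    // SAFETY: every element was checked to be constant just above.
    Ok(unsafe { llvm_const_array_raw(elts) })
}

/// Stand-in for the raw `LLVMBuildExtractValue` binding.
///
/// # Safety
/// `idx` must be in bounds for the aggregate `agg`.
pub unsafe fn llvm_extract_value_raw(agg: &Value, idx: usize) -> u64 {
    debug_assert!(idx < agg.fields.len());
    *agg.fields.get_unchecked(idx)
}

/// Safe wrapper that makes the bounds precondition explicit in the type.
pub fn extract_value(agg: &Value, idx: usize) -> Option<u64> {
    if idx >= agg.fields.len() {
        return None;
    }
    // SAFETY: `idx` was bounds-checked just above.
    Some(unsafe { llvm_extract_value_raw(agg, idx) })
}
```

Either shape is defensible; what the issue argues against is the third option, a safe-looking `fn` whose precondition exists only in LLVM's documentation.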
@rustbot label T-compiler