Emit retags in codegen to support BorrowSanitizer.

[icmccorm]

Tracking issue: #154760

Retags are the core operation of Stacked and Tree Borrows—they update the tags of references within a place. Knowing when to retag requires information that is not available below the MIR level. BorrowSanitizer, and any similar tool, needs a way to represent retags in lower-level representations of Rust programs to be able to find aliasing bugs with native instrumentation.

This PR adds experimental support for emitting retags during codegen as function calls. This is enabled by the flag -Zcodegen-emit-retag. These functions are not implemented anywhere. They are just a useful vehicle for carrying type information.

There are two variants of the retag function. We use the first variant to retag pointers that are already loaded into a register. It returns an alias with the same address, but different provenance.

ptr __rust_retag_reg(ptr, ..)

We use the second variant to retag pointers that are stored within a place. Its first parameter is a pointer to the place where the pointer that needs the retag is stored.

void __rust_retag_mem(ptr, ..)

We need this for compatibility with LLVM's readonly annotation. Otherwise, we'd be loading the pointer, retagging it with the reg variant, and storing it back to the place that it came from, which would be undefined behavior. The other parameters are the same across both variants and are documented in the relevant module. These are slightly different than what's appeared in all prior proposals.

These retags follow Tree Borrows semantics. We retag Box and reference-type arguments, return values, and rvalues of assignments. Raw pointers are not retagged. We recurse into fields and branch on the variants of each type.

Questions/Concerns:

• This adds support for emitting phi nodes through codegen_ssa.
• I expect this will need more documentation (unstable book?) and possibly more tests, pending feedback.

Related:

• change the type of the argument of drop_in_place lang item to &mut _ #154327 - We don't need a special case for drop glue once it takes &mut _
• Make retags an implicit part of typed copies #154341 - We can skip retagging Rvalue::Use(_, WithRetag::No)

cc: @RalfJung, @tmandry

[rustbot]

The GCC codegen subtree was changed

cc @antoyo, @GuillaumeGomez

[rustbot]

r? @jieyouxu

rustbot has assigned @jieyouxu.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

Why was this reviewer chosen?

The reviewer was selected based on:

• Owners of files modified in this PR: codegen, compiler
• codegen, compiler expanded to 73 candidates
• Random selection from 20 candidates

[bjorn3]

A pointer to a constant array, right?

View changes since the review

[bjorn3]

Mind giving these fields names? A plain bool doesn't explain what it means.

View changes since the review

[bjorn3]

I intentionally remove the phi method a while back in b71c429 as not every codegen backend uses phi nodes for SSA. Cranelift for example uses block params instead. I replaced the only use of it with a single method representing the high level operation where it was previously whose cg_llvm implementation uses phi nodes: write_operand_repeatedly

View changes since the review

[icmccorm]

It sounds like we will need to introduce a temporary alloca, instead.

[jieyouxu]

@rustbot reroll

[rust-log-analyzer]

The job aarch64-gnu-llvm-21-2 failed! Check out the build log: (web) (plain enhanced) (plain)

Click to see the possible cause of the failure (guessed by this bot)

##[endgroup]
Executing "/scripts/stage_2_test_set2.sh"
+ /scripts/stage_2_test_set2.sh
+ '[' 1 == 1 ']'
+ echo 'PR_CI_JOB set; skipping tidy'
+ SKIP_TIDY='--skip tidy'
PR_CI_JOB set; skipping tidy
+ ../x.py --stage 2 test --skip tidy --skip tests --skip coverage-map --skip coverage-run --skip library --skip tidyselftest
##[group]Building bootstrap
    Finished `dev` profile [unoptimized] target(s) in 0.04s
##[endgroup]
---
   Compiling rustc_interface v0.0.0 (/checkout/compiler/rustc_interface)
error[E0433]: cannot find type `CodegenRetagOptions` in this scope
   --> compiler/rustc_interface/src/tests.rs:778:39
    |
778 |     tracked!(codegen_emit_retag, Some(CodegenRetagOptions::default()));
    |                                       ^^^^^^^^^^^^^^^^^^^ use of undeclared type `CodegenRetagOptions`
    |
help: consider importing this struct
    |
  2 + use rustc_session::config::CodegenRetagOptions;
    |

[RUSTC-TIMING] rustc_macros test:true 7.972
   Compiling rustc_public v0.1.0-preview (/checkout/compiler/rustc_public)
error[E0609]: no field `llvm_emit_lifetime_markers` on type `rustc_session::config::UnstableOptions`
   --> compiler/rustc_interface/src/tests.rs:819:14
    |
754 |             assert_ne!(opts.unstable_opts.$name, $non_default_value);
    |                                           ----- due to this macro variable
...
819 |     tracked!(llvm_emit_lifetime_markers, true);
    |              ^^^^^^^^^^^^^^^^^^^^^^^^^^ unknown field
    |
    = note: available fields are: `allow_features`, `allow_partial_mitigations`, `always_encode_mir`, `annotate_moves`, `assert_incr_state` ... and 95 others

[RUSTC-TIMING] rustc_driver_impl test:true 2.099
   Compiling rustc_passes v0.0.0 (/checkout/compiler/rustc_passes)
Some errors have detailed explanations: E0433, E0609.
For more information about an error, try `rustc --explain E0433`.

[icmccorm]

At @RalfJung's suggestion, I'll be closing this in favor of multiple, smaller PRs. @bjorn3, I'll make sure to integrate your comments in the subsequent versions.