Rewrite pointer::with_addr implementation

[WaffleLapkin]

This commit changes the impl from (essentially)

ptr.wrapping_byte_offset(new_addr - self.addr())

to

ptr.wrapping_byte_sub(self.addr()).wrapping_byte_add(new_addr)

While being essentially the same (a-a+b vs a+(b-a)) new implementation generation 2 GEPs, instead of an arithmetic + 1 GEP, which turns out to be easier for LLVM to optimize and reason about.
_{(ptradd instead of getelementptr when .-.)}

---

Idea by @scottmcm, should fix the problem I've found while working on #110243, which I documented in the LLVM issue: llvm/llvm-project#62093 (TL;DR: the code for .map_addr(|a| a << 2) does not get optimized properly).

• Here is a comparison specifically for addr << 2: https://rust.godbolt.org/z/T4oWfx4sb
• LLVM-IR comparison between different impls: https://rust.godbolt.org/z/WhKa7b8dd (the new impl is technically more llvm-ir, but it looks like this form is easier to optimize/reason about/etc at least atm)

[rustbot]

r? @m-ou-se

(rustbot has picked a reviewer for you, use r? to override)

[nikic]

Upstream patch: https://reviews.llvm.org/D148341

I'm not sure this is a good idea -- I expect that this will optimize worse in cases where you aren't doing something extremely weird.

Also worth noting that this formulation is not CHERI compatible.

[scottmcm]

As I was playing yesterday, I noticed another possible implementation:

Suggested change

	self.wrapping_byte_sub(self.addr()).wrapping_byte_add(addr)
	self.mask(0).wrapping_byte_add(addr)

That's again just two IR instructions (https://rust.godbolt.org/z/EeraoxKnh), and it has the bonus of never doing a ptrtoint.

Any thoughts on whether that's reasonable or horrible, @nikic?

[nikic]

That's very horrible. ptrmask has about zero optimization support.

[WaffleLapkin]

@nikic why is it not CHERI compatible, does it not allow to temporary create invalid pointers? 🤔

[nikic]

@nikic why is it not CHERI compatible, does it not allow to temporary create invalid pointers? thinking

I don't think so, but probably @jrtc27 can clarify.

[jrtc27]

This will take the pointer temporarily way out of bounds, which is not supported on CHERI due to the bounds compression scheme in use. Depending on what IR this maps to I would expect LLVM to be able to perform the transformation you want on non-CHERI architectures for you.

[WaffleLapkin]

This will take the pointer temporarily way out of bounds, which is not supported on CHERI due to the bounds compression scheme in use.

Well, TIL. Does this also mean that no pointer tagging is ever possible on CHERI?

Anyway, I'm not particularly attached to this change. IMO it is a bit nicer code-wise and looks more logical to me. But if it adds problems for CHERI and even LLVM, we can just close this (especially given the candidate patch which should probably fix the original issue).

[jrtc27]

This will take the pointer temporarily way out of bounds, which is not supported on CHERI due to the bounds compression scheme in use.

Well, TIL. Does this also mean that no pointer tagging is ever possible on CHERI?

Anyway, I'm not particularly attached to this change. IMO it is a bit nicer code-wise and looks more logical to me. But if it adds problems for CHERI and even LLVM, we can just close this (especially given the candidate patch which should probably fix the original issue).

Pointer tagging works provided you use low bits. Some implementations may also provide a way to set high bits without affecting bounds (e.g. as seen in Morello) but that is not portable across CHERI implementations. If you want to start performing arbitrary transformations on addresses and expect to be able to recover a usable pointer then CHERI cannot do that in its current form due to the compression scheme employed (we used to have an uncompressed variant that could, but quadrupling the pointer size is rather less acceptable than merely doubling).

[WaffleLapkin]

Pointer tagging works provided you use low bits.

Can't this also move the pointer out of the allocation? Or is the change of value in low bits small enough that it doesn't break compression?

[jrtc27]

Pointer tagging works provided you use low bits.

Can't this also move the pointer out of the allocation?

Yes.

Or is the change of value in low bits small enough that it doesn't break compression?

Yes. Note I said way out of bounds before, not just out of bounds. The architecture gives you 1/8th range either side (one direction is in fact 1/4, though I forget if above or below), with a minimum for small allocations that varies based on the number of bits of precision used (think mantissa width for floating point), but is on the order of KiB for all current 64-bit implementations.

(I’m ignoring Microsoft’s CHERIoT here which is far stricter and thus more hostile to code that likes to play games with pointers, but can get away with it due to being used in an embedded context where you have much greater control over the code being compiled and people are more willing to adapt to weird and wonderful architectures)

[WaffleLapkin]

@jrtc27 I see, thanks for the explanation! <3

[WaffleLapkin]

Closing as per the concerns above, given that LLVM issue was fixed.