Miri: non-deterministic floating point operations in `foreign_items` #143906

LorrensP-2158466 · 2025-07-13T20:52:02Z

Part of rust-lang/miri/#3555, this pr does the foreign_items work.

Some things have changed since #138062 and #142514. I moved the "helpers" used for creating fixed outputs and clamping operations to their defined ranges to math.rs. These are now also extended to handle the floating-point operations in foreign_items. Tests in miri/tests/float.rs were changed/added.

Failing tests in std were extracted, run under miri with -Zmiri-many-seeds=0..1000 and changed accordingly. Double checked with -Zmiri-many-seeds.

I noticed that the C standard doesn't specify the output ranges for all of its mathematical operations; it just specifies them as:

Returns
The sinh functions return sinh x.

So I used Wolfram|Alpha.

rustbot · 2025-07-13T20:52:07Z

r? @tgross35

rustbot has assigned @tgross35.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

rustbot · 2025-07-13T20:52:09Z

The Miri subtree was changed

cc @rust-lang/miri

LorrensP-2158466 · 2025-07-13T20:52:48Z

There are some holes in the behaviour of some operations, because I did not know how I could efficiently handle them, I'll mark them and add some explanation.

Also,
r? @RalfJung

src/tools/miri/src/helpers.rs

src/tools/miri/tests/pass/float.rs

src/tools/miri/src/helpers.rs

oli-obk · 2025-07-14T08:02:47Z

Please create a PR for the libstd changes on their own so a libs reviewer can review it. Once that is done and synced, you can open a PR against the miri repo with the miri changes.

RalfJung · 2025-07-14T10:43:28Z

In a previous PR we had both in one PR with two reviewers since we needed to go back and forth a bit. We could do that again? I think it worked well.

LorrensP-2158466 · 2025-07-14T10:57:32Z

It's the same for me, I kept the commits for Miri and stdlib separate, so if I have to split it up, it's pretty straightforward.

RalfJung · 2025-07-14T11:59:03Z

🤷 I'm also fine either way, it'll just be a bunch of work to port the commits to the Miri repo.

I noticed that the C standard doesn't specify the output ranges for all of its mathematical operations; it just specifies them as:

Functions where C does not give an output range shouldn't get their value clamped, I would say.

src/tools/miri/src/helpers.rs

RalfJung · 2025-07-14T12:00:38Z

I moved the "helpers" used for creating fixed outputs and clamping operations to their defined ranges to helpers.rs. These are now also extended to handle the floating-point operations in foreign_items. Tests in miri/tests/float.rs were changed/added.

Please don't, that file is already too big.^^

If the helpers are only needed in one file, keep them there.
Otherwise, add them in src/tools/miri/src/math.rs.

src/tools/miri/src/math.rs

LorrensP-2158466 · 2025-07-14T20:17:29Z

Reopening.

LorrensP-2158466 · 2025-07-14T20:35:25Z

Functions where C does not give an output range shouldn't get their value clamped, I would say.

You're right, but this has some consequences. For example, the sin operation doesn't have an explicitly defined fixed output range, yet we guarantee and test this in Miri: rust-lang/miri#4207.

The C standard for the return values of sin is:

Returns
The sin functions return sin x.

The range of sine x is [-1, 1], but is not explicitly defined.

But asin has the following description:

Returns
The asin functions return arcsin x in the interval [−π/2, +π/2] radians.

I think we have 2 approaches:

We say this is implementation-defined and revert all the clamps that are not explicitly defined
We implicitly read the mathematically defined output ranges of those operations.

tgross35 · 2025-07-14T21:19:33Z

If we run into libm implementations that can't even guarantee to return a value within the math function's output domain, tbh I would consider that downright broken and worthy of a bug report, or strong reason to just always use our libm on that platform. I'd be a bit hesitant to encourage users to think about this via Miri unless we think there is a chance this is actually a problem in practice (do we know of any platforms where this has been a problem?).

If it's mostly a concern about following the specification to the letter, I think it might be worth a defect report to see if the C committee is willing to codeify the output domain.

RalfJung · 2025-07-14T21:20:02Z

I think we have 2 approaches:

I would suggest a third:

We do this kind of clamping wherever C mandates it, plus wherever it is easy and/or useful. So, fine to do it for sin and cos, but not for the gamma function ;)

RalfJung · 2025-07-14T21:21:23Z

But asin has the following description:

The arcsin function likely states this not as a means of guaranteeing precision, but because the inverse sine of x is under-defined -- infinitely many different inputs map to x (for x in [-1, 1]). By giving the interval, the answer becomes uniquely defined.

rustbot · 2025-08-06T15:22:05Z

⚠️ Warning ⚠️

This PR is based on an upstream commit that is 18 days old.

It's recommended to update your branch according to the rustc-dev-guide.

LorrensP-2158466 · 2025-08-06T19:07:41Z

Now that I think of it, did you mean without --keep-base?

RalfJung · 2025-08-06T20:48:47Z

No, --keep-base is fine. GH CI still checks your branch merged with latest master so I think the bot is a bit overeager here.

Thanks!
@bors r+

bors · 2025-08-06T20:48:49Z

📌 Commit 71add2f has been approved by RalfJung

It is now in the queue for this repository.

…-foreign-items, r=RalfJung Miri: non-deterministic floating point operations in `foreign_items` Part of [rust-lang/miri/rust-lang#3555](rust-lang/miri#3555 (comment)), this pr does the `foreign_items` work. Some things have changed since rust-lang#138062 and rust-lang#142514. I moved the "helpers" used for creating fixed outputs and clamping operations to their defined ranges to `math.rs`. These are now also extended to handle the floating-point operations in `foreign_items`. Tests in `miri/tests/float.rs` were changed/added. Failing tests in `std` were extracted, run under miri with `-Zmiri-many-seeds=0..1000` and changed accordingly. Double checked with `-Zmiri-many-seeds`. I noticed that the C standard doesn't specify the output ranges for all of its mathematical operations; it just specifies them as: ``` Returns The sinh functions return sinh x. ``` So I used [Wolfram|Alpha](https://www.wolframalpha.com/).

Rollup of 20 pull requests Successful merges: - #137831 (Tweak auto trait errors) - #143028 (emit `StorageLive` and schedule `StorageDead` for `let`-`else`'s bindings after matching) - #143764 (lower pattern bindings in the order they're written and base drop order on primary bindings' order) - #143808 (Port `#[should_panic]` to the new attribute parsing infrastructure ) - #143906 (Miri: non-deterministic floating point operations in `foreign_items`) - #143929 (Mark all deprecation lints in name resolution as deny-by-default and report-in-deps) - #144133 (Stabilize const TypeId::of) - #144439 (Introduce ModernIdent type to unify macro 2.0 hygiene handling) - #144473 (Address libunwind.a inconsistency issues in the bootstrap program) - #144659 (bootstrap: refactor mingw dist and fix gnullvm) - #144705 (compiler-builtins: plumb LSE support for aarch64 on linux/gnu when optimized-compiler-builtins not enabled) - #144807 (Streamline config in bootstrap) - #144900 (Stabilize `unsigned_signed_diff` feature) - #144903 (Rename `begin_panic_handler` to `panic_handler`) - #144931 ([win][arm64ec] Fix msvc-wholearchive for Arm64EC) - #144974 (compiler-builtins subtree update) - #144997 (bump bootstrap compiler to 1.90 beta) - #145004 (Couple of minor cleanups) - #145009 (A couple small changes for rust-analyzer next-solver work) - #145014 (Revert "Preserve the .debug_gdb_scripts section") r? `@ghost` `@rustbot` modify labels: rollup

Rollup of 19 pull requests Successful merges: - #137831 (Tweak auto trait errors) - #138689 (add nvptx_target_feature) - #140267 (implement continue_ok and break_ok for ControlFlow) - #143028 (emit `StorageLive` and schedule `StorageDead` for `let`-`else`'s bindings after matching) - #143764 (lower pattern bindings in the order they're written and base drop order on primary bindings' order) - #143808 (Port `#[should_panic]` to the new attribute parsing infrastructure ) - #143906 (Miri: non-deterministic floating point operations in `foreign_items`) - #143929 (Mark all deprecation lints in name resolution as deny-by-default and report-in-deps) - #144133 (Stabilize const TypeId::of) - #144369 (Upgrade semicolon_in_expressions_from_macros from warn to deny) - #144439 (Introduce ModernIdent type to unify macro 2.0 hygiene handling) - #144473 (Address libunwind.a inconsistency issues in the bootstrap program) - #144601 (Allow `cargo fix` to partially apply `mismatched_lifetime_syntaxes`) - #144650 (Additional tce tests) - #144659 (bootstrap: refactor mingw dist and fix gnullvm) - #144682 (Stabilize `strict_overflow_ops`) - #145026 (Update books) - #145033 (Reimplement `print_region` in `type_name.rs`.) - #145040 (rustc-dev-guide subtree update) Failed merges: - #143857 (Port #[macro_export] to the new attribute parsing infrastructure) r? `@ghost` `@rustbot` modify labels: rollup

Rollup merge of #143906 - LorrensP-2158466:miri-float-nondet-foreign-items, r=RalfJung Miri: non-deterministic floating point operations in `foreign_items` Part of [rust-lang/miri/#3555](rust-lang/miri#3555 (comment)), this pr does the `foreign_items` work. Some things have changed since #138062 and #142514. I moved the "helpers" used for creating fixed outputs and clamping operations to their defined ranges to `math.rs`. These are now also extended to handle the floating-point operations in `foreign_items`. Tests in `miri/tests/float.rs` were changed/added. Failing tests in `std` were extracted, run under miri with `-Zmiri-many-seeds=0..1000` and changed accordingly. Double checked with `-Zmiri-many-seeds`. I noticed that the C standard doesn't specify the output ranges for all of its mathematical operations; it just specifies them as: ``` Returns The sinh functions return sinh x. ``` So I used [Wolfram|Alpha](https://www.wolframalpha.com/).

Rollup of 19 pull requests Successful merges: - rust-lang/rust#137831 (Tweak auto trait errors) - rust-lang/rust#138689 (add nvptx_target_feature) - rust-lang/rust#140267 (implement continue_ok and break_ok for ControlFlow) - rust-lang/rust#143028 (emit `StorageLive` and schedule `StorageDead` for `let`-`else`'s bindings after matching) - rust-lang/rust#143764 (lower pattern bindings in the order they're written and base drop order on primary bindings' order) - rust-lang/rust#143808 (Port `#[should_panic]` to the new attribute parsing infrastructure ) - rust-lang/rust#143906 (Miri: non-deterministic floating point operations in `foreign_items`) - rust-lang/rust#143929 (Mark all deprecation lints in name resolution as deny-by-default and report-in-deps) - rust-lang/rust#144133 (Stabilize const TypeId::of) - rust-lang/rust#144369 (Upgrade semicolon_in_expressions_from_macros from warn to deny) - rust-lang/rust#144439 (Introduce ModernIdent type to unify macro 2.0 hygiene handling) - rust-lang/rust#144473 (Address libunwind.a inconsistency issues in the bootstrap program) - rust-lang/rust#144601 (Allow `cargo fix` to partially apply `mismatched_lifetime_syntaxes`) - rust-lang/rust#144650 (Additional tce tests) - rust-lang/rust#144659 (bootstrap: refactor mingw dist and fix gnullvm) - rust-lang/rust#144682 (Stabilize `strict_overflow_ops`) - rust-lang/rust#145026 (Update books) - rust-lang/rust#145033 (Reimplement `print_region` in `type_name.rs`.) - rust-lang/rust#145040 (rustc-dev-guide subtree update) Failed merges: - rust-lang/rust#143857 (Port #[macro_export] to the new attribute parsing infrastructure) r? `@ghost` `@rustbot` modify labels: rollup

Kobzol · 2025-08-08T17:14:52Z

This (probably) caused non-deterministic failures on CI: #144787 (comment). I'll post a revert.

…t-nondet-foreign-items, r=RalfJung" This reverts commit 71f0469, reversing changes made to 995ca3e.

Revert #143906 try-job: x86_64-gnu-aux

LorrensP-2158466 · 2025-08-08T17:23:03Z

Weird how that one wasn't caught with many-seeds.

I'll run a much larger seed ranges this weekend to fetch them out. Or I can add the Miri constant to every approx_eq test.

Revert #143906 This reverts commit 71f0469, reversing changes made to 995ca3e. Reverts #143906, which was merged in #145043. It seems like it is causing test failures on CI that block merges (#144787 (comment). try-job: x86_64-gnu-aux

Revert #143906 This reverts commit 71f04692c32e181ab566c01942f1418dec8662d4, reversing changes made to 995ca3e532b48b689567533e6b736675e38b741e. Reverts rust-lang/rust#143906, which was merged in rust-lang/rust#145043. It seems like it is causing test failures on CI that block merges (rust-lang/rust#144787 (comment). try-job: x86_64-gnu-aux

Rollup of 19 pull requests Successful merges: - rust-lang/rust#137831 (Tweak auto trait errors) - rust-lang/rust#138689 (add nvptx_target_feature) - rust-lang/rust#140267 (implement continue_ok and break_ok for ControlFlow) - rust-lang/rust#143028 (emit `StorageLive` and schedule `StorageDead` for `let`-`else`'s bindings after matching) - rust-lang/rust#143764 (lower pattern bindings in the order they're written and base drop order on primary bindings' order) - rust-lang/rust#143808 (Port `#[should_panic]` to the new attribute parsing infrastructure ) - rust-lang/rust#143906 (Miri: non-deterministic floating point operations in `foreign_items`) - rust-lang/rust#143929 (Mark all deprecation lints in name resolution as deny-by-default and report-in-deps) - rust-lang/rust#144133 (Stabilize const TypeId::of) - rust-lang/rust#144369 (Upgrade semicolon_in_expressions_from_macros from warn to deny) - rust-lang/rust#144439 (Introduce ModernIdent type to unify macro 2.0 hygiene handling) - rust-lang/rust#144473 (Address libunwind.a inconsistency issues in the bootstrap program) - rust-lang/rust#144601 (Allow `cargo fix` to partially apply `mismatched_lifetime_syntaxes`) - rust-lang/rust#144650 (Additional tce tests) - rust-lang/rust#144659 (bootstrap: refactor mingw dist and fix gnullvm) - rust-lang/rust#144682 (Stabilize `strict_overflow_ops`) - rust-lang/rust#145026 (Update books) - rust-lang/rust#145033 (Reimplement `print_region` in `type_name.rs`.) - rust-lang/rust#145040 (rustc-dev-guide subtree update) Failed merges: - rust-lang/rust#143857 (Port #[macro_export] to the new attribute parsing infrastructure) r? `@ghost` `@rustbot` modify labels: rollup

…-foreign-items, r=RalfJung Miri: non-deterministic floating point operations in `foreign_items` Part of [rust-lang/miri/rust-lang#3555](rust-lang/miri#3555 (comment)), this pr does the `foreign_items` work. Some things have changed since rust-lang#138062 and rust-lang#142514. I moved the "helpers" used for creating fixed outputs and clamping operations to their defined ranges to `math.rs`. These are now also extended to handle the floating-point operations in `foreign_items`. Tests in `miri/tests/float.rs` were changed/added. Failing tests in `std` were extracted, run under miri with `-Zmiri-many-seeds=0..1000` and changed accordingly. Double checked with `-Zmiri-many-seeds`. I noticed that the C standard doesn't specify the output ranges for all of its mathematical operations; it just specifies them as: ``` Returns The sinh functions return sinh x. ``` So I used [Wolfram|Alpha](https://www.wolframalpha.com/).

Rollup of 19 pull requests Successful merges: - rust-lang#137831 (Tweak auto trait errors) - rust-lang#138689 (add nvptx_target_feature) - rust-lang#140267 (implement continue_ok and break_ok for ControlFlow) - rust-lang#143028 (emit `StorageLive` and schedule `StorageDead` for `let`-`else`'s bindings after matching) - rust-lang#143764 (lower pattern bindings in the order they're written and base drop order on primary bindings' order) - rust-lang#143808 (Port `#[should_panic]` to the new attribute parsing infrastructure ) - rust-lang#143906 (Miri: non-deterministic floating point operations in `foreign_items`) - rust-lang#143929 (Mark all deprecation lints in name resolution as deny-by-default and report-in-deps) - rust-lang#144133 (Stabilize const TypeId::of) - rust-lang#144369 (Upgrade semicolon_in_expressions_from_macros from warn to deny) - rust-lang#144439 (Introduce ModernIdent type to unify macro 2.0 hygiene handling) - rust-lang#144473 (Address libunwind.a inconsistency issues in the bootstrap program) - rust-lang#144601 (Allow `cargo fix` to partially apply `mismatched_lifetime_syntaxes`) - rust-lang#144650 (Additional tce tests) - rust-lang#144659 (bootstrap: refactor mingw dist and fix gnullvm) - rust-lang#144682 (Stabilize `strict_overflow_ops`) - rust-lang#145026 (Update books) - rust-lang#145033 (Reimplement `print_region` in `type_name.rs`.) - rust-lang#145040 (rustc-dev-guide subtree update) Failed merges: - rust-lang#143857 (Port #[macro_export] to the new attribute parsing infrastructure) r? `@ghost` `@rustbot` modify labels: rollup

…t-nondet-foreign-items, r=RalfJung" This reverts commit 71f0469, reversing changes made to 995ca3e.

rustbot assigned tgross35 Jul 13, 2025

rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jul 13, 2025

rustbot assigned RalfJung and unassigned tgross35 Jul 13, 2025