1c3t3a
Member

@1c3t3a 1c3t3a commented Dec 17, 2024

Similar to how the alignment is already checked, this adds a check
for null pointer dereferences in debug mode. It is implemented similarly
to the alignment check as a MirPass.

This inserts checks in the same places as the `CheckAlignment` pass and additionally
also inserts checks for `Borrows`, so code like

```rust
let ptr: *const u32 = std::ptr::null();
let val: &u32 = unsafe { &*ptr };
```

will have a check inserted on dereference. This is done because null references
are UB. The alignment check doesn't cover these places, because in `&(*ptr).field`,
the exact requirement is that the final reference must be aligned. This is something to
consider for further enhancements of the alignment check.

For now this is implemented as a separate MirPass, to make it easy to disable
this check if necessary.

This is related to a 2025H1 project goal for better UB checks in debug
mode: rust-lang/rust-project-goals#177.

r? @saethlin
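
A source-level sketch of the two pointer validity checks this thread discusses (null and alignment), written as separate functions so each can be applied on its own. This is an added example, not code from the PR or from rustc; `PtrError`, `check_non_null`, `check_aligned` and `checked_ref` are hypothetical names, and the sample pointers are constructed for the illustration.

```rust
use std::mem::align_of;

/// Why a raw pointer was rejected (hypothetical type for this example).
#[derive(Debug, PartialEq)]
enum PtrError {
    Null,
    Misaligned { addr: usize, required: usize },
}

/// Null check, kept separate from the alignment check so either can be used alone.
fn check_non_null<T>(ptr: *const T) -> Result<(), PtrError> {
    if ptr.is_null() { Err(PtrError::Null) } else { Ok(()) }
}

/// Alignment check: the address must be a multiple of `align_of::<T>()`.
fn check_aligned<T>(ptr: *const T) -> Result<(), PtrError> {
    let (addr, required) = (ptr as usize, align_of::<T>());
    if addr % required == 0 { Ok(()) } else { Err(PtrError::Misaligned { addr, required }) }
}

/// Stand-in for `&*ptr` that validates the pointer before the reference exists.
///
/// # Safety
/// A non-null, aligned `ptr` must still point to a live, initialized `T`
/// that stays valid for `'a`; these checks cannot prove that.
unsafe fn checked_ref<'a, T>(ptr: *const T) -> Result<&'a T, PtrError> {
    check_non_null(ptr)?;
    check_aligned(ptr)?;
    Ok(unsafe { &*ptr })
}

fn main() {
    // The case from the PR description: borrowing through a null pointer.
    let null: *const u32 = std::ptr::null();
    println!("null:       {:?}", unsafe { checked_ref(null) });

    // Constructed misaligned pointer: one byte past a u32-aligned address.
    let words = [0x1122_3344u32, 0x5566_7788];
    let odd = (words.as_ptr() as *const u8).wrapping_add(1) as *const u32;
    println!("misaligned: {:?}", unsafe { checked_ref(odd) });

    // A pointer that passes both checks.
    println!("valid:      {:?}", unsafe { checked_ref(&words[1] as *const u32) });
}
```
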

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Dec 17, 2024
@rustbot
Collaborator

rustbot commented Dec 17, 2024

This PR changes Stable MIR

cc @oli-obk, @celinval, @ouz-a

This PR changes MIR

cc @oli-obk, @RalfJung, @JakobDegen, @davidtwco, @celinval, @vakaras

Some changes occurred to the CTFE machinery

cc @rust-lang/wg-const-eval

Some changes occurred to MIR optimizations

cc @rust-lang/wg-mir-opt

Some changes occurred in compiler/rustc_codegen_cranelift

cc @bjorn3

rust-analyzer is developed in its own repository. If possible, consider making this change to rust-lang/rust-analyzer instead.

cc @rust-lang/rust-analyzer

@oli-obk
Contributor

oli-obk commented Dec 17, 2024

@bors try @rust-timer queue


@rustbot rustbot added the S-waiting-on-perf Status: Waiting on a perf run to be completed. label Dec 17, 2024
@bors
Collaborator

bors commented Dec 17, 2024

⌛ Trying commit 52b1360 with merge 61e98dc...


@bors
Collaborator

bors commented Dec 17, 2024

☀️ Try build successful - checks-actions
Build commit: 61e98dc (61e98dc17f0786f1c120ea5366e1680772b3aa14)


@rust-timer
Collaborator

Finished benchmarking commit (61e98dc): comparison URL.

Overall result: no relevant changes - no action needed

Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf.

@bors rollup=never
@rustbot label: -S-waiting-on-perf -perf-regression

Instruction count

This benchmark run did not return any relevant results for this metric.

Max RSS (memory usage)

Results (primary 3.0%, secondary 3.8%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | 3.0% | [2.6%, 3.5%] | 2 |
| Regressions ❌ (secondary) | 3.8% | [2.4%, 5.1%] | 2 |
| Improvements ✅ (primary) | - | - | 0 |
| Improvements ✅ (secondary) | - | - | 0 |
| All ❌✅ (primary) | 3.0% | [2.6%, 3.5%] | 2 |

Cycles

Results (secondary -3.4%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | - | - | 0 |
| Regressions ❌ (secondary) | - | - | 0 |
| Improvements ✅ (primary) | - | - | 0 |
| Improvements ✅ (secondary) | -3.4% | [-3.4%, -3.4%] | 1 |
| All ❌✅ (primary) | - | - | 0 |

Binary size

Results (primary -0.1%, secondary -0.1%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

| | mean | range | count |
|---|---|---|---|
| Regressions ❌ (primary) | 0.1% | [0.0%, 0.3%] | 10 |
| Regressions ❌ (secondary) | - | - | 0 |
| Improvements ✅ (primary) | -0.2% | [-0.6%, -0.1%] | 9 |
| Improvements ✅ (secondary) | -0.1% | [-0.1%, -0.1%] | 1 |
| All ❌✅ (primary) | -0.1% | [-0.6%, 0.3%] | 19 |

Bootstrap: 768.397s -> 772.491s (0.53%)
Artifact size: 330.36 MiB -> 330.37 MiB (0.00%)

@rustbot rustbot removed the S-waiting-on-perf Status: Waiting on a perf run to be completed. label Dec 17, 2024

@1c3t3a 1c3t3a requested review from RalfJung and saethlin December 20, 2024 22:41

@saethlin
Member

saethlin commented Dec 21, 2024

For PRs like this that change codegen, `x test ui` is almost always better to work off than trying to look at CI, because running the whole UI test suite will exercise your change on a lot of small programs, so if something in your change is broken it's usually pretty easy to narrow it down.

CI always tests using a stage2 build, so if you break codegen, you'll often get a CI failure while using your new compiler to build itself, which is hard to debug from.

@RalfJung
Member

Is there a specific reason that this is a separate MIR pass from the null ptr check? Together they form the pointer validity checks, so I don't quite see why those would be checked separately.

@1c3t3a
Member Author

1c3t3a commented Dec 27, 2024

> Is there a specific reason that this is a separate MIR pass from the null ptr check? Together they form the pointer validity checks, so I don't quite see why those would be checked separately.

My reasoning here was that these are two separate checks that people maybe want to enable or disable separately (let's say they only like to pay the overhead for alignment and don't care about null). My thinking was that two separate MIR passes solve this problem in the most straightforward way, but I am happy to discuss this.

Labels
merged-by-bors This PR was explicitly merged by bors. perf-regression Performance regression. perf-regression-triaged The performance regression has been triaged. relnotes Marks issues that should be documented in the release notes of the next release. S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-libs Relevant to the library team, which will review and decide on the PR/issue.