Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

cbeuw · 2023-11-25T13:52:51Z

Fuzzer generated custom MIR. Apologies I couldn't reduce it much further:

#![feature(custom_mir, core_intrinsics)]
#![allow(unused_parens, unused_assignments)]
extern crate core;
use core::intrinsics::mir::*;

fn print() {
    println!("here");
}
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn0() -> Adt58 {
    mir! {
    type RET = Adt58;
    let _26: ();
    {
    Call(RET.fld7.2 = fn1(), bb10, UnwindUnreachable())
    }
    bb10 = {
    Call(_26 = print(), bb11, UnwindUnreachable())
    }
    bb11 = {
    Return()
    }

    }
}
#[custom_mir(dialect = "runtime", phase = "initial")]
fn fn1() -> ((usize, u32, isize),) {
    mir! {
    type RET = ((usize, u32, isize),);
    let r: isize;
    let _12: Adt58;
    {
    RET.0 = (5_usize, 3938888967_u32, 121_isize);
    _12.fld0.0 = core::ptr::addr_of_mut!(RET.0.2);
    Call(r = fn6(_12.fld0.0), bb2, UnwindUnreachable())
    }
    bb2 = {
    Return()
    }
    }
}
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn6(mut _1: *mut isize) -> isize {
    mir! {
    let _6: *mut isize;
    let _11: [i8; 8];
    let _12: isize;
    let _19: Adt63;
    let _20: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64);
    let _23: (u128, [i128; 2]);
    let _24: Adt49;
    let _26: f32;
    {
    _6 = _1;
    Goto(bb1)
    }
    bb1 = {
    _12 = -(*_1);
    Call(_11 = core::intrinsics::transmute((*_1)), bb5, UnwindUnreachable())
    }
    bb5 = {
    _19.fld5.fld7.1 = (15794702092393743318_usize, 3565415235_u32, _12);
    _19.fld5.fld7.2.0 = _19.fld5.fld7.1;
    _1 = _6;
    _20.2 = _19.fld5.fld7.2;
    match _20.2.0.0 {
    0 => bb1,
    15794702092393743318 => bb6,
    _ => bb5
    }
    }
    bb6 = {
    _19.fld5.fld5 = _20.2.0.0;
    Call(_19.fld5.fld7.3 = fn7(_1, _1), bb7, UnwindUnreachable())
    }
    bb7 = {
    _24 = Adt49::Variant0 { fld0: _19.fld5.fld5,fld1: _23,fld2: _23.0,fld3: 0 };
    _19.fld0 = Adt60::Variant3 { fld0: 0,fld1: (-2414910124516489307_i64),fld2: 10387225622116096231080460783541968851_i128,fld3: _26,fld4: 275_i16 };
    _6 = core::ptr::addr_of_mut!(_19.fld5.fld7.1.2);
    _19.fld5.fld0 = (_1,);
    Goto(bb8)
    }
    bb8 = {
    match Field::<i128>(Variant(_19.fld0, 3), 2) {
    10387225622116096231080460783541968851 => bb10,
    _ => bb5
    }
    }
    bb10 = {
    match Field::<usize>(Variant(_24, 0), 0) {
    15794702092393743318 => bb11,
    _ => bb5
    }
    }
    bb11 = {
    Return()
    }

    }
}
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn7(
    mut _1: *mut isize,
    mut _2: *mut isize,
) -> u64 {
    mir! {
    let _7: (u8, (*mut isize,), i16, i8, i64, (usize, u32, isize));
    let _8: f64;
    let _10: f32;
    let _11: i32;
    let _12: [i128; 2];
    let _13: isize;
    let _14: isize;
    let _17: ((isize, f64), i8);
    let _20: isize;
    let _21: Adt63;
    {
    _7.4 = !3370110814453801772_i64;
    _7.5.0 = 7_usize & 1304353824105351931_usize;
    _8 = 0.;
    _7.5.2 = _8 as isize;
    _7.5 = (3302905616188524396_usize, 1150340430_u32, (-9223372036854775808_isize));
    _7.1.0 = core::ptr::addr_of_mut!((*_2));
    _7.5.2 = _8 as isize;
    _7.2 = -29299_i16;
    _7.3 = 40_i8;
    _7.2 = (-1339_i16);
    _7.3 = (-44_i8) * (-68_i8);
    _7.1.0 = core::ptr::addr_of_mut!(_7.5.2);
    _7.5 = (6_usize, 1690308138_u32, (-9223372036854775808_isize));
    _7.0 = 227_u8;
    _7.4 = (-8049829723332252308_i64);
    _7.3 = _7.0 as i8;
    _7.5.2 = 9223372036854775807_isize;
    _7.0 = 207_u8;
    (*_2) = _7.0 as isize;
    RET = 0;
    _7.3 = _7.5.1 as i8;
    _7.1 = (_1,);
    _7.5 = (3231788080604669159_usize, 268874823_u32, (-9223372036854775808_isize));
    _7.1 = (_2,);
    (*_2) = (-9223372036854775808_isize);
    _10 = (*_2) as f32;
    _7.1 = (_2,);
    _7.5.1 = 1559352357_u32;
    (*_1) = 9223372036854775807_isize - (-9223372036854775808_isize);
    _7.5 = (12370566778207505070_usize, 1393399085_u32, (-59_isize));
    _7.5.0 = 1_usize & 5_usize;
    _7.2 = !17549_i16;
    _7.5.0 = !2_usize;
    _13 = !(*_2);
    _17.0.0 = (-159775293299709533892712067148515424088_i128) as isize;
    _7.1.0 = _2;
    _14 = _7.5.2;
    Call(_7.5.2 = core::intrinsics::bswap(_14), bb7, UnwindUnreachable())
    }
    bb7 = {
    _7.1.0 = _2;
    _7.5.0 = 0_usize & 5_usize;
    (*_2) = _7.3 as isize;
    _7.0 = !14_u8;
    _7.3 = RET as i8;
    Call((*_2) = core::intrinsics::transmute(_7.4), bb8, UnwindUnreachable())
    }
    bb8 = {
    _7.0 = !188_u8;
    _20 = !_7.5.2;
    _7.2 = _10 as i16;
    _11 = !585373290_i32;
    (*_2) = _17.0.0 * _17.0.0;
    _21.fld2.0 = [(-78467358730145228102713254453611538061_i128),(-76811762829508806080346431520353784840_i128)];
    _21.fld5.fld7.1.1 = _7.5.1 % _7.5.1;
    _21.fld5.fld7.2.0.1 = !_21.fld5.fld7.1.1;
    _21.fld5.fld5 = _7.5.0 & _7.5.0;
    _21.fld4 = core::ptr::addr_of!(_7.2);
    (*_2) = !_20;
    _21.fld2.1.1 = _21.fld5.fld7.1.1;
    _21.fld5.fld7.1.2 = _11 as isize;
    _21.fld5.fld7.1 = _7.5;
    _21.fld5.fld7.2.0.0 = _21.fld5.fld7.1.0 + _21.fld5.fld7.1.0;
    _21.fld2.1.1 = !_21.fld5.fld7.2.0.1;
    _21.fld5.fld7.2.0 = (_7.5.0, _7.5.1, _13);
    _21.fld2.1 = (_21.fld5.fld7.2.0.0, _7.5.1, _7.5.2);
    place!(Field::<(((usize, u32, isize),),)>(Variant(_21.fld0, 1), 4)).0.0 = (_21.fld2.1.0, _21.fld5.fld7.2.0.1, _14);
    _21.fld5.fld4 = Move(Field::<Adt58>(Variant(_21.fld0, 1), 3).fld4);
    place!(Field::<Adt58>(Variant(_21.fld0, 1), 3)).fld7 = (_12, Field::<(((usize, u32, isize),),)>(Variant(_21.fld0, 1), 4).0.0, _21.fld5.fld7.2, RET);
    RET = Field::<Adt58>(Variant(_21.fld0, 1), 3).fld7.1.0 as u64;
    _21.fld5.fld2 = core::ptr::addr_of!(place!(Field::<i128>(Variant(_21.fld0, 1), 1)));
    Return()
    }

    }
}
pub fn main() {
    fn0();
}
#[derive(Debug, Copy, Clone)]
pub enum Adt49 {
    Variant0 {
        fld0: usize,
        fld1: (u128, [i128; 2]),
        fld2: u128,
        fld3: u16,
    },
    Variant1 {},
}
#[derive(Debug)]
pub struct Adt51 {
    fld2: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
    fld3: [i128; 6],
}
#[derive(Debug)]
pub struct Adt52 {}
#[derive(Debug)]
pub enum Adt53 {
    Variant0 { fld3: Adt51 },
    Variant1 {},
    Variant2 {},
}
#[derive(Debug)]
pub struct Adt56 {}
#[derive(Debug)]
pub struct Adt58 {
    fld0: (*mut isize,),
    fld1: (bool,),
    fld2: *const i128,
    fld4: Adt53,
    fld5: usize,
    fld7: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
}
#[derive(Debug)]
pub enum Adt60 {
    Variant0 {},
    Variant1 {
        fld0: [u64; 2],
        fld1: i128,
        fld2: usize,
        fld3: Adt58,
        fld4: (((usize, u32, isize),),),
    },
    Variant2 {},
    Variant3 {
        fld0: u16,
        fld1: i64,
        fld2: i128,
        fld3: f32,
        fld4: i16,
    },
}
#[derive(Debug)]
pub struct Adt63 {
    fld0: Adt60,
    fld2: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
    fld4: *const i16,
    fld5: Adt58,
}

$ rustc -Zmir-opt-level=2 -Copt-level=2 repro.rs && ./repro
here
$ rustc -Zmir-opt-level=3 -Copt-level=2 repro.rs && ./repro
Segmentation fault (core dumped)

(the segfault is from the compiled program, not the compiler)

Miri reports no UB under Tree Borrows.

$ rustc --version -v
rustc 1.76.0-nightly (a1a37735c 2023-11-23)
binary: rustc
commit-hash: a1a37735cbc3db359d0b24ba9085c9fcbe1bc274
commit-date: 2023-11-23
host: x86_64-unknown-linux-gnu
release: 1.76.0-nightly
LLVM version: 17.0.5

saethlin · 2023-11-25T15:53:26Z

I can minimize the MIR opts to:

rustc +nightly -Zmir-opt-level=0 -Zmir-enable-passes=+EnumSizeOpt -Copt-level=2 repro.rs && ./repro

saethlin · 2023-11-25T16:00:50Z

EnumSizeOpt has this strange is_enabled predicate:

        sess.opts.unstable_opts.unsound_mir_opts || sess.mir_opt_level() >= 3

which I do not understand. If the pass is unsound, -Zunsound-mir-opts should be required regardless of -Zmir-opt-level.

That logic is original to the PR where this pass was merged: #85158

where @wesleywiser said this:

Having said of that, our policy right now is to be willing to merge new MIR passes that are disabled by default and give them time to mature in-tree.

So I suppose this pass has matured in-tree?

asquared31415 · 2023-11-25T21:08:32Z

Miri is reporting UB with or without TB on rustc 1.76.0-nightly (37b2813a7 2023-11-24).

cbeuw · 2023-11-25T21:24:48Z

Oops indeed my unreduced program also has UB. I have disabled a validation I shouldn't have. Closing this issue for now

rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Nov 25, 2023

rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Nov 25, 2023

saethlin changed the title ~~Segfault from mir-opt-level >= 3~~ Segfault from mir-opt-level >= 3 (EnumSizeOpt) Nov 25, 2023

cbeuw closed this as completed Nov 25, 2023

cbeuw closed this as not planned Won't fix, can't repro, duplicate, stale Nov 25, 2023

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

cbeuw commented Nov 25, 2023 •

edited

Loading

saethlin commented Nov 25, 2023 •

edited

Loading

saethlin commented Nov 25, 2023

asquared31415 commented Nov 25, 2023

cbeuw commented Nov 25, 2023

Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

Comments

cbeuw commented Nov 25, 2023 • edited Loading

saethlin commented Nov 25, 2023 • edited Loading

saethlin commented Nov 25, 2023

asquared31415 commented Nov 25, 2023

cbeuw commented Nov 25, 2023

cbeuw commented Nov 25, 2023 •

edited

Loading

saethlin commented Nov 25, 2023 •

edited

Loading