Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Exploiting #57893 ICEs Miri #127667

Closed
saethlin opened this issue Jul 12, 2024 · 2 comments
Closed

Exploiting #57893 ICEs Miri #127667

saethlin opened this issue Jul 12, 2024 · 2 comments
Labels
A-const-eval Area: Constant evaluation, covers all const contexts (static, const fn, ...) C-bug Category: This is a bug. I-ICE Issue: The compiler panicked, giving an Internal Compilation Error (ICE) ❄️ T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@saethlin
Copy link
Member

saethlin commented Jul 12, 2024

The following code is the reproducer for #57893, but with a little main to actually run it. I found this example by testing https://crates.io/crates/transmutter.

trait Object<U> {
    type Output;
}

impl<T: ?Sized, U> Object<U> for T {
    type Output = U;
}

fn foo<T: ?Sized, U>(x: <T as Object<U>>::Output) -> U {
    x
}

fn transmute<T, U>(x: T) -> U {
    foo::<dyn Object<U, Output = T>, U>(x)
} 

fn main() {
    transmute::<u8, u16>(0);
}

This ICEs Miri:

thread 'rustc' panicked at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/compiler/rustc_const_eval/src/interpret/terminator.rs:478:9:
assertion `left == right` failed
  left: Layout { size: Size(1 bytes), align: AbiAndPrefAlign { abi: Align(1 bytes), pref: Align(1 bytes) }, abi: Scalar(Initialized { value: Int(I8, false), valid_range: 0..=255 }), fields: Primitive, largest_niche: None, variants: Single { index: 0 }, max_repr_align: None, unadjusted_abi_align: Align(1 bytes) }
 right: Layout { size: Size(2 bytes), align: AbiAndPrefAlign { abi: Align(2 bytes), pref: Align(2 bytes) }, abi: Scalar(Initialized { value: Int(I16, false), valid_range: 0..=65535 }), fields: Primitive, largest_niche: None, variants: Single { index: 0 }, max_repr_align: None, unadjusted_abi_align: Align(2 bytes) }
stack backtrace:
   0:     0x791ede74d655 - std::backtrace_rs::backtrace::libunwind::trace::h7c8130cf668cd2df
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x791ede74d655 - std::backtrace_rs::backtrace::trace_unsynchronized::h0593e29235367313
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x791ede74d655 - std::sys::backtrace::_print_fmt::h9c959c88a5792c72
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:68:5
   3:     0x791ede74d655 - <std::sys::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hb5e9dd9933899cdf
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:44:22
   4:     0x791ede79cd3b - core::fmt::rt::Argument::fmt::hdf68f7545fee2f30
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/fmt/rt.rs:173:76
   5:     0x791ede79cd3b - core::fmt::write::h65925b8134316067
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/fmt/mod.rs:1182:21
   6:     0x791ede741f8f - std::io::Write::write_fmt::h3df49cb2c5fcbe98
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/io/mod.rs:1835:15
   7:     0x791ede74d42e - std::sys::backtrace::_print::h2a2b37094354d148
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:47:5
   8:     0x791ede74d42e - std::sys::backtrace::print::h84df2cea0dec0944
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:34:9
   9:     0x791ede74fd79 - std::panicking::default_hook::{{closure}}::h2483527c2d7a28f6
  10:     0x791ede74fb1c - std::panicking::default_hook::hc23b5282a1966150
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:292:9
  11:     0x791edac2303a - std[e0c9ac1b253a0bb3]::panicking::update_hook::<alloc[6004caa25d76aabb]::boxed::Box<rustc_driver_impl[524901b926d9261b]::install_ice_hook::{closure#0}>>::{closure#0}
  12:     0x791ede75069f - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h5bdb1a0d960811e2
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2078:9
  13:     0x791ede75069f - std::panicking::rust_panic_with_hook::h9eafc41f20d7c2c8
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:804:13
  14:     0x791ede7502c7 - std::panicking::begin_panic_handler::{{closure}}::h9ecaee3d680b9e79
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:670:13
  15:     0x791ede74db19 - std::sys::backtrace::__rust_end_short_backtrace::hfc51790abe5bc525
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:171:18
  16:     0x791ede74ff54 - rust_begin_unwind
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:661:5
  17:     0x791ede7992f3 - core::panicking::panic_fmt::h43c6bf7b4f5c72c3
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/panicking.rs:74:14
  18:     0x791ede7997fe - core::panicking::assert_failed_inner::hc3b929dc1da8123b
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/panicking.rs:410:17
  19:     0x64507640ccf8 - core[d1817cabf3b8b437]::panicking::assert_failed::<rustc_target[7e7b29852472a2f]::abi::Layout, rustc_target[7e7b29852472a2f]::abi::Layout>
  20:     0x6450763fa02f - <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::pass_argument::<core[d1817cabf3b8b437]::iter::adapters::filter::Filter<core[d1817cabf3b8b437]::iter::adapters::zip::Zip<core[d1817cabf3b8b437]::slice::iter::Iter<rustc_const_eval[fa70aa40b61cc382]::interpret::terminator::FnArg<miri[fb90a162573eff15]::machine::Provenance>>, core[d1817cabf3b8b437]::slice::iter::Iter<rustc_target[7e7b29852472a2f]::abi::call::ArgAbi<rustc_middle[f6c758e5256b5404]::ty::Ty>>>, <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::eval_fn_call::{closure#2}>>
  21:     0x645076456965 - <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::eval_fn_call
  22:     0x6450764c77e3 - miri[fb90a162573eff15]::eval::eval_entry
  23:     0x6450763864c9 - <miri[510a8e9519e7aa10]::MiriCompilerCalls as rustc_driver_impl[524901b926d9261b]::Callbacks>::after_analysis
  24:     0x791edd01f50e - rustc_interface[e1b63cfc5891fe09]::interface::run_compiler::<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}
  25:     0x791edcfcaf49 - std[e0c9ac1b253a0bb3]::sys::backtrace::__rust_begin_short_backtrace::<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_with_globals<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_pool_with_globals<rustc_interface[e1b63cfc5891fe09]::interface::run_compiler<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>
  26:     0x791edcfcacfa - <<std[e0c9ac1b253a0bb3]::thread::Builder>::spawn_unchecked_<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_with_globals<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_pool_with_globals<rustc_interface[e1b63cfc5891fe09]::interface::run_compiler<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#2} as core[d1817cabf3b8b437]::ops::function::FnOnce<()>>::call_once::{shim:vtable#0}
  27:     0x791ede75a4fb - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h822ca6d991226ae6
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
  28:     0x791ede75a4fb - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h3705e91470912c31
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
  29:     0x791ede75a4fb - std::sys::pal::unix::thread::Thread::new::thread_start::hd12020e7ee8cf5e8
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/pal/unix/thread.rs:108:17
  30:     0x791ed76a6ded - <unknown>
  31:     0x791ed772a0dc - <unknown>
  32:                0x0 - <unknown>

error: the compiler unexpectedly panicked. this is a bug.

note: we would appreciate a bug report: https://github.com/rust-lang/miri/issues/new

note: please make sure that you have updated to the latest nightly

note: rustc 1.81.0-nightly (5315cbe15 2024-07-11) running on x86_64-unknown-linux-gnu

note: compiler flags: --crate-type bin -C embed-bitcode=no -C debuginfo=2 -C incremental=[REDACTED]

note: some of the compiler flags provided by cargo are hidden

query stack during panic:
end of query stack

Miri caused an ICE during evaluation. Here's the interpreter backtrace at the time of the panic:
note: the place in the program where the ICE was triggered
  --> src/main.rs:9:22
   |
9  | fn foo<T: ?Sized, U>(x: <T as Object<U>>::Output) -> U {
   |                      ^
   |
   = note: BACKTRACE:
   = note: inside `foo::<dyn Object<u16, Output = u8>, u16>` at src/main.rs:9:22: 9:23
note: inside `transmute::<u8, u16>`
  --> src/main.rs:14:5
   |
14 |     foo::<dyn Object<U, Output = T>, U>(x)
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note: inside `main`
  --> src/main.rs:18:5
   |
18 |     transmute::<u8, u16>(0);
   |     ^^^^^^^^^^^^^^^^^^^^^^^
   = note: inside `<fn() as std::ops::FnOnce<()>>::call_once - shim(fn())` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5: 250:71
   = note: inside `std::sys::backtrace::__rust_begin_short_backtrace::<fn(), ()>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs:155:18: 155:21
   = note: inside closure at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:159:18: 159:75
   = note: inside `std::ops::function::impls::<impl std::ops::FnOnce<()> for &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>::call_once` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13: 284:31
   = note: inside `std::panicking::r#try::do_call::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:553:40: 553:43
   = note: inside `std::panicking::r#try::<i32, &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:517:19: 517:88
   = note: inside `std::panic::catch_unwind::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:350:14: 350:33
   = note: inside closure at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:141:48: 141:73
   = note: inside `std::panicking::r#try::do_call::<{closure@std::rt::lang_start_internal::{closure#2}}, isize>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:553:40: 553:43
   = note: inside `std::panicking::r#try::<isize, {closure@std::rt::lang_start_internal::{closure#2}}>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:517:19: 517:88
   = note: inside `std::panic::catch_unwind::<{closure@std::rt::lang_start_internal::{closure#2}}, isize>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:350:14: 350:33
   = note: inside `std::rt::lang_start_internal` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:141:20: 141:98
   = note: inside `std::rt::lang_start::<()>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:158:17: 163:6
@saethlin saethlin added I-ICE Issue: The compiler panicked, giving an Internal Compilation Error (ICE) ❄️ T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. C-bug Category: This is a bug. A-const-eval Area: Constant evaluation, covers all const contexts (static, const fn, ...) labels Jul 12, 2024
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Jul 12, 2024
@saethlin saethlin removed the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Jul 13, 2024
@RalfJung
Copy link
Member

RalfJung commented Aug 6, 2024

That's this assertion.

Fun, so after normalization the type of the argument and the type given in the function signature at the call site do not have the same layout. That's clearly invalid MIR, I think an ICE is a completely appropriate reaction to that.

@saethlin
Copy link
Member Author

saethlin commented Aug 6, 2024

Makes sense. I'll close this and just post a comment on the precipitating issue.

@saethlin saethlin closed this as not planned Won't fix, can't repro, duplicate, stale Aug 6, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
A-const-eval Area: Constant evaluation, covers all const contexts (static, const fn, ...) C-bug Category: This is a bug. I-ICE Issue: The compiler panicked, giving an Internal Compilation Error (ICE) ❄️ T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Development

No branches or pull requests

3 participants