Segfault while improperly storing trait object pointer

[robert-w-gries]

Summary

I attempted to pop a trait object pointer off the stack and cast the raw pointer into a trait object. My first stab at this code was incorrect, but it strangely triggered a segfault in rustc instead of returning a compilation error. The incorrect code involves popping *mut &MyTrait pointer value into a data type of *mut MyTrait. Fixing the incorrect code avoids the segfault issue.

Error Message

[rob@localhost rxinu]$ RUST_BACKTRACE=1 rustc --crate-name rxinu src/lib.rs --crate-type staticlib --emit=dep-info,link -C debuginfo=2 --cfg 'feature="default"' --cfg 'feature="serial"' -C metadata=31a0723d36405193 -C extra-filename=-31a0723d36405193 --out-dir /home/rob/rxinu/target/x86_64-rxinu/debug/deps --target x86_64-rxinu -L dependency=/home/rob/rxinu/target/x86_64-rxinu/debug/deps -L dependency=/home/rob/rxinu/target/debug/deps --extern bitflags=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libbitflags-6b084702002cf111.rlib --extern x86=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libx86-455753b7dd6b85e3.rlib --extern spin=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libspin-9bd689ac3bbcfdfa.rlib --extern multiboot2=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libmultiboot2-542aac65ec57e3e0.rlib --extern linked_list_allocator=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/liblinked_list_allocator-ef23ed764b8b68b8.rlib --extern volatile=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libvolatile-39e0b219e05681b4.rlib --extern bit_field=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libbit_field-677c54a61c03a33f.rlib --extern lazy_static=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/liblazy_static-870f43b7a19a5d5a.rlib --extern rlibc=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/librlibc-8eabc116dc6e8246.rlib --extern once=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libonce-2c4225e39ad50031.rlib --sysroot /home/rob/.xargo
Segmentation fault (core dumped)

Rust Playground Reproduction

Reproduction of incorrect code sample

#![feature(asm)]

trait Foo {
    fn do_something(&self) -> usize;
}

struct MyStruct;

impl Foo for MyStruct {
    fn do_something(&self) -> usize {
        10
    }
}

fn main() {
    unsafe {
        let boxed_struct: Box<&Foo> = Box::new(&MyStruct {});
        asm!("push $0" : : "r"(Box::into_raw(boxed_struct) as usize) : "memory" : "intel", "volatile");

        let struct_ptr: *mut Foo;  // This line is wrong
        asm!("pop $0" : "=r"(struct_ptr) : : "memory" : "intel", "volatile");

        let trait_object = Box::from_raw(struct_ptr);
        println!("{}", trait_object.do_something());
    }
}

Diff to fix incorrect code and avoid segfault

-let struct_ptr: *mut Foo;  // This line is wrong
+let struct_ptr: *mut &Foo;  // This line is correct

Meta

Compiler Version

[rob@localhost rxinu]$ rustc --version --verbose
rustc 1.24.0-nightly (dc39c3169 2017-12-17)
binary: rustc
commit-hash: dc39c31699a83313edf2ac096d0bf3cef871b705
commit-date: 2017-12-17
host: x86_64-unknown-linux-gnu
release: 1.24.0-nightly
LLVM version: 4.0

Backtrace

Running with RUST_BACKTRACE=1 does not print any useful information.

[rob@localhost rxinu]$ RUST_BACKTRACE=1 rustc --crate-name rxinu src/lib.rs --crate-type staticlib --emit=dep-info,link -C debuginfo=2 --cfg 'feature="default"' --cfg 'feature="serial"' -C metadata=31a0723d36405193 -C extra-filename=-31a0723d36405193 --out-dir /home/rob/rxinu/target/x86_64-rxinu/debug/deps --target x86_64-rxinu -L dependency=/home/rob/rxinu/target/x86_64-rxinu/debug/deps -L dependency=/home/rob/rxinu/target/debug/deps --extern bitflags=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libbitflags-6b084702002cf111.rlib --extern x86=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libx86-455753b7dd6b85e3.rlib --extern spin=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libspin-9bd689ac3bbcfdfa.rlib --extern multiboot2=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libmultiboot2-542aac65ec57e3e0.rlib --extern linked_list_allocator=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/liblinked_list_allocator-ef23ed764b8b68b8.rlib --extern volatile=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libvolatile-39e0b219e05681b4.rlib --extern bit_field=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libbit_field-677c54a61c03a33f.rlib --extern lazy_static=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/liblazy_static-870f43b7a19a5d5a.rlib --extern rlibc=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/librlibc-8eabc116dc6e8246.rlib --extern once=/home/rob/rxinu/target/x86_64-rxinu/debug/deps/libonce-2c4225e39ad50031.rlib --sysroot /home/rob/.xargo
Segmentation fault (core dumped)

[sfackler]

This would probably hit an LLVM assert when using a rustc build that has LLVM assertions turned on. @alexcrichton what's the easiest way to get ahold of one of those?

[arielb1]

@sfackler

I think the easiest way is to build one yourself. I happen to have an llvm assertions build locally, and the assertion is:

rustc: /home/ariel/Rust/rust-master/src/llvm/lib/IR/InlineAsm.cpp:46: llvm::InlineAsm::InlineAsm(llvm::FunctionType*, const string&, const string&, bool, bool, llvm::InlineAsm::AsmDialect): Assertion `Verify(getFunctionType(), constraints) && "Function type not legal for constraints!"' failed.
Aborted

[arielb1]

Looks like a duplicate of #37435. We basically don't have a good story for "what is a valid input/output type for inline assembly".