Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

miri error in safe code when mutating the bool inside Option<RefCell<bool>> #68303

Closed
rodrimati1992 opened this issue Jan 17, 2020 · 4 comments · Fixed by #68491
Closed

miri error in safe code when mutating the bool inside Option<RefCell<bool>> #68303

rodrimati1992 opened this issue Jan 17, 2020 · 4 comments · Fixed by #68491
Labels
A-miri Area: The miri tool C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@rodrimati1992
Copy link
Contributor

rodrimati1992 commented Jan 17, 2020
edited
Loading

Running this code in miri(2019-12-27) in the playground:

use std::cell::RefCell;

fn main() {
    let optional=Some(RefCell::new(false));
    let mut handle=optional.as_ref().unwrap().borrow_mut();
    optional.is_some();
    *handle=true;
}

https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=3e8c5326890889354418d3161294d0fe

Results in this MIRI error:


error: Miri evaluation error: trying to reborrow for Unique, but parent tag <1307> does not have an appropriate item in the borrow stack
    --> /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/cell.rs:1388:9
     |
1388 |         self.value
     |         ^^^^^^^^^^ Miri evaluation error: trying to reborrow for Unique, but parent tag <1307> does not have an appropriate item in the borrow stack
     |
note: inside call to `<std::cell::RefMut<bool> as std::ops::DerefMut>::deref_mut` at src/main.rs:7:5
    --> src/main.rs:7:5
     |
7    |     *handle=true;
     |     ^^^^^^^
     = note: inside call to `main` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:67:34
     = note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:73
     = note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/sys_common/backtrace.rs:129:5
     = note: inside call to `std::sys_common::backtrace::__rust_begin_short_backtrace::<[closure@DefId(1:6016 ~ std[49a3]::rt[0]::lang_start_internal[0]::{{closure}}[0]::{{closure}}[0]) 0:&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:52:13
     = note: inside call to closure at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:296:40
     = note: inside call to `std::panicking::r#try::do_call::<[closure@DefId(1:6015 ~ std[49a3]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panicking.rs:272:13
     = note: inside call to `std::panicking::r#try::<i32, [closure@DefId(1:6015 ~ std[49a3]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe]>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/panic.rs:394:14
     = note: inside call to `std::panic::catch_unwind::<[closure@DefId(1:6015 ~ std[49a3]::rt[0]::lang_start_internal[0]::{{closure}}[0]) 0:&&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe], i32>` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:51:25
     = note: inside call to `std::rt::lang_start_internal` at /root/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libstd/rt.rs:67:5
     = note: inside call to `std::rt::lang_start::<()>`
@jonas-schievink jonas-schievink added A-miri Area: The miri tool C-bug Category: This is a bug. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. labels Jan 17, 2020
@jonas-schievink
Copy link
Contributor

Is this related to #68206?

@Centril
Copy link
Contributor

Centril commented Jan 17, 2020

cc @RalfJung @rust-lang/lang

@Centril Centril added the I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness label Jan 17, 2020
@RalfJung
Copy link
Member

At a first glance yes, this seems very related to #68206. I think what happens is that borrow_mut creates a mutable reference to the content, asserting uniqueness. Then optional.is_some() reads from that same location, ending the lifetime of the mutable reference. And finally, *handle = true uses the mutable reference again, causing the failure.

@RalfJung
Copy link
Member

@rodrimati1992 this is a great catch, and with perfect timing :)

@RalfJung RalfJung mentioned this issue Jan 17, 2020
Closed
@pnkfelix pnkfelix mentioned this issue Jan 23, 2020
Merged
pnkfelix added a commit to pnkfelix/rust that referenced this issue Jan 30, 2020
@pnkfelix
Add repr(no_niche) to UnsafeCell. Fix rust-lang#68303.
ee633e8
Dylan-DPC-zz pushed a commit to Dylan-DPC-zz/rust that referenced this issue Jan 30, 2020
@Dylan-DPC
Rollup merge of rust-lang#68491 - pnkfelix:hide-niches-under-unsafe-c…
37de63d 
…ell, r=oli

Hide niches under UnsafeCell

Hide any niche of T from type-construction context of `UnsafeCell<T>`.

Fix rust-lang#68303
Fix rust-lang#68206
bors added a commit that referenced this issue Feb 11, 2020
@bors
Auto merge of #68491 - pnkfelix:hide-niches-under-unsafe-cell, r=oli
fc23a81 
Hide niches under UnsafeCell

Hide any niche of T from type-construction context of `UnsafeCell<T>`.

Fix #68303
Fix #68206
@bors bors closed this as completed in 3e04722 Feb 11, 2020
@RalfJung RalfJung mentioned this issue Feb 12, 2020
Merged
bors added a commit to rust-lang/miri that referenced this issue Feb 12, 2020
@bors
Auto merge of #1172 - RalfJung:rustup, r=RalfJung
8a7e553 
Rustup

and also a test for rust-lang/rust#68303
bors added a commit to rust-lang/miri that referenced this issue Feb 12, 2020
@bors
Auto merge of #1172 - RalfJung:rustup, r=RalfJung
49aafad 
Rustup

and also a test for rust-lang/rust#68303
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
A-miri Area: The miri tool C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Hide niches under UnsafeCell pnkfelix/rust
4 participants
@RalfJung @Centril @jonas-schievink @rodrimati1992