panic when an interpreter error gets unintentionally discarded #130885
Conversation
rustbot
added
S-waiting-on-review
|
Some changes occurred to the CTFE / Miri interpreter cc @rust-lang/miri The Miri subtree was changed cc @rust-lang/miri Some changes occurred to MIR optimizations cc @rust-lang/wg-mir-opt Some changes occurred to the CTFE / Miri interpreter cc @rust-lang/miri |
There was a problem hiding this comment.
The annoying thing is that all the MIR transforms need to use discard_interp_error() instead of ok() now, and if they forget that that's a lurking ICE.
An alternative approach would be to use TLS to track whether the current interpreter has raised an error, and then on the next interpreter step complain if we are still running. But that means more global state, and we'll have to handle the situation of multiple interpreters on the same thread (they should be well-nested, at least) -- so it's not beautiful either.
There was a problem hiding this comment.
Could we configure whether InterpErrors are "explosive" in the InterpCx? I'd ideally like to see MIR opts just do InterpCx::new(...).ignore_interp_errors() or something when interfacing with const eval. Or would this still be violating some invariant you'd like to see enforced in MIR opts?
RalfJung
force-pushed
the
interp-error-discard
branch
from
120e9f9
to
b742eda
Compare
This comment has been minimized.
This comment has been minimized.
|
Ah damn, a clippy failure... those are always so painful to fix due to #78717 :/ |
RalfJung
force-pushed
the
interp-error-discard
branch
from
b742eda
to
4557061
Compare
| @@ -573,7 +587,7 @@ impl<'a, 'tcx> Collector<'a, 'tcx> { | |||
| map: &Map<'tcx>, | |||
| ) -> Option<Const<'tcx>> { | |||
| let ty = place.ty(self.local_decls, self.patch.tcx).ty; | |||
| let layout = ecx.layout_of(ty).ok()?; | |||
| let layout = ecx.layout_of(ty).discard_interp_error()?; | |||
There was a problem hiding this comment.
I wonder if this should just call into self.tcx.layout_of -- having a layout_of query return an InterpResult that needs to be defused seems odd, imo.
There was a problem hiding this comment.
We could do that but then we have to pass the ParamEnv by hand. It doesn't mak the code shorter, overall.
There's a lot of code that has TyCtx + ParamEnv but sadly no commonly used type to pack the two leading to a lot of issues like this. :/
There was a problem hiding this comment.
Could we configure whether InterpErrors are "explosive" in the InterpCx? I'd ideally like to see MIR opts just do InterpCx::new(...).ignore_interp_errors() or something when interfacing with const eval. Or would this still be violating some invariant you'd like to see enforced in MIR opts?
| TrackElem::Field(idx) => self.ecx.project_field(op, idx.as_usize()).ok(), | ||
| TrackElem::Variant(idx) => self.ecx.project_downcast(op, idx).ok(), | ||
| TrackElem::Field(idx) => { | ||
| self.ecx.project_field(op, idx.as_usize()).discard_interp_error() |
There was a problem hiding this comment.
Bikeshed: If we can't get rid of all these calls in rustc_mir_transform, perhaps we could at least find a shorter name than discard_interp_error.
There was a problem hiding this comment.
The name must be somewhat scary though or else people might use it in const-eval / miri and not realize what they are doing (and reviewers could easily miss it)...
| @@ -557,7 +571,9 @@ impl<'a, 'tcx> TOFinder<'a, 'tcx> { | |||
| // `SetDiscriminant` may be a no-op if the assigned variant is the untagged variant | |||
| // of a niche encoding. If we cannot ensure that we write to the discriminant, do | |||
| // nothing. | |||
| let Ok(enum_layout) = self.ecx.layout_of(enum_ty) else { return }; | |||
| let Some(enum_layout) = self.ecx.layout_of(enum_ty).discard_interp_error() else { | |||
There was a problem hiding this comment.
This seems really easy to mix up by writing let Ok(_), as noted above.
I'm not certain the best way to avoid this, except for going way overkill and implementing some custom struct (like not a Result but a struct wrapper that makes the Result inaccessible) that implements Try and forces you to deal with the error by either doing ? (via Try) or .discard_interp_error...
There was a problem hiding this comment.
Yeah that's the only type-based alternative I can think of.
Unfortunately not, since the code that creates InterpError has no access to the (Sorry for replying out-of-thread, github as usually has a terrible UI when a review adds a new comment to an existing thread and doesn't make it clear where to reply to a message like this.) |
|
I think this is just going to be a constant source of ICEs. I can already hear the humming of Matthias's fuzzers. I don't think TLS for a sanity assertion is a problem and would prefer that solution |
What about the "newtyped |
|
I like it most but assumed from your comments that it was not to your liking. |
|
Global state is also not to my liking ;) |
|
Argh I wish we had implicit Ok-wrapping, that would make this so much nicer... |
RalfJung
force-pushed
the
interp-error-discard
branch
2 times, most recently
from
f07f8d3
to
afa5a66
Compare
|
Okay, I did that now. :D That made the PR... big... The new Note that we panic on drop even if the operation succeeded, so while this does risk ICEs, the ICE should occur always when some code is executed, not just sometimes, making it easier to find with tests. And this has indeed found one discarded UB issue in Miri. |
| @@ -135,7 +135,7 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> { | |||
| // The only supported flags are GRND_RANDOM and GRND_NONBLOCK, | |||
| // neither of which have any effect on our current PRNG. | |||
| // See <https://github.com/rust-lang/rust/pull/79196> for a discussion of argument sizes. | |||
| let _flags = this.read_scalar(&args[3])?.to_i32(); | |||
| let _flags = this.read_scalar(&args[3])?.to_i32()?; | |||
There was a problem hiding this comment.
This is the discarded UB issue that was now found -- the final ? was missing.
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
interp-error-discard
branch
from
afa5a66
to
59c4659
Compare
|
Some changes occurred in src/tools/clippy cc @rust-lang/clippy |
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
interp-error-discard
branch
2 times, most recently
from
f5c5e1f
to
fc32fe9
Compare
|
☔ The latest upstream changes (presumably #131036) made this pull request unmergeable. Please resolve the merge conflicts. |
RalfJung
force-pushed
the
interp-error-discard
branch
from
fc32fe9
to
dc0281f
Compare
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
interp-error-discard
branch
from
dc0281f
to
80c5d99
Compare
|
r=me with or without any more applications of your last change if you want them. |
RalfJung
force-pushed
the
interp-error-discard
branch
from
80c5d99
to
d46aa2a
Compare
RalfJung
force-pushed
the
interp-error-discard
branch
from
d46aa2a
to
c4ce8c1
Compare
|
@bors r=oli-obk |
bors
added
S-waiting-on-bors
…li-obk panic when an interpreter error gets unintentionally discarded One important invariant of Miri is that when an interpreter error is raised (*in particular* a UB error), those must not be discarded: it's not okay to just check `foo().is_err()` and then continue executing. This seems to catch new contributors by surprise fairly regularly, so this PR tries to make it so that *if* this ever happens, we get a panic rather than a silent missed UB bug. The interpreter error type now contains a "guard" that panics on drop, and that is explicitly passed to `mem::forget` when an error is deliberately discarded. Fixes rust-lang/miri#3855
…kingjubilee Rollup of 3 pull requests Successful merges: - rust-lang#130885 (panic when an interpreter error gets unintentionally discarded) - rust-lang#131108 (Revert rust-lang#131060 "Drop conditionally applied cargo `-Zon-broken-pipe=kill` flags") - rust-lang#131121 (A couple of fixes for dataflow graphviz dumps) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#130885 - RalfJung:interp-error-discard, r=oli-obk panic when an interpreter error gets unintentionally discarded One important invariant of Miri is that when an interpreter error is raised (*in particular* a UB error), those must not be discarded: it's not okay to just check `foo().is_err()` and then continue executing. This seems to catch new contributors by surprise fairly regularly, so this PR tries to make it so that *if* this ever happens, we get a panic rather than a silent missed UB bug. The interpreter error type now contains a "guard" that panics on drop, and that is explicitly passed to `mem::forget` when an error is deliberately discarded. Fixes rust-lang/miri#3855
…=jieyouxu mark InterpResult as must_use This was forgotten in rust-lang#130885
Rollup merge of rust-lang#131596 - RalfJung:interp-result-must-use, r=jieyouxu mark InterpResult as must_use This was forgotten in rust-lang#130885
One important invariant of Miri is that when an interpreter error is raised (in particular a UB error), those must not be discarded: it's not okay to just check
foo().is_err()and then continue executing.This seems to catch new contributors by surprise fairly regularly, so this PR tries to make it so that if this ever happens, we get a panic rather than a silent missed UB bug. The interpreter error type now contains a "guard" that panics on drop, and that is explicitly passed to
mem::forgetwhen an error is deliberately discarded.Fixes rust-lang/miri#3855