
Exploiting #57893 ICEs Miri #127667

Closed saethlin closed 2 months ago

saethlin commented 3 months ago

The following code is the reproducer for https://github.com/rust-lang/rust/issues/57893, with a small `main` added so that it can actually be run. I found this example by testing https://crates.io/crates/transmutter.

trait Object<U> { // Trait generic over `U`; its associated type is the only thing the reproducer needs.
    type Output; // Left abstract here; the blanket impl that follows fixes it to `U`.
}

impl<T: ?Sized, U> Object<U> for T { // Blanket impl: every `T`, including unsized types (`?Sized`), implements `Object<U>` for every `U`.
    type Output = U; // Under this impl `<T as Object<U>>::Output` is `U`, whatever `T` is.
}

fn foo<T: ?Sized, U>(x: <T as Object<U>>::Output) -> U { // Takes the projection `<T as Object<U>>::Output` and returns it as `U`; the Miri report on this page locates the ICE at this parameter.
    x // Returned unchanged: with `Output = U` from the blanket impl, the type checker treats this as an identity function.
}

fn transmute<T, U>(x: T) -> U { // Converts any `T` into any `U` with no `unsafe` keyword, so a review or lint that only looks for `unsafe` will not flag it.
    foo::<dyn Object<U, Output = T>, U>(x) // The trait-object type names `Output = T`, so `x: T` is accepted as the argument, while `foo` hands the same value back as `U`; per the discussion on this page the two types disagree in layout after normalization.
} 

fn main() { // Entry point added only so the reproducer can be executed (the report runs it under Miri).
    transmute::<u8, u16>(0); // Passes a 1-byte `u8` where a 2-byte `u16` is produced; this 1-byte vs 2-byte mismatch is what the failed layout assertion prints.
}

This ICEs Miri:

thread 'rustc' panicked at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/compiler/rustc_const_eval/src/interpret/terminator.rs:478:9:
assertion `left == right` failed
  left: Layout { size: Size(1 bytes), align: AbiAndPrefAlign { abi: Align(1 bytes), pref: Align(1 bytes) }, abi: Scalar(Initialized { value: Int(I8, false), valid_range: 0..=255 }), fields: Primitive, largest_niche: None, variants: Single { index: 0 }, max_repr_align: None, unadjusted_abi_align: Align(1 bytes) }
 right: Layout { size: Size(2 bytes), align: AbiAndPrefAlign { abi: Align(2 bytes), pref: Align(2 bytes) }, abi: Scalar(Initialized { value: Int(I16, false), valid_range: 0..=65535 }), fields: Primitive, largest_niche: None, variants: Single { index: 0 }, max_repr_align: None, unadjusted_abi_align: Align(2 bytes) }
stack backtrace:
   0:     0x791ede74d655 - std::backtrace_rs::backtrace::libunwind::trace::h7c8130cf668cd2df
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/../../backtrace/src/backtrace/libunwind.rs:116:5
   1:     0x791ede74d655 - std::backtrace_rs::backtrace::trace_unsynchronized::h0593e29235367313
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x791ede74d655 - std::sys::backtrace::_print_fmt::h9c959c88a5792c72
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:68:5
   3:     0x791ede74d655 - <std::sys::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::hb5e9dd9933899cdf
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:44:22
   4:     0x791ede79cd3b - core::fmt::rt::Argument::fmt::hdf68f7545fee2f30
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/fmt/rt.rs:173:76
   5:     0x791ede79cd3b - core::fmt::write::h65925b8134316067
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/fmt/mod.rs:1182:21
   6:     0x791ede741f8f - std::io::Write::write_fmt::h3df49cb2c5fcbe98
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/io/mod.rs:1835:15
   7:     0x791ede74d42e - std::sys::backtrace::_print::h2a2b37094354d148
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:47:5
   8:     0x791ede74d42e - std::sys::backtrace::print::h84df2cea0dec0944
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:34:9
   9:     0x791ede74fd79 - std::panicking::default_hook::{{closure}}::h2483527c2d7a28f6
  10:     0x791ede74fb1c - std::panicking::default_hook::hc23b5282a1966150
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:292:9
  11:     0x791edac2303a - std[e0c9ac1b253a0bb3]::panicking::update_hook::<alloc[6004caa25d76aabb]::boxed::Box<rustc_driver_impl[524901b926d9261b]::install_ice_hook::{closure#0}>>::{closure#0}
  12:     0x791ede75069f - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::h5bdb1a0d960811e2
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2078:9
  13:     0x791ede75069f - std::panicking::rust_panic_with_hook::h9eafc41f20d7c2c8
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:804:13
  14:     0x791ede7502c7 - std::panicking::begin_panic_handler::{{closure}}::h9ecaee3d680b9e79
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:670:13
  15:     0x791ede74db19 - std::sys::backtrace::__rust_end_short_backtrace::hfc51790abe5bc525
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/backtrace.rs:171:18
  16:     0x791ede74ff54 - rust_begin_unwind
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/panicking.rs:661:5
  17:     0x791ede7992f3 - core::panicking::panic_fmt::h43c6bf7b4f5c72c3
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/panicking.rs:74:14
  18:     0x791ede7997fe - core::panicking::assert_failed_inner::hc3b929dc1da8123b
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/core/src/panicking.rs:410:17
  19:     0x64507640ccf8 - core[d1817cabf3b8b437]::panicking::assert_failed::<rustc_target[7e7b29852472a2f]::abi::Layout, rustc_target[7e7b29852472a2f]::abi::Layout>
  20:     0x6450763fa02f - <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::pass_argument::<core[d1817cabf3b8b437]::iter::adapters::filter::Filter<core[d1817cabf3b8b437]::iter::adapters::zip::Zip<core[d1817cabf3b8b437]::slice::iter::Iter<rustc_const_eval[fa70aa40b61cc382]::interpret::terminator::FnArg<miri[fb90a162573eff15]::machine::Provenance>>, core[d1817cabf3b8b437]::slice::iter::Iter<rustc_target[7e7b29852472a2f]::abi::call::ArgAbi<rustc_middle[f6c758e5256b5404]::ty::Ty>>>, <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::eval_fn_call::{closure#2}>>
  21:     0x645076456965 - <rustc_const_eval[fa70aa40b61cc382]::interpret::eval_context::InterpCx<miri[fb90a162573eff15]::machine::MiriMachine>>::eval_fn_call
  22:     0x6450764c77e3 - miri[fb90a162573eff15]::eval::eval_entry
  23:     0x6450763864c9 - <miri[510a8e9519e7aa10]::MiriCompilerCalls as rustc_driver_impl[524901b926d9261b]::Callbacks>::after_analysis
  24:     0x791edd01f50e - rustc_interface[e1b63cfc5891fe09]::interface::run_compiler::<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}
  25:     0x791edcfcaf49 - std[e0c9ac1b253a0bb3]::sys::backtrace::__rust_begin_short_backtrace::<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_with_globals<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_pool_with_globals<rustc_interface[e1b63cfc5891fe09]::interface::run_compiler<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>
  26:     0x791edcfcacfa - <<std[e0c9ac1b253a0bb3]::thread::Builder>::spawn_unchecked_<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_with_globals<rustc_interface[e1b63cfc5891fe09]::util::run_in_thread_pool_with_globals<rustc_interface[e1b63cfc5891fe09]::interface::run_compiler<core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>, rustc_driver_impl[524901b926d9261b]::run_compiler::{closure#0}>::{closure#1}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[d1817cabf3b8b437]::result::Result<(), rustc_span[943dcb0449bc5e91]::ErrorGuaranteed>>::{closure#2} as core[d1817cabf3b8b437]::ops::function::FnOnce<()>>::call_once::{shim:vtable#0}
  27:     0x791ede75a4fb - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h822ca6d991226ae6
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
  28:     0x791ede75a4fb - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h3705e91470912c31
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/alloc/src/boxed.rs:2064:9
  29:     0x791ede75a4fb - std::sys::pal::unix::thread::Thread::new::thread_start::hd12020e7ee8cf5e8
                               at /rustc/5315cbe15b79533f380bbb6685aa5480d5ff4ef5/library/std/src/sys/pal/unix/thread.rs:108:17
  30:     0x791ed76a6ded - <unknown>
  31:     0x791ed772a0dc - <unknown>
  32:                0x0 - <unknown>

error: the compiler unexpectedly panicked. this is a bug.

note: we would appreciate a bug report: https://github.com/rust-lang/miri/issues/new

note: please make sure that you have updated to the latest nightly

note: rustc 1.81.0-nightly (5315cbe15 2024-07-11) running on x86_64-unknown-linux-gnu

note: compiler flags: --crate-type bin -C embed-bitcode=no -C debuginfo=2 -C incremental=[REDACTED]

note: some of the compiler flags provided by cargo are hidden

query stack during panic:
end of query stack

Miri caused an ICE during evaluation. Here's the interpreter backtrace at the time of the panic:
note: the place in the program where the ICE was triggered
  --> src/main.rs:9:22
   |
9  | fn foo<T: ?Sized, U>(x: <T as Object<U>>::Output) -> U {
   |                      ^
   |
   = note: BACKTRACE:
   = note: inside `foo::<dyn Object<u16, Output = u8>, u16>` at src/main.rs:9:22: 9:23
note: inside `transmute::<u8, u16>`
  --> src/main.rs:14:5
   |
14 |     foo::<dyn Object<U, Output = T>, U>(x)
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note: inside `main`
  --> src/main.rs:18:5
   |
18 |     transmute::<u8, u16>(0);
   |     ^^^^^^^^^^^^^^^^^^^^^^^
   = note: inside `<fn() as std::ops::FnOnce<()>>::call_once - shim(fn())` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:250:5: 250:71
   = note: inside `std::sys::backtrace::__rust_begin_short_backtrace::<fn(), ()>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/sys/backtrace.rs:155:18: 155:21
   = note: inside closure at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:159:18: 159:75
   = note: inside `std::ops::function::impls::<impl std::ops::FnOnce<()> for &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>::call_once` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ops/function.rs:284:13: 284:31
   = note: inside `std::panicking::r#try::do_call::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:553:40: 553:43
   = note: inside `std::panicking::r#try::<i32, &dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:517:19: 517:88
   = note: inside `std::panic::catch_unwind::<&dyn std::ops::Fn() -> i32 + std::marker::Sync + std::panic::RefUnwindSafe, i32>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:350:14: 350:33
   = note: inside closure at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:141:48: 141:73
   = note: inside `std::panicking::r#try::do_call::<{closure@std::rt::lang_start_internal::{closure#2}}, isize>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:553:40: 553:43
   = note: inside `std::panicking::r#try::<isize, {closure@std::rt::lang_start_internal::{closure#2}}>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panicking.rs:517:19: 517:88
   = note: inside `std::panic::catch_unwind::<{closure@std::rt::lang_start_internal::{closure#2}}, isize>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/panic.rs:350:14: 350:33
   = note: inside `std::rt::lang_start_internal` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:141:20: 141:98
   = note: inside `std::rt::lang_start::<()>` at /home/ben/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/std/src/rt.rs:158:17: 163:6
RalfJung commented 2 months ago

That's this assertion: the `left == right` layout check at `compiler/rustc_const_eval/src/interpret/terminator.rs:478`.

Fun, so after normalization the type of the argument and the type given in the function signature at the call site do not have the same layout. That's clearly invalid MIR, I think an ICE is a completely appropriate reaction to that.

saethlin commented 2 months ago

Makes sense. I'll close this and just post a comment on the precipitating issue.