ICE `assertion `left == right` failed: write_cvalue_transmute: types::I32 -> types::I64`

[matthiaskrgr]

auto-reduced (treereduce-rust):

struct SliceWithHead(u8, [u8]);

fn main() {
    let buf = [0u32; 1];

    let ptr: *const SliceWithHead = unsafe { std::mem::transmute((&buf, 1)) };
}

original:

// should find the bug even without retagging
//@compile-flags: -Zmiri-disable-stacked-borrows

struct SliceWithHead(#[allow(dead_code)] u8, #[allow(dead_code)] [u8]);

fn main() {
    let buf = [0u32; 1];
    // We craft a wide pointer `*const SliceWithHead` such that the unsized tail is only partially allocated.
    // That should lead to UB, as the reference is not fully dereferenceable.
    let ptr: *const SliceWithHead = unsafe { std::mem::transmute((&buf, 1)) };
    // Re-borrow that. This should be UB.
    let _ptr = unsafe { &*ptr }; //~ ERROR: encountered a dangling reference (going beyond the bounds of its allocation)
}

Version information

rustc 1.77.0-nightly (af08c64e3 2024-01-29)
binary: rustc
commit-hash: af08c64e3800fd15f0afdb8651de8fa7dacc0026
commit-date: 2024-01-29
host: x86_64-unknown-linux-gnu
release: 1.77.0-nightly
LLVM version: 17.0.6

Command: /home/matthias/.rustup/toolchains/master/bin/rustc -Zmir-opt-level=5 -Zcodegen-backend=cranelift

Program output

``` warning: unused variable: `ptr` --> /tmp/icemaker_global_tempdir.yBSNmWzLXX3J/rustc_testrunner_tmpdir_reporting.O3jHPEVlFwXz/mvce.rs:6:9 | 6 | let ptr: *const SliceWithHead = unsafe { std::mem::transmute((&buf, 1)) }; | ^^^ help: if this is intentional, prefix it with an underscore: `_ptr` | = note: `#[warn(unused_variables)]` on by default warning: fields `0` and `1` are never read --> /tmp/icemaker_global_tempdir.yBSNmWzLXX3J/rustc_testrunner_tmpdir_reporting.O3jHPEVlFwXz/mvce.rs:1:22 | 1 | struct SliceWithHead(u8, [u8]); | ------------- ^^ ^^^^ | | | fields in this struct | = note: `#[warn(dead_code)]` on by default help: consider changing the fields to be of unit type to suppress this warning while preserving the field numbering, or remove the fields | 1 | struct SliceWithHead((), ()); | ~~ ~~ thread 'rustc' panicked at src/value_and_place.rs:555:13: assertion `left == right` failed: write_cvalue_transmute: types::I32 -> types::I64 left: 4 right: 8 stack backtrace: 0: 0x7faae7dba766 - std::backtrace_rs::backtrace::libunwind::trace::h7c7ac43538ebe472 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/../../backtrace/src/backtrace/libunwind.rs:104:5 1: 0x7faae7dba766 - std::backtrace_rs::backtrace::trace_unsynchronized::h5508b242c4c12984 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x7faae7dba766 - std::sys_common::backtrace::_print_fmt::hd639972598c59b74 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys_common/backtrace.rs:68:5 3: 0x7faae7dba766 - ::fmt::h698d6e1355cc5d61 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys_common/backtrace.rs:44:22 4: 0x7faae7e0d100 - core::fmt::rt::Argument::fmt::ha3fb3ddb557a8c28 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/core/src/fmt/rt.rs:142:9 5: 0x7faae7e0d100 - core::fmt::write::hae04493f24c53294 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/core/src/fmt/mod.rs:1120:17 6: 0x7faae7dae12f - std::io::Write::write_fmt::hf8f7af67b8ad7e8c at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/io/mod.rs:1810:15 7: 0x7faae7dba544 - std::sys_common::backtrace::_print::h06c79c4f31ffa6a6 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys_common/backtrace.rs:47:5 8: 0x7faae7dba544 - std::sys_common::backtrace::print::h0f43e94a08a21e5b at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys_common/backtrace.rs:34:9 9: 0x7faae7dbd2d7 - std::panicking::default_hook::{{closure}}::ha3f3b1b60e2c5df1 10: 0x7faae7dbd039 - std::panicking::default_hook::h4c22a752655f027b at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/panicking.rs:292:9 11: 0x7faae4b3664c - std[527f01a8ca63601b]::panicking::update_hook::>::{closure#0} 12: 0x7faae7dbda26 - as core::ops::function::Fn>::call::hd677dcfc0977411a at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/alloc/src/boxed.rs:2029:9 13: 0x7faae7dbda26 - std::panicking::rust_panic_with_hook::h30a4485d7c627d00 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/panicking.rs:785:13 14: 0x7faae7dbd772 - std::panicking::begin_panic_handler::{{closure}}::h5cee7380081e0bc7 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/panicking.rs:659:13 15: 0x7faae7dbac66 - std::sys_common::backtrace::__rust_end_short_backtrace::h5ce5b16fec0dd4af at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys_common/backtrace.rs:171:18 16: 0x7faae7dbd4c4 - rust_begin_unwind at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/panicking.rs:647:5 17: 0x7faae7e09805 - core::panicking::panic_fmt::h0ecda8cbe1cd9e47 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/core/src/panicking.rs:72:14 18: 0x7faae7e09e7f - core::panicking::assert_failed_inner::hefd49e818054cbff at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/core/src/panicking.rs:337:23 19: 0x7faad85c205f - core[9bbc21a9b33808e2]::panicking::assert_failed:: 20: 0x7faad86595b0 - ::write_cvalue_maybe_transmute::transmute_scalar 21: 0x7faad865905f - ::write_cvalue_maybe_transmute 22: 0x7faad860b26e - rustc_codegen_cranelift[ec19655ba85fdac8]::base::codegen_fn_body 23: 0x7faad8622e6c - rustc_codegen_cranelift[ec19655ba85fdac8]::driver::aot::module_codegen::{closure#0} 24: 0x7faad861ff52 - rustc_codegen_cranelift[ec19655ba85fdac8]::driver::aot::module_codegen 25: 0x7faad862cabf - rustc_codegen_cranelift[ec19655ba85fdac8]::driver::aot::run_aot 26: 0x7faad865bdbc - ::codegen_crate 27: 0x7faae6861430 - rustc_interface[d556da9ff3a1cc86]::passes::start_codegen 28: 0x7faae6860b70 - ::codegen_and_build_linker 29: 0x7faae6b104cc - rustc_interface[d556da9ff3a1cc86]::interface::run_compiler::, rustc_driver_impl[8792044a82a8625e]::run_compiler::{closure#0}>::{closure#0} 30: 0x7faae67abe46 - std[527f01a8ca63601b]::sys_common::backtrace::__rust_begin_short_backtrace::, rustc_driver_impl[8792044a82a8625e]::run_compiler::{closure#0}>::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>>::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>> 31: 0x7faae67abc73 - <::spawn_unchecked_, rustc_driver_impl[8792044a82a8625e]::run_compiler::{closure#0}>::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>>::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[9bbc21a9b33808e2]::result::Result<(), rustc_span[db02a72bff8b29a5]::ErrorGuaranteed>>::{closure#1} as core[9bbc21a9b33808e2]::ops::function::FnOnce<()>>::call_once::{shim:vtable#0} 32: 0x7faae7dc7015 - as core::ops::function::FnOnce>::call_once::h2bd4aab73c5ae314 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/alloc/src/boxed.rs:2015:9 33: 0x7faae7dc7015 - as core::ops::function::FnOnce>::call_once::ha809079e7c8fd129 at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/alloc/src/boxed.rs:2015:9 34: 0x7faae7dc7015 - std::sys::pal::unix::thread::Thread::new::thread_start::he1a55fca7da552da at /rustc/af08c64e3800fd15f0afdb8651de8fa7dacc0026/library/std/src/sys/pal/unix/thread.rs:108:17 35: 0x7faae1caa9eb - 36: 0x7faae1d2e7cc - 37: 0x0 - error: the compiler unexpectedly panicked. this is a bug. note: we would appreciate a bug report: https://github.com/rust-lang/rust/issues/new?labels=C-bug%2C+I-ICE%2C+T-compiler&template=ice.md note: rustc 1.77.0-nightly (af08c64e3 2024-01-29) running on x86_64-unknown-linux-gnu note: compiler flags: -Z mir-opt-level=5 -Z codegen-backend=cranelift -Z dump-mir-dir=dir query stack during panic: end of query stack warning: 2 warnings emitted ```

[matthiaskrgr]

another one

auto-reduced (treereduce-rust):

use std::mem;

struct PackedSized {
    f: u8,
    d: [u32; 4],
}

struct PackedUnsized {
    f: u8,
    d: [u32],
}

impl PackedSized {
    fn unsize(&self) -> &PackedUnsized {
        let len = 1;
        unsafe { mem::transmute((self, len)) }
    }
}

fn main() {
    unsafe {
        let p = PackedSized {
            f: 0,
            d: [1, 2, 3, 4],
        };
        let p = p.unsize() as *const PackedUnsized;
    }
}

original:

//@ run-pass
#![feature(layout_for_ptr)]
use std::mem;

#[repr(packed, C)]
struct PackedSized {
    f: u8,
    d: [u32; 4],
}

#[repr(packed, C)]
struct PackedUnsized {
    f: u8,
    d: [u32],
}

impl PackedSized {
    fn unsize(&self) -> &PackedUnsized {
        // We can't unsize via a generic type since then we get the error
        // that packed structs with unsized tail don't work if the tail
        // might need dropping.
        let len = 1;
        unsafe { mem::transmute((self, len)) }
    }
}

fn main() { unsafe {
    let p = PackedSized { f: 0, d: [1, 2, 3, 4] };
    let p = p.unsize() as *const PackedUnsized;
    // Make sure the size computation does *not* think there is
    // any padding in front of the `d` field.
    assert_eq!(mem::size_of_val_raw(p), 1 + 4*4);
    // And likewise for the offset computation.
    let d = std::ptr::addr_of!((*p).d);
    assert_eq!(d.cast::<u32>().read_unaligned(), 1);
} }

Version information

rustc 1.79.0-nightly (548e14b43 2024-03-24)
binary: rustc
commit-hash: 548e14b43963882fb758deb89e8258d9b8c2fc2a
commit-date: 2024-03-24
host: x86_64-unknown-linux-gnu
release: 1.79.0-nightly
LLVM version: 18.1.2

Command: /home/matthias/.rustup/toolchains/master/bin/rustc -Zcodegen-backend=cranelift

Program output

``` warning: unused variable: `p` --> /tmp/icemaker_global_tempdir.TXIDEzRUKYHM/rustc_testrunner_tmpdir_reporting.ssq51HE4Uh0x/mvce.rs:26:13 | 26 | let p = p.unsize() as *const PackedUnsized; | ^ help: if this is intentional, prefix it with an underscore: `_p` | = note: `#[warn(unused_variables)]` on by default warning: unnecessary `unsafe` block --> /tmp/icemaker_global_tempdir.TXIDEzRUKYHM/rustc_testrunner_tmpdir_reporting.ssq51HE4Uh0x/mvce.rs:21:5 | 21 | unsafe { | ^^^^^^ unnecessary `unsafe` block | = note: `#[warn(unused_unsafe)]` on by default warning: fields `f` and `d` are never read --> /tmp/icemaker_global_tempdir.TXIDEzRUKYHM/rustc_testrunner_tmpdir_reporting.ssq51HE4Uh0x/mvce.rs:4:5 | 3 | struct PackedSized { | ----------- fields in this struct 4 | f: u8, | ^ 5 | d: [u32; 4], | ^ | = note: `#[warn(dead_code)]` on by default warning: fields `f` and `d` are never read --> /tmp/icemaker_global_tempdir.TXIDEzRUKYHM/rustc_testrunner_tmpdir_reporting.ssq51HE4Uh0x/mvce.rs:9:5 | 8 | struct PackedUnsized { | ------------- fields in this struct 9 | f: u8, | ^ 10 | d: [u32], | ^ thread 'rustc' panicked at src/value_and_place.rs:555:13: assertion `left == right` failed: write_cvalue_transmute: types::I32 -> types::I64 left: 4 right: 8 stack backtrace: 0: 0x7bb38e821fd5 - std::backtrace_rs::backtrace::libunwind::trace::h42bff1a7b43dd59b at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/../../backtrace/src/backtrace/libunwind.rs:105:5 1: 0x7bb38e821fd5 - std::backtrace_rs::backtrace::trace_unsynchronized::h487df93320a9df04 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5 2: 0x7bb38e821fd5 - std::sys_common::backtrace::_print_fmt::h07de1da949170707 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys_common/backtrace.rs:68:5 3: 0x7bb38e821fd5 - ::fmt::h844cac6fe47b48fc at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys_common/backtrace.rs:44:22 4: 0x7bb38e87307b - core::fmt::rt::Argument::fmt::hb8e1c63e19804b9f at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/core/src/fmt/rt.rs:142:9 5: 0x7bb38e87307b - core::fmt::write::h48ca3d8ec7493938 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/core/src/fmt/mod.rs:1153:17 6: 0x7bb38e816d6f - std::io::Write::write_fmt::he2f539f86a4d5187 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/io/mod.rs:1843:15 7: 0x7bb38e821dae - std::sys_common::backtrace::_print::hf0fb6b45269a2f11 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys_common/backtrace.rs:47:5 8: 0x7bb38e821dae - std::sys_common::backtrace::print::h03209c69877615dd at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys_common/backtrace.rs:34:9 9: 0x7bb38e824a29 - std::panicking::default_hook::{{closure}}::h101bae6d8c9043af 10: 0x7bb38e824793 - std::panicking::default_hook::hf5920306d6e4b5b6 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/panicking.rs:292:9 11: 0x7bb38b1cb6ff - std[7fd525226211ab56]::panicking::update_hook::>::{closure#0} 12: 0x7bb38e8251c8 - as core::ops::function::Fn>::call::hbe2177d39db84251 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/alloc/src/boxed.rs:2029:9 13: 0x7bb38e8251c8 - std::panicking::rust_panic_with_hook::h8bee57b94d205fd8 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/panicking.rs:789:13 14: 0x7bb38e824ed6 - std::panicking::begin_panic_handler::{{closure}}::h905d90f7e050310b at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/panicking.rs:657:13 15: 0x7bb38e822499 - std::sys_common::backtrace::__rust_end_short_backtrace::h6a64716082cdcf75 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys_common/backtrace.rs:171:18 16: 0x7bb38e824c07 - rust_begin_unwind at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/panicking.rs:645:5 17: 0x7bb38e86f516 - core::panicking::panic_fmt::h2aff6718f4bdfb08 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/core/src/panicking.rs:72:14 18: 0x7bb38e86fadf - core::panicking::assert_failed_inner::hd21aa0ff3fbea35f at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/core/src/panicking.rs:334:23 19: 0x7bb37e3c28af - core[12243c8320863e2a]::panicking::assert_failed:: 20: 0x7bb37e45997a - ::write_cvalue_maybe_transmute::transmute_scalar 21: 0x7bb37e45942d - ::write_cvalue_maybe_transmute 22: 0x7bb37e40b33c - rustc_codegen_cranelift[835da27022a33635]::base::codegen_fn_body 23: 0x7bb37e4241b2 - rustc_codegen_cranelift[835da27022a33635]::driver::aot::module_codegen::{closure#0} 24: 0x7bb37e421297 - rustc_codegen_cranelift[835da27022a33635]::driver::aot::module_codegen 25: 0x7bb37e42d65c - rustc_codegen_cranelift[835da27022a33635]::driver::aot::run_aot 26: 0x7bb37e45c061 - ::codegen_crate 27: 0x7bb38d46db1f - rustc_interface[32eaad0573225f19]::passes::start_codegen 28: 0x7bb38d46d2b3 - ::codegen_and_build_linker 29: 0x7bb38d271ceb - rustc_interface[32eaad0573225f19]::interface::run_compiler::, rustc_driver_impl[e695e332d36d528]::run_compiler::{closure#0}>::{closure#0} 30: 0x7bb38d33efa3 - std[7fd525226211ab56]::sys_common::backtrace::__rust_begin_short_backtrace::, rustc_driver_impl[e695e332d36d528]::run_compiler::{closure#0}>::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>>::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>> 31: 0x7bb38d33edd0 - <::spawn_unchecked_, rustc_driver_impl[e695e332d36d528]::run_compiler::{closure#0}>::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>>::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>>::{closure#0}::{closure#0}, core[12243c8320863e2a]::result::Result<(), rustc_span[12522247a56ca943]::ErrorGuaranteed>>::{closure#1} as core[12243c8320863e2a]::ops::function::FnOnce<()>>::call_once::{shim:vtable#0} 32: 0x7bb38e82e989 - as core::ops::function::FnOnce>::call_once::h27cb56cf029c42e6 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/alloc/src/boxed.rs:2015:9 33: 0x7bb38e82e989 - as core::ops::function::FnOnce>::call_once::hde702e0873fc7642 at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/alloc/src/boxed.rs:2015:9 34: 0x7bb38e82e989 - std::sys::pal::unix::thread::Thread::new::thread_start::h4cd71e4fc50a3acb at /rustc/548e14b43963882fb758deb89e8258d9b8c2fc2a/library/std/src/sys/pal/unix/thread.rs:108:17 35: 0x7bb3880a955a - 36: 0x7bb388126a3c - 37: 0x0 - error: the compiler unexpectedly panicked. this is a bug. note: we would appreciate a bug report: https://github.com/rust-lang/rust/issues/new?labels=C-bug%2C+I-ICE%2C+T-compiler&template=ice.md note: rustc 1.79.0-nightly (548e14b43 2024-03-24) running on x86_64-unknown-linux-gnu note: compiler flags: -Z codegen-backend=cranelift -Z dump-mir-dir=dir query stack during panic: end of query stack warning: 4 warnings emitted ```