Miri reports UB with opt-level 4 in code that should not have UB #111422

Closed
RalfJung opened this issue May 10, 2023 · 4 comments · Fixed by #111441
Labels
A-mir-opt Area: MIR optimizations I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness requires-nightly This issue requires a nightly compiler in some way.

Comments

@RalfJung
Member

  tests/pass/ptr_raw.rs FAILED:
  command: "/home/runner/work/miri/miri/target/debug/miri" "--error-format=json" "-Dwarnings" "-Dunused" "-Zmiri-tag-gc=1" "-O" "-Zmir-opt-level=4" "-Cdebug-assertions=yes" "-Zui-testing" "--target" "x86_64-unknown-linux-gnu" "tests/pass/ptr_raw.rs" "--edition" "2021"
  
  Error: no message
  error file=tests/pass/ptr_raw.rs,line=0,title=pass test got exit status: 1, but expected 0::no message
  
  Error: Error: Undefined Behavior: attempting a write access using <2732> at alloc1455[0x0], but that tag does not exist in the borrow stack for this location
  error file=tests/pass/ptr_raw.rs,line=9,title=Unmatched diagnostics::Error: Undefined Behavior: attempting a write access using <2732> at alloc1455[0x0], but that tag does not exist in the borrow stack for this location
  
  pass test got exit status: 1, but expected 0
  
  There were 1 unmatched diagnostics at tests/pass/ptr_raw.rs:9
      Error: Undefined Behavior: attempting a write access using <2732> at alloc1455[0x0], but that tag does not exist in the borrow stack for this location
  
  full stderr:
  warning: Miri does not support optimizations. If you have enabled optimizations by selecting a Cargo profile (such as --release) which changes other profile settings such as whether debug assertions and overflow checks are enabled, those settings are still applied.
  
  warning: You have explicitly enabled MIR optimizations, overriding Miri's default which is to completely disable them. Any optimizations may hide UB that Miri would otherwise detect, and it is not necessarily possible to predict what kind of UB will be missed. If you are enabling optimizations to make Miri run faster, we advise using cfg(miri) to shrink your workload instead. The performance benefit of enabling MIR optimizations is usually marginal at best.
  
  error: Undefined Behavior: attempting a write access using <2732> at alloc1455[0x0], but that tag does not exist in the borrow stack for this location
    --> tests/pass/ptr_raw.rs:9:9
     |
  LL |         *raw = 42;
     |         ^^^^^^^^^
     |         |
     |         attempting a write access using <2732> at alloc1455[0x0], but that tag does not exist in the borrow stack for this location
     |         this error occurs as part of an access at alloc1455[0x0..0x4]
     |
     = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
     = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
  help: <2732> was created by a Unique retag at offsets [0x0..0x4]
    --> tests/pass/ptr_raw.rs:3:13
     |
  LL |     let x = &mut x;
     |             ^^^^^^
  help: <2732> was later invalidated at offsets [0x0..0x4] by a SharedReadOnly retag
    --> tests/pass/ptr_raw.rs:5:5
     |
  LL |     assert_eq!(*x, 12);
     |     ^^^^^^^^^^^^^^^^^^
     = note: BACKTRACE (of the first span):
     = note: inside `basic_raw` at tests/pass/ptr_raw.rs:9:9: 9:18
  note: inside `main`
    --> tests/pass/ptr_raw.rs:24:5
     |
  LL |     basic_raw();
     |     ^^^^^^^^^^^
     = note: this error originates in the macro `assert_eq` (in Nightly builds, run with -Z macro-backtrace for more info)
  
  note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
  
  error: aborting due to previous error; 2 warnings emitted
  
  
  
  
  tests/pass/stacked-borrows/stacked-borrows.rs FAILED:
  command: "/home/runner/work/miri/miri/target/debug/miri" "--error-format=json" "-Dwarnings" "-Dunused" "-Zmiri-tag-gc=1" "-O" "-Zmir-opt-level=4" "-Cdebug-assertions=yes" "-Zui-testing" "--target" "x86_64-unknown-linux-gnu" "tests/pass/stacked-borrows/stacked-borrows.rs" "-Zmiri-retag-fields" "--edition" "2021"
  
  Error: no message
  error file=tests/pass/stacked-borrows/stacked-borrows.rs,line=0,title=pass test got exit status: 1, but expected 0::no message
  
  Error: Error: Undefined Behavior: attempting a write access using <2768> at alloc1530[0x0], but that tag does not exist in the borrow stack for this location
  error file=tests/pass/stacked-borrows/stacked-borrows.rs,line=57,title=Unmatched diagnostics::Error: Undefined Behavior: attempting a write access using <2768> at alloc1530[0x0], but that tag does not exist in the borrow stack for this location
  
  pass test got exit status: 1, but expected 0
  
  There were 1 unmatched diagnostics at tests/pass/stacked-borrows/stacked-borrows.rs:57
      Error: Undefined Behavior: attempting a write access using <2768> at alloc1530[0x0], but that tag does not exist in the borrow stack for this location
  
  full stderr:
  warning: Miri does not support optimizations. If you have enabled optimizations by selecting a Cargo profile (such as --release) which changes other profile settings such as whether debug assertions and overflow checks are enabled, those settings are still applied.
  
  warning: You have explicitly enabled MIR optimizations, overriding Miri's default which is to completely disable them. Any optimizations may hide UB that Miri would otherwise detect, and it is not necessarily possible to predict what kind of UB will be missed. If you are enabling optimizations to make Miri run faster, we advise using cfg(miri) to shrink your workload instead. The performance benefit of enabling MIR optimizations is usually marginal at best.
  
  error: Undefined Behavior: attempting a write access using <2768> at alloc1530[0x0], but that tag does not exist in the borrow stack for this location
    --> tests/pass/stacked-borrows/stacked-borrows.rs:57:9
     |
  LL |         *xraw = 4;
     |         ^^^^^^^^^
     |         |
     |         attempting a write access using <2768> at alloc1530[0x0], but that tag does not exist in the borrow stack for this location
     |         this error occurs as part of an access at alloc1530[0x0..0x4]
     |
     = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
     = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
  help: <2768> was created by a Unique retag at offsets [0x0..0x4]
    --> tests/pass/stacked-borrows/stacked-borrows.rs:52:16
     |
  LL |     let xref = &mut x;
     |                ^^^^^^
  help: <2768> was later invalidated at offsets [0x0..0x4] by a SharedReadOnly retag
    --> tests/pass/stacked-borrows/stacked-borrows.rs:54:16
     |
  LL |     let xshr = &*xref;
     |                ^^^^^^
     = note: BACKTRACE (of the first span):
     = note: inside `mut_raw_then_mut_shr` at tests/pass/stacked-borrows/stacked-borrows.rs:57:9: 57:18
  note: inside `main`
    --> tests/pass/stacked-borrows/stacked-borrows.rs:9:5
     |
  LL |     mut_raw_then_mut_shr();
     |     ^^^^^^^^^^^^^^^^^^^^^^
  
  note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
  
  error: aborting due to previous error; 2 warnings emitted
  
  
  
  FAILURES:
      tests/pass/ptr_raw.rs
      tests/pass/stacked-borrows/stacked-borrows.rs

Given the timing I would guess this is caused by #106285 -- Cc @cjgillot

@RalfJung
Member Author

Cc @rust-lang/wg-mir-opt

@JakobDegen
Contributor

JakobDegen commented May 10, 2023

$ cat test.rs
#![crate_type = "lib"]

pub fn mut_raw_then_mut_shr() -> (i32, i32) {
    let mut x = 2;
    let xref = &mut x;
    let xraw = &mut *xref as *mut _;
    let xshr = &*xref;
    let a = *xshr;
    unsafe {
        *xraw = 4;
    }
    (a, x)
}
$ rustc +master -Zdump-mir=all test.rs -Zmir-opt-level=0 -Zmir-enable-passes=+ReferencePropagation -Cdebug-assertions=no

With storage statements and some other crap removed, this:

_1 = const 2_i32;
_2 = &mut _1;
_5 = &mut (*_2);
_4 = &raw mut (*_5);
_3 = _4;
_6 = &(*_2);
_7 = (*_6);
(*_3) = const 4_i32;
_10 = _1;

Is turned into:

_1 = const 2_i32;
_2 = &mut _1;
_5 = &mut _1;
_4 = &raw mut (*_2);
_3 = _4;
_6 = &_1;
_7 = (*_2);
(*_5) = const 4_i32;
_10 = _1;

The logic that checks for complete replacement of _2 seems buggy.

I have not checked the other test.
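
Added example, not part of the comment above and not rustc or Miri code: a toy Stacked Borrows model for one memory location, in Rust, that replays the two MIR listings from that comment. The `Op` encoding, the tag numbering and the simplified pop rules are assumptions of this example; Miri's real rules have more cases.

```rust
// Added example: toy Stacked Borrows model for the single location `_1` (simplified).
use std::collections::HashMap;
#[derive(Clone, Copy, PartialEq)]
enum Perm { Unique, SharedRW, SharedRO }

#[derive(Clone, Copy)] // Retag(dst, via, perm); Assign(dst, src); Read(via); Write(via)
enum Op { Retag(u32, u32, Perm), Assign(u32, u32), Read(u32), Write(u32) }

// The tag must still be in the stack; a write pops all above it, a read only Unique items.
fn access(stack: &mut Vec<(u32, Perm)>, tag: u32, write: bool) -> Option<()> {
    let pos = stack.iter().rposition(|&(t, p)| t == tag && !(write && p == Perm::SharedRO))?;
    if write {
        stack.truncate(pos + 1);
    } else {
        let mut idx = 0;
        stack.retain(|&(_, p)| { idx += 1; idx <= pos + 1 || p != Perm::Unique });
    }
    Some(())
}

// Err(i) means statement i used a tag that is no longer in the borrow stack.
fn run(prog: &[Op]) -> Result<(), usize> {
    let mut stack = vec![(0u32, Perm::Unique)];     // tag 0: the local `_1` itself
    let mut tag_of = HashMap::from([(1u32, 0u32)]); // local -> tag it carries
    for (i, op) in prog.iter().enumerate() {
        match *op {
            Op::Assign(dst, src) => { let t = tag_of[&src]; tag_of.insert(dst, t); }
            Op::Read(via) => access(&mut stack, tag_of[&via], false).ok_or(i)?,
            Op::Write(via) => access(&mut stack, tag_of[&via], true).ok_or(i)?,
            Op::Retag(dst, via, perm) => {
                access(&mut stack, tag_of[&via], perm != Perm::SharedRO).ok_or(i)?;
                stack.push((dst, perm)); // assumption: the new tag is the local's number
                tag_of.insert(dst, dst);
            }
        }
    }
    Ok(())
}

fn before() -> Vec<Op> { // the nine MIR statements before ReferencePropagation
    use Op::*; use Perm::*;
    vec![Write(1), Retag(2, 1, Unique), Retag(5, 2, Unique), Retag(4, 5, SharedRW),
         Assign(3, 4), Retag(6, 2, SharedRO), Read(6), Write(3), Read(1)]
}
fn after() -> Vec<Op> { // the nine statements the pass produced
    use Op::*; use Perm::*;
    vec![Write(1), Retag(2, 1, Unique), Retag(5, 1, Unique), Retag(4, 2, SharedRW),
         Assign(3, 4), Retag(6, 1, SharedRO), Read(2), Write(5), Read(1)]
}
fn main() { println!("before: {:?}, after: {:?}", run(&before()), run(&after())); }
```

In this model the original sequence is accepted, while the rewritten one is rejected at statement 3 (`_4 = &raw mut (*_2)`, counting from 0), because `_5 = &mut _1` has already popped the tag carried by `_2`.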

@jyn514 jyn514 added regression-from-stable-to-nightly Performance or correctness regression from stable to nightly. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness requires-nightly This issue requires a nightly compiler in some way. A-mir-opt Area: MIR optimizations labels May 10, 2023
@jyn514
Member

jyn514 commented May 10, 2023

Is there any way to enable mir-opt-level=4 on stable?

@JakobDegen
Contributor

I believe there is not

@oli-obk oli-obk removed the regression-from-stable-to-nightly Performance or correctness regression from stable to nightly. label May 11, 2023
Dylan-DPC added a commit to Dylan-DPC/rust that referenced this issue May 11, 2023
Verify copies of mutable pointers in 2 stages in ReferencePropagation

Fixes rust-lang#111422

In the first stage, we mark the copies as reborrows, to be checked later.
In the second stage, we walk the reborrow chains to verify that all stages are fully replaceable.

The replacement itself mirrors the check, and iterates through the reborrow chain.

r? `@RalfJung`
cc `@JakobDegen`
@bors bors closed this as completed in ab18da6 May 12, 2023
bors added a commit to rust-lang-ci/rust that referenced this issue May 12, 2023
update Miri

and run mir-opt-level=4 tests in rustc CI so issues like rust-lang#111422 are caught before they land.

r? `@oli-obk` due to the bootstrap changes