UB found using rustlantis
#689
Labels
bug
Something isn't working
Comments
|
Managed to reproduce the issue in surface-level unsafe Rust(as opposed to MIR generated by Now, I will try to reproduce it in safe Rust. |
|
Reproducer in fully safe rust: use std::fmt::Debug;
#[inline(never)]
fn dump_var(f: usize, var2: usize, val2: impl Debug) {
println!("fn{f}:_{var2} = {val2:?}");
}
pub fn fn2(
mut _2: i16,
mut _3: i32,
mut _4: u32,
mut _5: u32,
mut _6: isize,
mut _8: isize,
mut _9: u32,
mut _10: bool,
) -> isize {
let mut RET: isize = Default::default();
let mut _11: u16 = Default::default();
let mut _12: (f32, (), u64) = Default::default();
let mut _15: u64 = Default::default();
let mut _16: f64 = Default::default();
let mut _17: (Adt38, u64, f32, u16) = (Default::default(), 0, 0.0, 0);
_4 = !_9;
RET = _8;
let mut _1 = &mut _8;
_9 = _4;
_11 = 50919;
_10 = false;
_4 = _5;
_12.0 = 0.0;
_1 = &mut _6;
loop {
_12.2 = (-164714684559875379919518575010379717139_i128) as u64;
_17.2 = 0.0;
let tmp = _10;
_17.3 = !_11;
_4 = !_9;
_15 = _12.2 << _8;
_16 = (-3256106608463376368_i64) as f64;
_8 = RET >> _3;
match _5 {
0 => return RET,
1705677637 => {
(*_1) = 1;
(*_1) = 0;
_11 = _17.3;
_1 = &mut _6;
_17.0.fld1 = _11 as u8;
fn3(_17.0, (_17));
}
_ => return RET,
}
let tmp = !_10;
_17.2 = 0.0;
_3 = core::hint::black_box(1) * 942_i32;
_17.2 = _11 as f32;
_4 = _5;
_5 = _5 & _9;
match _4 {
1705677637 => return RET,
_ => continue,
}
}
}
#[inline(never)]
pub fn fn3(mut arg1: Adt38, mut arg2: (Adt38, u64, f32, u16)) -> isize {
let _33 = !(arg1.fld1) as isize;
dump_var(3_usize, 33_usize, (_33));
return 1;
}
pub fn main() {
let mut _13 = '\u{9f647}' as isize;
let _1 = &mut _13;
let a = true;
let _2 = '\u{f2e32}' as i16;
let _3 = 1705677637_u32;
let _11 = !(-69_isize);
let _6 = (-579835010_i32) & (-913890743_i32);
let _4 = _2 as i8;
println!("{:?}", _11);
fn2(_2, _6, _3, _3, _11, _11, _3, a);
}
#[derive(Debug, Copy, Clone, Default)]
pub struct Adt38 {
fld0: bool,
fld1: u8,
}It seems like I was wrong about the decoy blocks: they don't get executed, but are still needed to confuse GCC. |
|
Reduced the issue down to 50 LOC, with only use std::fmt::Debug;
#[inline(never)]
fn dump_var(f: usize, var2: usize, val2: impl Debug) {
println!("fn{f}:_{var2} = {val2:?}");
}
pub fn fn2(mut arg: u8) -> isize {
let mut mut_int = 0;
let mut adt1: Adt1 = Default::default();
loop {
let mut tmp = !mut_int;
match arg {
0 => return 0,
1 => {
mut_int = 1;
adt1.a.fld1 = tmp as u8;
fn3(adt1.a, adt1);
}
_ => return 0,
}
// Needed to prevent an ealier opt pass from seeing arg does not change(?).
core::hint::black_box(());
arg = arg & arg;
match arg {
1 => return 0,
_ => continue,
}
}
}
#[inline(never)]
pub fn fn3(arg1: Adt38, arg2: Adt1) {
dump_var(3_usize, 33_usize, (!(arg1.fld1) as isize));
}
pub fn main() {
fn2(1);
}
#[derive(Debug, Copy, Clone, Default)]
#[repr(C)]
struct Adt1 {
a: Adt38,
unused: [u8; 2],
}
#[derive(Debug, Copy, Clone, Default)]
#[repr(C)]
pub struct Adt38 {
fld0: u8,
fld1: u8,
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Uh oh!
There was an error while loading. Please reload this page.
This Rust program (which runs fine under MIRI) produces different results in GCC debug mode(result same as LLVM) and GCC release mode(incorrect result).
The sample is currently ~140 LOC, I am working on reducing it further.
Some interesting observations: it seems like the problem is related to pointers, and the control flow is different in release GCC(a "decoy" block gets executed, while it should never be).
The text was updated successfully, but these errors were encountered: