Rust: Segfaults/corruption when reading an enum in release mode

Can't reproduce with rustc 1.48.0-nightly (381b445ff 2020-09-29).

I don’t have MacOS, so I can’t test this myself easily. Here’s some tags though:
@rustbot modify labels: O-macos, T-compiler, E-needs-mcve. And someone might wanna add I-unsound.

_Edit:_ To clarify, I’m not seeing any segfault on Windows or Linux (both 7f7a1cbfd 2020-09-27). Oddly enough, I’m getting Edge(Some(NotUsed)) on Windows, and Edge(Some(Locator)) on Linux. And I get Edge(Some(LocatorLabel)) without --release on both (also with --release on stable or beta or in miri, for that matter). Is this program supposed to be deterministic?

@cormacrelf Perhaps you could test your less minimized version on Linux or Windows if you have access to those (since you said “the segfault started to change a bit”, so maybe the original version also segfaults on e.g. Linux).

Yes, the program is deterministic. I have seen similar wrong variants as well in the original code on macOS, so I'll go out in a limb and say that's the same bug on Linux. I can run a docker image if you like but I think you've already found it. The fragility I was referring to was in terms of "add a debug statement or delete some line, the issue goes away or pops up on a different input instead". But once you have it it produces the same segfault again and again. Given the complexity of the repro I'm not surprised that platform differences including calling conventions etc would affect reproducibility.

I did run in Miri and it didn't find anything amiss, and produced correct output, ie the full Edge(Some(LocatorLabel)).

@bjorn3 Yeah I should have made it more obvious about macOS. I can still reproduce with:

rustc 1.48.0-nightly (7f7a1cbfd 2020-09-27)
binary: rustc
commit-hash: 7f7a1cbfd3b55daee191247770627afab09eece2
commit-date: 2020-09-27
host: x86_64-apple-darwin
release: 1.48.0-nightly
LLVM version: 11.0

Okay, I guess if it is supposed to be deterministic, this means I can then confirm the problem for linux and windows. I’m currently trying to reduce the example further, keeping the different behavior between --release and debug on linux. @rustbot modify labels: -O-macos

Just got a segfault on Linux with a reduced example.

SimplifyArmIdentity moves an assignment to a local before StorageLive:

fn main() {
    f(None);
}

pub enum A {
    X,
    Y,
}

pub enum B {
    B(Option<A>),
}

pub fn f(a: Option<A>) -> B {
    if let Some(x) = a {
        let y = x;
        return B::B(Some(y));
    }
    B::B(None)
}

--- main.f.005-007.SimplifyArmIdentity.before.mir
+++ main.f.005-007.SimplifyArmIdentity.after.mir
@@ -1,2 +1,2 @@
-// MIR for `f` before SimplifyArmIdentity
+// MIR for `f` after SimplifyArmIdentity

@@ -13,6 +13,6 @@
     scope 1 {
-        debug x => _4;                   // in scope 1 at src/main.rs:15:17: 15:18
+        debug x => ((_7 as Some).0: A);  // in scope 1 at src/main.rs:15:17: 15:18
         let _6: A;                       // in scope 1 at src/main.rs:16:13: 16:14
         scope 2 {
-            debug y => _6;               // in scope 2 at src/main.rs:16:13: 16:14
+            debug y => ((_7 as Some).0: A); // in scope 2 at src/main.rs:16:13: 16:14
         }
@@ -47,9 +47,4 @@
         StorageLive(_6);                 // scope 1 at src/main.rs:16:13: 16:14
-        _6 = move _4;                    // scope 1 at src/main.rs:16:17: 16:18
+        _7 = move _1;                    // scope 2 at src/main.rs:17:21: 17:28
         StorageLive(_7);                 // scope 2 at src/main.rs:17:21: 17:28
-        StorageLive(_8);                 // scope 2 at src/main.rs:17:26: 17:27
-        _8 = move _6;                    // scope 2 at src/main.rs:17:26: 17:27
-        ((_7 as Some).0: A) = move _8;   // scope 2 at src/main.rs:17:21: 17:28
-        discriminant(_7) = 1;            // scope 2 at src/main.rs:17:21: 17:28
-        StorageDead(_8);                 // scope 2 at src/main.rs:17:27: 17:28
         ((_0 as B).0: std::option::Option<A>) = move _7; // scope 2 at src/main.rs:17:16: 17:29

cc @wesleywiser

The label regression-from-stable-to-nightly might also be appropriate.

A slight modification to @tmiasko's repro and it will segfault in release mode:

fn main() {
    println!("{:?}", f(Some(A::Y)));
}

#[derive(Eq, Debug, PartialEq)]
pub enum A {
    X(String),
    Y,
}

#[derive(Eq, Debug, PartialEq)]
pub enum B {
    B(Option<A>),
}

pub fn f(a: Option<A>) -> B {
    if let Some(x) = a {
        let y = x;
        return B::B(Some(y));
    }
    B::B(None)
}

I can open a PR disabling this optimization so this doesn't hit beta next week.

Marking this as P-critical based on the wg-prioritization discussion

We can probably turn bugs like this into ICEs by extending the MIR validator (unless another optimization interferes before this hits codegen)

Because I didn’t feel like aborting my own minimization attempt, here’s the (heavily) reduced version of OPs example that I got:

#[derive(Debug)]
enum MyEnum {
    Variant1(Vec<u8>),
    Variant2,
    Variant3,
    Variant4,
}

fn f(arg1: &bool, arg2: &bool, arg3: bool) -> MyStruct {
    if *arg1 {
        println!("{:?}", f(&arg2, arg2, arg3));
        MyStruct(None)
    } else {
        match if arg3 { Some(MyEnum::Variant3) } else { None } {
            Some(t) => {
                let ah = t;
                return MyStruct(Some(ah));
            }
            _ => MyStruct(None)
        }
    }
}

#[derive(Debug)]
struct MyStruct(Option<MyEnum>);

fn main() {
    let arg1 = true;
    let arg2 = false;
    f(&arg1, &arg2, true);
}

Causing a segfault on linux with nightly.

@wesleywiser Your modified example does not consistently segfault. It only does so for nightlies newer than 2020-09-27 or so. The difference between Some and None being printed _does_ however start from the same commit that OPs bisection identified. (Actually it does not “segfault” at all but gives me an “invalid pointer” error.)

@steffahn

Your modified example does not consistently segfault. It only does so for nightlies newer than 2020-09-27 or so

That sounds about right to me since #76844 should have been in nightly 2020-09-26. Prior to that PR, the mis-optimization was disabled in #76837 which should have been in nightly-2020-09-19 or so. Between ~2020-09-19 and ~2020-09-26 the issue should not appear.

Does your repro work on the playground? When I try it with the nightly available, it works correctly.

We can probably turn bugs like this into ICEs by extending the MIR validator (unless another optimization interferes before this hits codegen)

Opened https://github.com/rust-lang/rust/pull/77369 with an implementation of this. It does indeed catch this miscompilation.

Does your repro work on the playground?

It doesn’t seem to work in the playground. Even the (mostly) untouched original code that OP provided doesn’t fail in the playground. (I.e. it correctly displays Some(LocatorLabel).)

To demonstrate some online reproduction: godbolt.org does show the segfault (exit code 139).

I can reproduce with this playground based on one of the MCVEs:

stderr

   Compiling playground v0.0.1 (/playground)
    Finished release [optimized] target(s) in 0.85s
     Running `target/release/playground`
munmap_chunk(): invalid pointer
timeout: the monitored command dumped core
/playground/tools/entrypoint.sh: line 11:     7 Aborted                 timeout --signal=KILL ${timeout} "$@"

stdout

B(None)

Perhaps change the title of the issue to "... in release mode"?

Is this still open so that the underlying issue is fixed? (The PR to temporarily disable the optimization was merged.)

We should leave this issue open to track fixing the optimization but we can remove some of the tags. Once a nightly goes out with the fix, we should also confirm it's no longer repros on the nightly channel. (I was going to wait for that confirmation before changing any labels)

Both repros work correctly on the latest nightly (2020-10-02), so I'm adjusting the tags accordingly. Thanks @cormacrelf for reporting this issue!

@wesleywiser Did you mean to remove P-critical?

@camelid Yeah