
Segfault from mir-opt-level >= 3 (EnumSizeOpt) #118283

Closed as not planned
@cbeuw


Fuzzer-generated custom MIR. Apologies, I couldn't reduce it much further:

#![feature(custom_mir, core_intrinsics)]
#![allow(unused_parens, unused_assignments)]
extern crate core;
use core::intrinsics::mir::*;

/// Prints the marker line `here`.
///
/// `fn0` calls this from its `bb10`, which is only reached after the call to
/// `fn1` has returned, so the marker shows that execution got past `fn1`.
fn print() {
    println!("here");
}
/// Entry function of the reproducer, written as custom runtime-dialect MIR.
///
/// Calls `fn1` and stores the result in `RET.fld7.2`, then calls `print`, then
/// returns. No other field of the returned `Adt58` is assigned in this body.
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn0() -> Adt58 {
    mir! {
    type RET = Adt58;
    let _26: ();
    {
    // Entry block: the call destination is a projection into the return place,
    // not a whole local.
    Call(RET.fld7.2 = fn1(), bb10, UnwindUnreachable())
    }
    bb10 = {
    // Reached only once fn1 has returned; prints the "here" marker.
    Call(_26 = print(), bb11, UnwindUnreachable())
    }
    bb11 = {
    Return()
    }

    }
}
/// Initialises the returned tuple and hands `fn6` a raw pointer into it.
///
/// `RET.0` is set to a constant `(usize, u32, isize)`, a `*mut isize` to its
/// third element is stored in `_12.fld0.0`, and that pointer is passed to
/// `fn6`. `fn6` reads through the pointer and forwards it to `fn7`, which
/// writes through it, so this function's return place is modified by its
/// callees via the raw pointer.
#[custom_mir(dialect = "runtime", phase = "initial")]
fn fn1() -> ((usize, u32, isize),) {
    mir! {
    type RET = ((usize, u32, isize),);
    let r: isize;
    let _12: Adt58;
    {
    RET.0 = (5_usize, 3938888967_u32, 121_isize);
    // Only this one field of the local `_12` is ever assigned; it holds a
    // pointer into the return place.
    _12.fld0.0 = core::ptr::addr_of_mut!(RET.0.2);
    // `r` receives fn6's result but is not read afterwards.
    Call(r = fn6(_12.fld0.0), bb2, UnwindUnreachable())
    }
    bb2 = {
    Return()
    }
    }
}
/// Custom-MIR function that reads through `_1`, fills parts of an `Adt63`
/// local, calls `fn7` with `_1` passed for both parameters, and returns.
///
/// `RET` is never assigned in this body, and the locals `_23` and `_26` are
/// read in `bb7` without any assignment in this function.
/// NOTE(review): whether those unassigned reads play a part in the reported
/// segfault is not established by anything on this page.
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn6(mut _1: *mut isize) -> isize {
    mir! {
    let _6: *mut isize;
    let _11: [i8; 8];
    let _12: isize;
    let _19: Adt63;
    let _20: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64);
    let _23: (u128, [i128; 2]);
    let _24: Adt49;
    let _26: f32;
    {
    // Keep a copy of the incoming pointer; bb5 restores `_1` from it.
    _6 = _1;
    Goto(bb1)
    }
    bb1 = {
    // Two reads of the pointee: negate it, then reinterpret its bytes.
    _12 = -(*_1);
    // NOTE(review): isize -> [i8; 8] assumes an 8-byte isize (64-bit target) — confirm.
    Call(_11 = core::intrinsics::transmute((*_1)), bb5, UnwindUnreachable())
    }
    bb5 = {
    // Field-by-field writes into `_19`; `_19` is never assigned as a whole.
    _19.fld5.fld7.1 = (15794702092393743318_usize, 3565415235_u32, _12);
    _19.fld5.fld7.2.0 = _19.fld5.fld7.1;
    _1 = _6;
    _20.2 = _19.fld5.fld7.2;
    // The scrutinee is the usize stored at the top of this block, which is the
    // second arm's constant, so the visible values select bb6.
    match _20.2.0.0 {
    0 => bb1,
    15794702092393743318 => bb6,
    _ => bb5
    }
    }
    bb6 = {
    _19.fld5.fld5 = _20.2.0.0;
    // The same raw pointer is passed twice, so fn7's `_1` and `_2` alias.
    Call(_19.fld5.fld7.3 = fn7(_1, _1), bb7, UnwindUnreachable())
    }
    bb7 = {
    // `_23` (and therefore `_23.0`) has no assignment in this function.
    _24 = Adt49::Variant0 { fld0: _19.fld5.fld5,fld1: _23,fld2: _23.0,fld3: 0 };
    // `_26` has no assignment in this function either.
    _19.fld0 = Adt60::Variant3 { fld0: 0,fld1: (-2414910124516489307_i64),fld2: 10387225622116096231080460783541968851_i128,fld3: _26,fld4: 275_i16 };
    // Re-points `_6` at a field of the local `_19`; `_6` is only read in bb5.
    _6 = core::ptr::addr_of_mut!(_19.fld5.fld7.1.2);
    _19.fld5.fld0 = (_1,);
    Goto(bb8)
    }
    bb8 = {
    // Reads back field index 2 (`fld2: i128`) of the Variant3 written in bb7.
    match Field::<i128>(Variant(_19.fld0, 3), 2) {
    10387225622116096231080460783541968851 => bb10,
    _ => bb5
    }
    }
    bb10 = {
    // Reads back field index 0 (`fld0: usize`) of the Adt49::Variant0 written in bb7.
    match Field::<usize>(Variant(_24, 0), 0) {
    15794702092393743318 => bb11,
    _ => bb5
    }
    }
    bb11 = {
    Return()
    }

    }
}
/// Straight-line custom-MIR function that writes through both pointer
/// parameters, fills parts of a local `Adt63`, and returns a `u64`.
///
/// The only visible caller (`fn6`) passes the same pointer for `_1` and `_2`,
/// so the stores through `(*_1)` and `(*_2)` hit the same location there.
/// Several stores to `_7` are overwritten before being read.
/// The last block projects into variant index 1 of `_21.fld0` although no
/// statement in this function assigns `_21.fld0` as a whole, and it reads
/// `_12` and a variant field that have no visible assignment.
/// NOTE(review): whether any of this matters to the reported segfault is not
/// established by anything on this page.
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn7(
    mut _1: *mut isize,
    mut _2: *mut isize,
) -> u64 {
    mir! {
    let _7: (u8, (*mut isize,), i16, i8, i64, (usize, u32, isize));
    let _8: f64;
    let _10: f32;
    let _11: i32;
    let _12: [i128; 2];
    let _13: isize;
    let _14: isize;
    let _17: ((isize, f64), i8);
    let _20: isize;
    let _21: Adt63;
    {
    _7.4 = !3370110814453801772_i64;
    _7.5.0 = 7_usize & 1304353824105351931_usize;
    _8 = 0.;
    _7.5.2 = _8 as isize;
    _7.5 = (3302905616188524396_usize, 1150340430_u32, (-9223372036854775808_isize));
    _7.1.0 = core::ptr::addr_of_mut!((*_2));
    _7.5.2 = _8 as isize;
    _7.2 = -29299_i16;
    _7.3 = 40_i8;
    _7.2 = (-1339_i16);
    // The product of these two constants does not fit in i8.
    // NOTE(review): presumably the MIR multiply wraps here — confirm.
    _7.3 = (-44_i8) * (-68_i8);
    // Pointer to a field of `_7` stored inside `_7` itself; overwritten below.
    _7.1.0 = core::ptr::addr_of_mut!(_7.5.2);
    _7.5 = (6_usize, 1690308138_u32, (-9223372036854775808_isize));
    _7.0 = 227_u8;
    _7.4 = (-8049829723332252308_i64);
    _7.3 = _7.0 as i8;
    _7.5.2 = 9223372036854775807_isize;
    _7.0 = 207_u8;
    // First store through a caller-supplied pointer.
    (*_2) = _7.0 as isize;
    RET = 0;
    _7.3 = _7.5.1 as i8;
    _7.1 = (_1,);
    _7.5 = (3231788080604669159_usize, 268874823_u32, (-9223372036854775808_isize));
    _7.1 = (_2,);
    (*_2) = (-9223372036854775808_isize);
    _10 = (*_2) as f32;
    _7.1 = (_2,);
    _7.5.1 = 1559352357_u32;
    // isize::MAX minus isize::MIN does not fit in isize.
    // NOTE(review): presumably the MIR subtract wraps here — confirm.
    (*_1) = 9223372036854775807_isize - (-9223372036854775808_isize);
    _7.5 = (12370566778207505070_usize, 1393399085_u32, (-59_isize));
    _7.5.0 = 1_usize & 5_usize;
    _7.2 = !17549_i16;
    _7.5.0 = !2_usize;
    _13 = !(*_2);
    // Narrowing cast from an i128 constant to isize.
    _17.0.0 = (-159775293299709533892712067148515424088_i128) as isize;
    _7.1.0 = _2;
    _14 = _7.5.2;
    Call(_7.5.2 = core::intrinsics::bswap(_14), bb7, UnwindUnreachable())
    }
    bb7 = {
    _7.1.0 = _2;
    _7.5.0 = 0_usize & 5_usize;
    (*_2) = _7.3 as isize;
    _7.0 = !14_u8;
    _7.3 = RET as i8;
    // Reinterprets the i64 in `_7.4` as an isize and stores it through `_2`.
    // NOTE(review): assumes an 8-byte isize (64-bit target) — confirm.
    Call((*_2) = core::intrinsics::transmute(_7.4), bb8, UnwindUnreachable())
    }
    bb8 = {
    _7.0 = !188_u8;
    _20 = !_7.5.2;
    _7.2 = _10 as i16;
    _11 = !585373290_i32;
    (*_2) = _17.0.0 * _17.0.0;
    // From here on `_21` is filled field by field; it is never assigned as a whole.
    _21.fld2.0 = [(-78467358730145228102713254453611538061_i128),(-76811762829508806080346431520353784840_i128)];
    _21.fld5.fld7.1.1 = _7.5.1 % _7.5.1;
    _21.fld5.fld7.2.0.1 = !_21.fld5.fld7.1.1;
    _21.fld5.fld5 = _7.5.0 & _7.5.0;
    // Raw pointer to a field of the local `_7`, kept only inside the local `_21`.
    _21.fld4 = core::ptr::addr_of!(_7.2);
    // Last store through a caller-supplied pointer in this function.
    (*_2) = !_20;
    _21.fld2.1.1 = _21.fld5.fld7.1.1;
    _21.fld5.fld7.1.2 = _11 as isize;
    _21.fld5.fld7.1 = _7.5;
    _21.fld5.fld7.2.0.0 = _21.fld5.fld7.1.0 + _21.fld5.fld7.1.0;
    _21.fld2.1.1 = !_21.fld5.fld7.2.0.1;
    _21.fld5.fld7.2.0 = (_7.5.0, _7.5.1, _13);
    _21.fld2.1 = (_21.fld5.fld7.2.0.0, _7.5.1, _7.5.2);
    // The remaining statements project into variant index 1 of `_21.fld0`
    // (Adt60::Variant1); nothing in this function assigns `_21.fld0` itself.
    place!(Field::<(((usize, u32, isize),),)>(Variant(_21.fld0, 1), 4)).0.0 = (_21.fld2.1.0, _21.fld5.fld7.2.0.1, _14);
    // Moves the `Adt53` out of that variant's `Adt58` field; no visible
    // statement has written it.
    _21.fld5.fld4 = Move(Field::<Adt58>(Variant(_21.fld0, 1), 3).fld4);
    // `_12` has no assignment in this function.
    place!(Field::<Adt58>(Variant(_21.fld0, 1), 3)).fld7 = (_12, Field::<(((usize, u32, isize),),)>(Variant(_21.fld0, 1), 4).0.0, _21.fld5.fld7.2, RET);
    // The returned value is the usize element of the tuple stored just above.
    RET = Field::<Adt58>(Variant(_21.fld0, 1), 3).fld7.1.0 as u64;
    _21.fld5.fld2 = core::ptr::addr_of!(place!(Field::<i128>(Variant(_21.fld0, 1), 1)));
    Return()
    }

    }
}
/// Runs the reproducer by calling `fn0`; the returned `Adt58` is discarded.
pub fn main() {
    fn0();
}
/// Two-variant enum used as the type of local `_24` in `fn6`.
///
/// `fn6` builds `Variant0` in its `bb7` and reads `fld0` back in `bb10`.
#[derive(Debug, Copy, Clone)]
pub enum Adt49 {
    // The only variant that carries data.
    Variant0 {
        fld0: usize,
        fld1: (u128, [i128; 2]),
        fld2: u128,
        fld3: u16,
    },
    // Field-less variant; not constructed in the visible code.
    Variant1 {},
}
/// Plain data struct; its only visible use is as the payload of
/// `Adt53::Variant0`.
#[derive(Debug)]
pub struct Adt51 {
    // Same tuple type as `Adt58::fld7` and `Adt63::fld2`.
    fld2: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
    fld3: [i128; 6],
}
/// Empty struct; not referenced anywhere else in the visible reproducer.
#[derive(Debug)]
pub struct Adt52 {}
/// Three-variant enum used as the type of `Adt58::fld4`.
///
/// Only `Variant0` carries data (an `Adt51`); the other two variants are
/// field-less.
#[derive(Debug)]
pub enum Adt53 {
    Variant0 { fld3: Adt51 },
    Variant1 {},
    Variant2 {},
}
/// Empty struct; not referenced anywhere else in the visible reproducer.
#[derive(Debug)]
pub struct Adt56 {}
/// Return type of `fn0`; also embedded in `Adt60::Variant1` and `Adt63`.
///
/// Holds raw pointers (`fld0`, `fld2`) alongside plain data, so a value of
/// this type can carry addresses of other functions' locals.
#[derive(Debug)]
pub struct Adt58 {
    // `fn1` stores a pointer into its own return place here; `fn6` stores its
    // pointer argument here.
    fld0: (*mut isize,),
    fld1: (bool,),
    fld2: *const i128,
    fld4: Adt53,
    fld5: usize,
    // `fn0` writes only the `.2` element of this tuple (the result of `fn1`).
    fld7: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
}
/// Four-variant enum used as the type of `Adt63::fld0`.
///
/// `fn6` constructs `Variant3`; `fn7` projects into variant index 1
/// (`Variant1`) without constructing it.
/// NOTE(review): `Variant1` embeds a whole `Adt58` while the other variants
/// are small or empty; the issue title names EnumSizeOpt, so this size
/// disparity is presumably relevant — not confirmed on this page.
#[derive(Debug)]
pub enum Adt60 {
    Variant0 {},
    Variant1 {
        fld0: [u64; 2],
        fld1: i128,
        fld2: usize,
        fld3: Adt58,
        fld4: (((usize, u32, isize),),),
    },
    Variant2 {},
    Variant3 {
        fld0: u16,
        fld1: i64,
        // Read back by `fn6` in its `bb8` switch.
        fld2: i128,
        fld3: f32,
        fld4: i16,
    },
}
/// Aggregate used as the type of local `_19` in `fn6` and `_21` in `fn7`.
///
/// Both functions fill it field by field; neither assigns a whole `Adt63`.
#[derive(Debug)]
pub struct Adt63 {
    fld0: Adt60,
    fld2: ([i128; 2], (usize, u32, isize), ((usize, u32, isize),), u64),
    // `fn7` stores the address of one of its own locals here.
    fld4: *const i16,
    fld5: Adt58,
}
$ rustc -Zmir-opt-level=2 -Copt-level=2 repro.rs && ./repro
here
$ rustc -Zmir-opt-level=3 -Copt-level=2 repro.rs && ./repro
Segmentation fault (core dumped)

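(the segfault occurs when running the compiled program, not in the compiler itself: the binary built with -Zmir-opt-level=3 crashes, while the one built with -Zmir-opt-level=2 prints "here")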

Miri reports no UB under Tree Borrows.

$ rustc --version -v
rustc 1.76.0-nightly (a1a37735c 2023-11-23)
binary: rustc
commit-hash: a1a37735cbc3db359d0b24ba9085c9fcbe1bc274
commit-date: 2023-11-23
host: x86_64-unknown-linux-gnu
release: 1.76.0-nightly
LLVM version: 17.0.5
