Closed
Description
Fuzzer generated MIR, reduced, and UB-free under Miri (for real this time 😅)
#![feature(custom_mir, core_intrinsics)]
extern crate core;
use core::intrinsics::mir::*;
/// Reduced reproducer body, written as custom MIR (dialect "runtime", phase "initial").
///
/// Builds an `Adt55` as `Variant1`, re-tags it as variant 0, stores the address of the
/// local `_1` in variant 0's pointer field, then passes that field to `fn19`.
#[custom_mir(dialect = "runtime", phase = "initial")]
fn fn4() {
    mir! {
        let _1: isize;
        let _12: Adt55;
        let unit: ();
        {
            // Start as Variant1 with both integer fields set to the constant 0.
            _12 = Adt55::Variant1 { fld0: 0, fld1: 0};
            // Switch the active variant to index 0 (Variant0, the pointer variant).
            SetDiscriminant(_12, 0);
            // Overwrite variant 0's field 0 with a raw pointer to the local `_1`.
            place!(Field::<*mut isize>(Variant(_12, 0), 0)) = core::ptr::addr_of_mut!(_1);
            // The argument is read from the field assigned on the previous line, so the
            // callee should receive the address of `_1`, never a stale value from Variant1.
            Call(unit = fn19(Field::<*mut isize>(Variant(_12, 0), 0)), bb11, UnwindUnreachable())
        }
        bb11 = {
            Return()
        }
    }
}
/// Callee of the reproducer: stores `1` through the raw pointer `_1` and returns.
///
/// The store dereferences the argument without any check. With the `0x0` argument shown in
/// the after-ConstProp dump this is presumably the access behind the reported segfault.
#[custom_mir(dialect = "runtime", phase = "initial")]
pub fn fn19(mut _1: *mut isize) {
    mir! {
        {
            // Unchecked write through the caller-supplied pointer.
            (*_1) = 1;
            Return()
        }
    }
}
/// Entry point: runs the reproducer, then prints "here".
pub fn main() {
    fn4();
    // Only reached when `fn4` returns normally, so the line doubles as a success marker.
    println!("here");
}
/// Two-variant enum used by the reproducer.
///
/// `fn4` constructs it as `Variant1`, then sets the discriminant to 0 and writes
/// `Variant0`'s pointer field in the same place.
#[derive(Debug, Copy, Clone)]
pub enum Adt55 {
    /// Variant index 0: a single raw pointer.
    Variant0 { fld0: *mut isize },
    /// Variant index 1: two plain integers, both initialised to 0 by `fn4`.
    Variant1 { fld0: u8, fld1: u64 },
}
Segfaults with `ConstProp` enabled:
$ rustc -Zmir-opt-level=0 -Copt-level=0 -Zmir-enable-passes=+ConstProp repro.rs &&
./repro
Segmentation fault (core dumped)
The call argument `Field::<*mut isize>(Variant(_12, 0), 0)`, which is a valid pointer, somehow got propagated as 0:
// MIR for `fn4` before ConstProp
// NOTE(review): baseline dump. The call operand is still the place that the preceding
// statement assigns, so the callee receives `&raw mut _1`.
fn fn4() -> () {
    let mut _0: ();
    let mut _1: isize;
    let mut _2: Adt55;
    let mut _3: ();
    bb0: {
        // NOTE(review): both Variant1 fields are constants here.
        _2 = Adt55::Variant1 { fld0: const 0_u8, fld1: const 0_u64 };
        discriminant(_2) = 0;
        // NOTE(review): variant#0's field 0 is overwritten with a non-constant address.
        ((_2 as variant#0).0: *mut isize) = &raw mut _1;
        _3 = fn19(((_2 as variant#0).0: *mut isize)) -> [return: bb1, unwind unreachable];
    }
    bb1: {
        return;
    }
}
// MIR for `fn4` after ConstProp
// NOTE(review): identical to the "before" dump except for the operand of the `fn19` call.
fn fn4() -> () {
    let mut _0: ();
    let mut _1: isize;
    let mut _2: Adt55;
    let mut _3: ();
    bb0: {
        _2 = Adt55::Variant1 { fld0: const 0_u8, fld1: const 0_u64 };
        discriminant(_2) = 0;
        ((_2 as variant#0).0: *mut isize) = &raw mut _1;
        // NOTE(review): the operand is now the constant 0x0 although the statement above
        // stores `&raw mut _1` into the same place. Presumably the zero is carried over from
        // the Variant1 constants assigned at the top of bb0 — confirm against the pass itself.
        _3 = fn19(const {0x0 as *mut isize}) -> [return: bb1, unwind unreachable];
    }
    bb1: {
        return;
    }
}