Rust 1.54.0 optimized compilation overwrites stack variable, causing segfault

[indygreg]

I am able to reliably reproduce a crash on x86_64-unknown-linux-gnu when building in --release mode with 1.54.0. The same code and build configuration works properly on 1.53.0.

I'm not a great assembly-level debugger, but I believe the compiler is confused about register/variable aliasing and this effectively leads to corruption of a variable on the stack, which leads to a segfault.

Rust 1.54.0 Analysis

We're about to return from _PyArgv_AsWstrList (from the CPython 3.9 internals):

105     in Python/preconfig.c
   0x0000555555ae1456 <+54>:    mov    %r14,%rdi
   0x0000555555ae1459 <+57>:    call   0x555555ad9020 <_PyWideStringList_Copy>
   0x0000555555ae145e <+62>:    test   %eax,%eax
   0x0000555555ae1460 <+64>:    js     0x555555ae14dc <_PyArgv_AsWstrList+188>

106     in Python/preconfig.c
107     in Python/preconfig.c
108     in Python/preconfig.c
109     in Python/preconfig.c
=> 0x0000555555ae1462 <+66>:    xorps  %xmm0,%xmm0
   0x0000555555ae1465 <+69>:    movups %xmm0,0x10(%r15)
   0x0000555555ae146a <+74>:    movups %xmm0,(%r15)

110     in Python/preconfig.c
   0x0000555555ae146e <+78>:    mov    %r15,%rax
   0x0000555555ae1471 <+81>:    add    $0x20,%rsp
   0x0000555555ae1475 <+85>:    pop    %rbx
   0x0000555555ae1476 <+86>:    pop    %r12
   0x0000555555ae1478 <+88>:    pop    %r13
   0x0000555555ae147a <+90>:    pop    %r14
   0x0000555555ae147c <+92>:    pop    %r15
   0x0000555555ae147e <+94>:    ret

(gdb) info registers
rax            0x5555559e8ae0      93824997034720
rbx            0x7fffffffc530      140737488340272
rcx            0x7ffff7808008      140737345781768
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x1                 0x1
rsp            0x7fffffffc4c0      0x7fffffffc4c0
r8             0x1                 1
r9             0x0                 0
r10            0x0                 0
r11            0x7ffff7809000      140737345785856
r12            0x7fffffffc4d8      140737488340184
r13            0x1                 1
r14            0x7fffffffc848      140737488341064
r15            0x7fffffffc600      140737488340480
rip            0x555555ae1462      0x555555ae1462 <_PyArgv_AsWstrList+66>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

And here's the last few frame pointers.

(gdb) info frame 0
Stack frame at 0x7fffffffc510:
 rip = 0x555555ae1462 in _PyArgv_AsWstrList (Python/preconfig.c:109); saved rip = 0x5555558733f2
 called by frame at 0x7fffffffc570
 source language c.
 Arglist at 0x7fffffffc4b8, args: args=0x7fffffffc530, list=0x7fffffffc848
 Locals at 0x7fffffffc4b8, Previous frame's sp is 0x7fffffffc510
 Saved registers:
  rbx at 0x7fffffffc4e0, r12 at 0x7fffffffc4e8, r13 at 0x7fffffffc4f0, r14 at 0x7fffffffc4f8, r15 at 0x7fffffffc500, rip at 0x7fffffffc508

(gdb) info frame 1
Stack frame at 0x7fffffffc570:
 rip = 0x5555558733f2 in _PyConfig_SetPyArgv (./Python/initconfig.c:2448); saved rip = 0x555555a4c92c
 inlined into frame 2, caller of frame at 0x7fffffffc510
 source language c.
 Arglist at unknown address.
 Locals at unknown address, Previous frame's sp is 0x7fffffffc510
 Saved registers:
  rbx at 0x7fffffffc4e0, r12 at 0x7fffffffc4e8, r13 at 0x7fffffffc4f0, r14 at 0x7fffffffc4f8, r15 at 0x7fffffffc500, rip at 0x7fffffffc508

(gdb) info frame 2
Stack frame at 0x7fffffffc570:
 rip = 0x5555558733f2 in PyConfig_SetBytesArgv (./Python/initconfig.c:2462); saved rip = 0x555555a4c92c
 called by frame at 0x7fffffffc650, caller of frame at 0x7fffffffc570
 source language c.
 Arglist at 0x7fffffffc508, args: config=<optimized out>, argc=<optimized out>, argv=<optimized out>
 Locals at 0x7fffffffc508, Previous frame's sp is 0x7fffffffc570
 Saved registers:
  rbx at 0x7fffffffc550, r14 at 0x7fffffffc558, r15 at 0x7fffffffc560, rip at 0x7fffffffc568

(gdb) info frame 3
Stack frame at 0x7fffffffc650:
 rip = 0x555555a4c92c in pyembed::interpreter_config::set_argv (/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:215);
    saved rip = 0x555555a04e1d
 called by frame at 0x7fffffffcb20, caller of frame at 0x7fffffffc570
 source language rust.
 Arglist at 0x7fffffffc570, args: config=0x0, args=...
 Locals at 0x7fffffffc570, Previous frame's sp is 0x7fffffffc650
 Saved registers:
  rbx at 0x7fffffffc618, rbp at 0x7fffffffc640, r12 at 0x7fffffffc620, r13 at 0x7fffffffc628, r14 at 0x7fffffffc630, r15 at 0x7fffffffc638,
  rip at 0x7fffffffc648

(gdb) info frame 4
Stack frame at 0x7fffffffcb20:
 rip = 0x555555a04e1d in pyembed::interpreter_config::{{impl}}::try_into (/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:592);
    saved rip = 0x555555a49736
 called by frame at 0x7fffffffd9e0, caller of frame at 0x7fffffffc650
 source language rust.
 Arglist at 0x7fffffffc648, args: self=0x7fffffffcff0
 Locals at 0x7fffffffc648, Previous frame's sp is 0x7fffffffcb20
 Saved registers:
  rbx at 0x7fffffffcaf8, r12 at 0x7fffffffcb00, r14 at 0x7fffffffcb08, r15 at 0x7fffffffcb10, rip at 0x7fffffffcb18

(gdb) info frame 5
Stack frame at 0x7fffffffd9e0:
 rip = 0x555555a49736 in pyembed::interpreter::MainPythonInterpreter::init (/home/gps/src/pyoxidizer.git/pyembed/src/interpreter.rs:169);
    saved rip = 0x5555559dde78
 inlined into frame 6, caller of frame at 0x7fffffffcb20
 source language rust.
 Arglist at unknown address.
 Locals at unknown address, Previous frame's sp is 0x7fffffffcb20
 Saved registers:
  rbx at 0x7fffffffcaf8, r12 at 0x7fffffffcb00, r14 at 0x7fffffffcb08, r15 at 0x7fffffffcb10, rip at 0x7fffffffcb18

We eventually crash in frame 4. So let's look at it's state:

(gdb) f 4
#4  0x0000555555a04e1d in pyembed::interpreter_config::{{impl}}::try_into (self=0x7fffffffcff0)
    at /home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:592
592                 set_argv(&mut config, argv)?;
(gdb) info registers
rax            0x5555559e8ae0      93824997034720
rbx            0x7fffffffcff0      140737488343024
rcx            0x7ffff7808008      140737345781768
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x7fffffffd308      0x7fffffffd308
rsp            0x7fffffffc650      0x7fffffffc650
r8             0x1                 1
r9             0x0                 0
r10            0x0                 0
r11            0x7ffff7809000      140737345785856
r12            0x7ffff7d9ff40      140737351647040
r13            0x0                 0
r14            0x7fffffffcc70      140737488342128
r15            0x7fffffffc970      140737488341360
rip            0x555555a04e1d      0x555555a04e1d <pyembed::interpreter_config::{{impl}}::try_into+173>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

Here are the important details:

The instructions we're about to execute are:

0x0000555555ae1462 <+66>:    xorps  %xmm0,%xmm0
0x0000555555ae1465 <+69>:    movups %xmm0,0x10(%r15)
0x0000555555ae146a <+74>:    movups %xmm0,(%r15)

self in frame 4 is 0x7fffffffcff0, which appears to be inhabiting rbx.

The value of r15 is 0x7fffffffc600. This memory address is close to frame 4's arglist and locals (0x7fffffffc648). The value returned by this function is propagating through the intermediate frames to frame 4, which operates on it. So the compiler likely optimized things to a variable write directly into frame 4's locals space. Cool.

Before we execute that movups %xmm0,0x10(%r15), here is the memory we're operating on:

0x7fffffffc600: 0x00000000      0x00000000      0x00000000      0x00000000
0x7fffffffc610: 0x00000000      0x00000000      0xffffcff0      0x00007fff
0x7fffffffc620: 0xf7d9ff40      0x00007fff      0x00000000      0x00000000
0x7fffffffc630: 0xffffcc70      0x00007fff      0xffffc970      0x00007fff
0x7fffffffc640: 0xffffd308      0x00007fff      0x55a04e1d      0x00005555
0x7fffffffc650: 0xffffc8d0      0x00007fff      0x00000000      0x00000000
0x7fffffffc660: 0x00000003      0x00000001      0x00000000      0x00000000

And after:

0x7fffffffc600: 0x00000000      0x00000000      0x00000000      0x00000000
0x7fffffffc610: 0x00000000      0x00000000      0x00000000      0x00000000
0x7fffffffc620: 0xf7d9ff40      0x00007fff      0x00000000      0x00000000
0x7fffffffc630: 0xffffcc70      0x00007fff      0xffffc970      0x00007fff
0x7fffffffc640: 0xffffd308      0x00007fff      0x55a04e1d      0x00005555
0x7fffffffc650: 0xffffc8d0      0x00007fff      0x00000000      0x00000000
0x7fffffffc660: 0x00000003      0x00000001      0x00000000      0x00000000

The change there is:

 0x7fffffffc600: 0x00000000      0x00000000      0x00000000      0x00000000
-0x7fffffffc610: 0x00000000      0x00000000      0xffffcff0      0x00007fff
+0x7fffffffc610: 0x00000000      0x00000000      0x00000000      0x00000000
 0x7fffffffc620: 0xf7d9ff40      0x00007fff      0x00000000      0x00000000

So the 16 bytes between 0x7fffffffc610-0x7fffffffc61f got cleared out. Makes sense: that's what the instructions told it to do.

However, 0x7fffffffc618 contained the saved register value (0x7fffffffcff0) for rbx, holding the address of self. This value is now zeroed.

We confirm this from GDB:

(gdb) f 4
#4  0x0000555555a04e1d in pyembed::interpreter_config::{{impl}}::try_into (self=0x0)
    at /home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:592
592                 set_argv(&mut config, argv)?;
(gdb) info registers
rax            0x5555559e8ae0      93824997034720
rbx            0x0                 0
rcx            0x7ffff7808008      140737345781768
rdx            0x0                 0

Note that rbx is 0x0 and self=0x0.

Several instructions later, we return to frame 4 and execute assembly corresponding to the Rust code if self.exe.is_none() {. Since self is NULL, we get a segfault.

Rust 1.53.0 Analysis

Compiling the same source code with Rust 1.53.0, things look similar:

105     in Python/preconfig.c
   0x0000555555ae0886 <+54>:    mov    %r14,%rdi
   0x0000555555ae0889 <+57>:    call   0x555555ad8450 <_PyWideStringList_Copy>
   0x0000555555ae088e <+62>:    test   %eax,%eax
   0x0000555555ae0890 <+64>:    js     0x555555ae090c <_PyArgv_AsWstrList+188>

106     in Python/preconfig.c
107     in Python/preconfig.c
108     in Python/preconfig.c
109     in Python/preconfig.c
=> 0x0000555555ae0892 <+66>:    xorps  %xmm0,%xmm0
   0x0000555555ae0895 <+69>:    movups %xmm0,0x10(%r15)
   0x0000555555ae089a <+74>:    movups %xmm0,(%r15)

110     in Python/preconfig.c
   0x0000555555ae089e <+78>:    mov    %r15,%rax
   0x0000555555ae08a1 <+81>:    add    $0x20,%rsp
   0x0000555555ae08a5 <+85>:    pop    %rbx
   0x0000555555ae08a6 <+86>:    pop    %r12
   0x0000555555ae08a8 <+88>:    pop    %r13
   0x0000555555ae08aa <+90>:    pop    %r14
   0x0000555555ae08ac <+92>:    pop    %r15
   0x0000555555ae08ae <+94>:    ret

(gdb) info frame 0
Stack frame at 0x7fffffffc410:
 rip = 0x555555ae0892 in _PyArgv_AsWstrList (Python/preconfig.c:109); saved rip = 0x5555558724a2
 called by frame at 0x7fffffffc470
 source language c.
 Arglist at 0x7fffffffc3b8, args: args=0x7fffffffc430, list=0x7fffffffc8e0
 Locals at 0x7fffffffc3b8, Previous frame's sp is 0x7fffffffc410
 Saved registers:
  rbx at 0x7fffffffc3e0, r12 at 0x7fffffffc3e8, r13 at 0x7fffffffc3f0, r14 at 0x7fffffffc3f8, r15 at 0x7fffffffc400, rip at 0x7fffffffc408

(gdb) info frame 1
Stack frame at 0x7fffffffc470:
 rip = 0x5555558724a2 in _PyConfig_SetPyArgv (./Python/initconfig.c:2448); saved rip = 0x555555a42a6c
 inlined into frame 2, caller of frame at 0x7fffffffc410
 source language c.
 Arglist at unknown address.
 Locals at unknown address, Previous frame's sp is 0x7fffffffc410
 Saved registers:
  rbx at 0x7fffffffc3e0, r12 at 0x7fffffffc3e8, r13 at 0x7fffffffc3f0, r14 at 0x7fffffffc3f8, r15 at 0x7fffffffc400, rip at 0x7fffffffc408

(gdb) info frame 2
Stack frame at 0x7fffffffc470:
 rip = 0x5555558724a2 in PyConfig_SetBytesArgv (./Python/initconfig.c:2462); saved rip = 0x555555a42a6c
 called by frame at 0x7fffffffc550, caller of frame at 0x7fffffffc470
 source language c.
 Arglist at 0x7fffffffc408, args: config=<optimized out>, argc=<optimized out>, argv=<optimized out>
 Locals at 0x7fffffffc408, Previous frame's sp is 0x7fffffffc470
 Saved registers:
  rbx at 0x7fffffffc450, r14 at 0x7fffffffc458, r15 at 0x7fffffffc460, rip at 0x7fffffffc468

(gdb) info frame 3
Stack frame at 0x7fffffffc550:
 rip = 0x555555a42a6c in pyembed::interpreter_config::set_argv (/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:215);
    saved rip = 0x5555559fe846
 called by frame at 0x7fffffffca30, caller of frame at 0x7fffffffc470
 source language rust.
 Arglist at 0x7fffffffc470, args: config=0x0, args=...
 Locals at 0x7fffffffc470, Previous frame's sp is 0x7fffffffc550
 Saved registers:
  rbx at 0x7fffffffc518, rbp at 0x7fffffffc540, r12 at 0x7fffffffc520, r13 at 0x7fffffffc528, r14 at 0x7fffffffc530, r15 at 0x7fffffffc538,
  rip at 0x7fffffffc548

(gdb) info frame 4
Stack frame at 0x7fffffffca30:
 rip = 0x5555559fe846 in pyembed::interpreter_config::{{impl}}::try_into (/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:592);
    saved rip = 0x555555a36692
 called by frame at 0x7fffffffd9e0, caller of frame at 0x7fffffffc550
 source language rust.
 Arglist at 0x7fffffffc548, args: self=0x7fffffffcff0
 Locals at 0x7fffffffc548, Previous frame's sp is 0x7fffffffca30
 Saved registers:
  rbx at 0x7fffffffca08, r12 at 0x7fffffffca10, r14 at 0x7fffffffca18, r15 at 0x7fffffffca20, rip at 0x7fffffffca28

(gdb) info registers
rax            0x5555559e70a0      93824997028000
rbx            0x7fffffffc430      140737488340016
rcx            0x7ffff7808008      140737345781768
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x1                 0x1
rsp            0x7fffffffc3c0      0x7fffffffc3c0
r8             0x1                 1
r9             0x0                 0
r10            0x0                 0
r11            0x7ffff7809000      140737345785856
r12            0x7fffffffc3d8      140737488339928
r13            0x1                 1
r14            0x7fffffffc8e0      140737488341216
r15            0x7fffffffc500      140737488340224
rip            0x555555ae0892      0x555555ae0892 <_PyArgv_AsWstrList+66>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

(gdb) frame 4
#4  0x00005555559fe846 in pyembed::interpreter_config::{{impl}}::try_into (self=0x7fffffffcff0)
    at /home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:592
592                 set_argv(&mut config, argv)?;

(gdb) info registers
rax            0x5555559e70a0      93824997028000
rbx            0x0                 0
rcx            0x7ffff7808008      140737345781768
rdx            0x0                 0
rsi            0x0                 0
rdi            0x0                 0
rbp            0x7fffffffd308      0x7fffffffd308
rsp            0x7fffffffc550      0x7fffffffc550
r8             0x1                 1
r9             0x0                 0
r10            0x0                 0
r11            0x7ffff7809000      140737345785856
r12            0x7fffffffcff0      140737488343024
r13            0x0                 0
r14            0x7fffffffcb00      140737488341760
r15            0x7fffffffcff0      140737488343024
rip            0x5555559fe846      0x5555559fe846 <pyembed::interpreter_config::{{impl}}::try_into+166>
eflags         0x202               [ IF ]
cs             0x33                51
ss             0x2b                43
ds             0x0                 0
es             0x0                 0
fs             0x0                 0
gs             0x0                 0

This time r15 is 0x7fffffffc500.

And frame 4's arglist is at 0x7fffffffc548. The offsets are the same here. So the assembly changes the same relative bytes.

But, the starting bytes that are nulled out start out as NULL, so the movups is effectively a no-op:

0x7fffffffc4f0: 0x00000001      0x00000000      0x00000001      0x00000000
0x7fffffffc500: 0x00000000      0x00000000      0x00000000      0x00000000
0x7fffffffc510: 0x00000000      0x00000000      0x00000000      0x00000000
0x7fffffffc520: 0xffffcff0      0x00007fff      0x00000000      0x00000000
0x7fffffffc530: 0xffffcb00      0x00007fff      0xffffcff0      0x00007fff
0x7fffffffc540: 0xffffd308      0x00007fff      0x559fe846      0x00005555
0x7fffffffc550: 0x00000038      0x00000000      0x00000000      0x00000000

However, this version does not crash because self is not overwritten because its address isn't stored in rbx. The address of self (0x7fffffffcff0) is stored in r12 and r15. (I'm unsure how the memory address for self is calculated here.)

Hypothesis

This smells like a compiler optimization bug. Rust 1.54.0 seems to be emitting assembly that aliases 2 variables/registers to the same memory address.

Steps to Reproduce

git clone https://github.com/indygreg/PyOxidizer.git
cd PyOxidizer
git checkout rust-crash
cargo run --bin pyoxidizer -- init-rust-project ~/tmp/crash
cd ~/tmp/crash

cat > Cargo.toml <<EOF
[profile.release]
debug = true
EOF

cargo run --release --features allocator-jemalloc

In a debugger, try setting a breakpoint at preconfig.c:109. This should stop just before self gets overwritten.

The Rust function call from the crashing frame is https://github.com/indygreg/PyOxidizer/blob/0ca3236bac944b63ea8506f273b064167e25f47b/pyembed/src/interpreter_config.rs#L592. This calls into another Rust function which calls into CPython C APIs. The crash occurs at https://github.com/indygreg/PyOxidizer/blob/0ca3236bac944b63ea8506f273b064167e25f47b/pyembed/src/interpreter_config.rs#L595 when dereferencing a NULL self.

[indygreg]

Oh, I forgot to mention I can make the bug/crash go away by inserting a println!("{}", argv) line at https://github.com/indygreg/PyOxidizer/blob/0ca3236bac944b63ea8506f273b064167e25f47b/pyembed/src/interpreter_config.rs#L592 as well as performing other minor changes to the code in question. This being a provable heisenbug amplifies my theory of a compiler bug and not something wrong in my code. Although this reproduce case is making ample use of unsafe so bad code should not be ruled out.

[indygreg]

Using the ccffcafd5 2021-08-11 nightly, I can reproduce this bug with the default configuration and with RUSTFLAGS="-Z mutable-noalias=yes" and RUSTFLAGS="-Z mutable-noalias=no". So it doesn't seem to be a mutable-noalias issue.

The memory layout in nightly is the same as 1.54.0: self is stored in rbx in the crashing frame and is incorrectly overwritten.

[eddyb]

If this is a LLVM optimization change, you can try comparing the output from:

cargo rustc -- -Z no-parallel-llvm -C llvm-args=-print-after-all -Z symbol-mangling-version=v0 2> llvm.log

cc @nikic @nagisa

[indygreg]

If this is a LLVM optimization change, you can try comparing the output from:

cargo rustc -- -Z no-parallel-llvm -C llvm-args=-print-after-all -Z symbol-mangling-version=v0 2> llvm.log

Thanks for the pointer.

I was able to do this. However, the diff is quite large and I'm not really sure what I'm looking at.

I probably should have posted the disassembly from the crashing function (https://github.com/indygreg/PyOxidizer/blob/0ca3236bac944b63ea8506f273b064167e25f47b/pyembed/src/interpreter_config.rs#L585).

Here's the working version in 1.53.0:

Dump of assembler code for function _ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E:
/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
585         fn try_into(self) -> Result<pyffi::PyConfig, Self::Error> {
   0x0000555555a02e30 <+0>:     push   %r15
   0x0000555555a02e32 <+2>:     push   %r14
   0x0000555555a02e34 <+4>:     push   %rbx
   0x0000555555a02e35 <+5>:     sub    $0x4b0,%rsp
   0x0000555555a02e3c <+12>:    mov    %rsi,%r15
   0x0000555555a02e3f <+15>:    mov    %rdi,%r14

586             // We use the raw configuration as a base then we apply any adjustments,
587             // as needed.
588             let mut config: pyffi::PyConfig =
589                 python_interpreter_config_to_py_config(&self.interpreter_config)?;
=> 0x0000555555a02e42 <+18>:    add    $0x30,%rsi
   0x0000555555a02e46 <+22>:    lea    0x198(%rsp),%rdi
   0x0000555555a02e4e <+30>:    call   0x555555a42bd0 <_ZN7pyembed18interpreter_config38python_interpreter_config_to_py_config17h7c09a0c959ab9a73E>

/rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/result.rs:
1636    /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/result.rs: No such file or directory.
   0x0000555555a02e53 <+35>:    mov    0x198(%rsp),%rbx
   0x0000555555a02e5b <+43>:    lea    0x1a0(%rsp),%rsi
   0x0000555555a02e63 <+51>:    lea    0x10(%rsp),%rdi
   0x0000555555a02e68 <+56>:    mov    $0x188,%edx
   0x0000555555a02e6d <+61>:    call   *0x147169d(%rip)        # 0x555556e74510

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
589                 python_interpreter_config_to_py_config(&self.interpreter_config)?;
   0x0000555555a02e73 <+67>:    cmp    $0x1,%rbx
   0x0000555555a02e77 <+71>:    jne    0x555555a02e92 <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+98>
   0x0000555555a02e79 <+73>:    movups 0x10(%rsp),%xmm0
   0x0000555555a02e7e <+78>:    movups 0x20(%rsp),%xmm1
   0x0000555555a02e83 <+83>:    movups %xmm1,0x18(%r14)
   0x0000555555a02e88 <+88>:    movups %xmm0,0x8(%r14)
   0x0000555555a02e8d <+93>:    jmp    0x555555a03026 <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+502>
   0x0000555555a02e92 <+98>:    lea    0x328(%rsp),%rdi
   0x0000555555a02e9a <+106>:   lea    0x10(%rsp),%rsi
   0x0000555555a02e9f <+111>:   mov    $0x188,%edx
   0x0000555555a02ea4 <+116>:   call   *0x1471666(%rip)        # 0x555556e74510

590
591             if let Some(argv) = &self.argv {
   0x0000555555a02eaa <+122>:   mov    0x290(%r15),%rdx
   0x0000555555a02eb1 <+129>:   test   %rdx,%rdx
   0x0000555555a02eb4 <+132>:   je     0x555555a02efe <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+206>

/rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/alloc/src/vec/mod.rs:
2323    /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/alloc/src/vec/mod.rs: No such file or directory.
   0x0000555555a02eb6 <+134>:   mov    0x2a0(%r15),%rcx
   0x0000555555a02ebd <+141>:   lea    0x198(%rsp),%rdi
   0x0000555555a02ec5 <+149>:   lea    0x328(%rsp),%rsi

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
592                 set_argv(&mut config, argv)?;
   0x0000555555a02ecd <+157>:   call   0x555555a42790 <_ZN7pyembed18interpreter_config8set_argv17hedd5bbad1f1fa6c0E>

/rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/result.rs:
1636    /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/result.rs: No such file or directory.
   0x0000555555a02ed2 <+162>:   mov    0x198(%rsp),%rax
   0x0000555555a02eda <+170>:   movups 0x1a0(%rsp),%xmm0
   0x0000555555a02ee2 <+178>:   movaps %xmm0,0x10(%rsp)
   0x0000555555a02ee7 <+183>:   mov    0x1b0(%rsp),%rcx
   0x0000555555a02eef <+191>:   mov    %rcx,0x20(%rsp)

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
592                 set_argv(&mut config, argv)?;
   0x0000555555a02ef4 <+196>:   cmp    $0x2,%rax
   0x0000555555a02ef8 <+200>:   jne    0x555555a0300f <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+479>

/rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/option.rs:
197     /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/option.rs: No such file or directory.
   0x0000555555a02efe <+206>:   mov    (%r15),%rcx
   0x0000555555a02f01 <+209>:   test   %rcx,%rcx

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
595             if self.exe.is_none() {
   0x0000555555a02f04 <+212>:   je     0x555555a0302f <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+511>

/rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/option.rs:
197     /rustc/53cb7b09b00cbea8754ffb78e7e3cb521cb8af4b/library/core/src/option.rs: No such file or directory.
   0x0000555555a02f0a <+218>:   cmpq   $0x0,0x18(%r15)

And the bad / 1.54.0 version:

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
585         fn try_into(self) -> Result<pyffi::PyConfig, Self::Error> {
   0x0000555555a0cff0 <+0>:     push   %r15
   0x0000555555a0cff2 <+2>:     push   %r14
   0x0000555555a0cff4 <+4>:     push   %r12
   0x0000555555a0cff6 <+6>:     push   %rbx
   0x0000555555a0cff7 <+7>:     sub    $0x4a8,%rsp
   0x0000555555a0cffe <+14>:    mov    %rsi,%rbx
   0x0000555555a0d001 <+17>:    mov    %rdi,%r14

586             // We use the raw configuration as a base then we apply any adjustments,
587             // as needed.
588             let mut config: pyffi::PyConfig =
589                 python_interpreter_config_to_py_config(&self.interpreter_config)?;
=> 0x0000555555a0d004 <+20>:    add    $0x30,%rsi
   0x0000555555a0d008 <+24>:    lea    0x8(%rsp),%rdi
   0x0000555555a0d00d <+29>:    call   0x555555a4cd00 <_ZN7pyembed18interpreter_config38python_interpreter_config_to_py_config17h8fe88207c7bebad5E>

/rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs:
1664    /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs: No such file or directory.
   0x0000555555a0d012 <+34>:    cmpl   $0x1,0x8(%rsp)
   0x0000555555a0d017 <+39>:    lea    0x10(%rsp),%rsi
   0x0000555555a0d01c <+44>:    jne    0x555555a0d04b <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+91>

1665    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
   0x0000555555a0d01e <+46>:    movups (%rsi),%xmm0
   0x0000555555a0d021 <+49>:    movups 0x10(%rsi),%xmm1
   0x0000555555a0d025 <+53>:    movaps %xmm1,0x330(%rsp)
   0x0000555555a0d02d <+61>:    movaps %xmm0,0x320(%rsp)

1666    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1667    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1668    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1669    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1670    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1671    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1672    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1673    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1674    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
1675    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
   0x0000555555a0d035 <+69>:    movups %xmm1,0x18(%r14)
   0x0000555555a0d03a <+74>:    movups %xmm0,0x8(%r14)
   0x0000555555a0d03f <+79>:    movq   $0x1,(%r14)
   0x0000555555a0d046 <+86>:    jmp    0x555555a0d1cb <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+475>
   0x0000555555a0d04b <+91>:    lea    0x320(%rsp),%r15
   0x0000555555a0d053 <+99>:    mov    0x1464446(%rip),%r12        # 0x555556e714a0

1664    in /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs
   0x0000555555a0d05a <+106>:   mov    $0x188,%edx
   0x0000555555a0d05f <+111>:   mov    %r15,%rdi
   0x0000555555a0d062 <+114>:   call   *%r12
   0x0000555555a0d065 <+117>:   lea    0x198(%rsp),%rdi

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
589                 python_interpreter_config_to_py_config(&self.interpreter_config)?;
   0x0000555555a0d06d <+125>:   mov    $0x188,%edx
   0x0000555555a0d072 <+130>:   mov    %r15,%rsi
   0x0000555555a0d075 <+133>:   call   *%r12

590
591             if let Some(argv) = &self.argv {
   0x0000555555a0d078 <+136>:   mov    0x290(%rbx),%rdx
   0x0000555555a0d07f <+143>:   test   %rdx,%rdx
   0x0000555555a0d082 <+146>:   je     0x555555a0d0ac <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+188>

/rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/alloc/src/vec/mod.rs:
2366    /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/alloc/src/vec/mod.rs: No such file or directory.
   0x0000555555a0d084 <+148>:   mov    0x2a0(%rbx),%rcx
   0x0000555555a0d08b <+155>:   lea    0x8(%rsp),%rdi
   0x0000555555a0d090 <+160>:   lea    0x198(%rsp),%rsi

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
592                 set_argv(&mut config, argv)?;
   0x0000555555a0d098 <+168>:   call   0x555555a4c8c0 <_ZN7pyembed18interpreter_config8set_argv17hbfb1f04fcddc907fE>

/rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs:
1664    /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/result.rs: No such file or directory.
   0x0000555555a0d09d <+173>:   mov    0x8(%rsp),%rax
   0x0000555555a0d0a2 <+178>:   cmp    $0x2,%rax
   0x0000555555a0d0a6 <+182>:   jne    0x555555a0d178 <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+392>

/rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/option.rs:
199     /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/option.rs: No such file or directory.
   0x0000555555a0d0ac <+188>:   mov    (%rbx),%rcx
   0x0000555555a0d0af <+191>:   test   %rcx,%rcx

/home/gps/src/pyoxidizer.git/pyembed/src/interpreter_config.rs:
595             if self.exe.is_none() {
   0x0000555555a0d0b2 <+194>:   je     0x555555a0d198 <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+424>

/rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/option.rs:
199     /rustc/a178d0322ce20e33eac124758e837cbd80a6f633/library/core/src/option.rs: No such file or directory.
   0x0000555555a0d0b8 <+200>:   cmpq   $0x0,0x18(%rbx)

There are clearly differences here.

I'm not great at reading assembly, but the differences in the call to set_argv(&mut config, argv)? are perplexing me.

Here's the good version:

   0x0000555555a02eb6 <+134>:   mov    0x2a0(%r15),%rcx
   0x0000555555a02ebd <+141>:   lea    0x198(%rsp),%rdi
   0x0000555555a02ec5 <+149>:   lea    0x328(%rsp),%rsi
   0x0000555555a02ecd <+157>:   call   0x555555a42790 
   0x0000555555a02ed2 <+162>:   mov    0x198(%rsp),%rax
   0x0000555555a02eda <+170>:   movups 0x1a0(%rsp),%xmm0
   0x0000555555a02ee2 <+178>:   movaps %xmm0,0x10(%rsp)
   0x0000555555a02ee7 <+183>:   mov    0x1b0(%rsp),%rcx
   0x0000555555a02eef <+191>:   mov    %rcx,0x20(%rsp)
   0x0000555555a02ef4 <+196>:   cmp    $0x2,%rax
   0x0000555555a02ef8 <+200>:   jne    0x555555a0300f <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h749e4f0eba59cec2E+479>

And the bad:

   0x0000555555a0d084 <+148>:   mov    0x2a0(%rbx),%rcx
   0x0000555555a0d08b <+155>:   lea    0x8(%rsp),%rdi
   0x0000555555a0d090 <+160>:   lea    0x198(%rsp),%rsi
   0x0000555555a0d098 <+168>:   call   0x555555a4c8c0 <_ZN7pyembed18interpreter_config8set_argv17hbfb1f04fcddc907fE>
   0x0000555555a0d09d <+173>:   mov    0x8(%rsp),%rax
   0x0000555555a0d0a2 <+178>:   cmp    $0x2,%rax
   0x0000555555a0d0a6 <+182>:   jne    0x555555a0d178 <_ZN7pyembed18interpreter_config161_$LT$impl$u20$core..convert..TryInto$LT$pyo3..ffi..cpython..initconfig..PyConfig$GT$$u20$for$u20$$RF$pyembed..config..ResolvedOxidizedPythonInterpreterConfig$GT$8try_into17h3c0366d657e57554E+392>

We clearly see the 2 lea to %rdi and %rsi to set up the arguments. Followed by the call. But then things diverge. The bad version clearly lacks some additional moves. I'm unsure if these missing instructions are critical as part of restoring caller state or whether they shouldn't be necessary. The callee has already trampled on the register holding self at this point (%rbx). And the memory layout is quite different between these 2 functions. So I dunno.

[indygreg]

I was able to isolate this down to a regression in the 2021-05-19 nightly:

• 2021-05-15: good
• 2021-05-16: good
• 2021-05-17: good
• 2021-05-18: good
• 2021-05-19: bad
• 2021-05-20: bad
• 2021-05-21: bad

That means the regression range is somewhere between 3e99439..4e3e6db.

[glandium]

cargo-bisect-rustc should be able to pin that down to a merge commit. https://github.com/rust-lang/cargo-bisect-rustc/blob/master/TUTORIAL.md

[indygreg]

cargo-bisect-rustc identified commit 4e3e6db (#84767) as the cause of the regression. The previous toolchain (491cf55) works just fine.

I can probably work on simpler steps to reproduce. Let me know.

cc @scottmcm

[indygreg]

I am able to reproduce the issue with cargo +nightly-2021-05-19 rustc --release --features allocator-jemalloc -- --C llvm-args=-opt-bisect-limit=0. I think what this is doing is bypassing LLVM's optimization passes, effectively testing the LLVM IR that rustc emits, and in this case isolating this to an LLVM IR emission bug in rustc, not an LLVM optimization error?

Strangely, cargo +nightly-2021-05-19 rustc --release --features allocator-jemalloc -- -C no-prepopulate-passes (which I think is the preferred way to turn off LLVM IR optimization passes) fails:

error: could not compile `myapp`

Caused by:
  process didn't exit successfully: `rustc --crate-name myapp --edition=2018 src/main.rs --error-format=json --json=diagnostic-rendered-ansi --crate-type bin --emit=dep-info,link -C opt-level=3 -C embed-bitcode=no -C debuginfo=2 -C no-prepopulate-passes --cfg 'feature="allocator-jemalloc"' --cfg 'feature="build-mode-pyoxidizer-exe"' --cfg 'feature="default"' -C metadata=d92e577e2d36bc93 -C extra-filename=-d92e577e2d36bc93 --out-dir /home/gps/tmp/myapp/target/release/deps -L dependency=/home/gps/tmp/myapp/target/release/deps --extern pyembed=/home/gps/tmp/myapp/target/release/deps/libpyembed-846f76a23fec60bf.rlib -C link-args=-Wl,-export-dynamic -L native=/tmp/pyoxidizer-build-exe-packaging7UiBSc -L native=/home/gps/.cache/pyoxidizer/python_distributions/python.343e2d349779/python/build/lib -L native=/home/gps/tmp/myapp/build/x86_64-unknown-linux-gnu/release/resources -L native=/home/gps/tmp/myapp/target/release/build/jemalloc-sys-e62986af855335b6/out/build/lib -L native=/home/gps/.pyenv/versions/3.9.6/lib` (signal: 11, SIGSEGV: invalid memory reference)

If someone tells me how to get rustc to --emit files from crates that aren't the main crate being compiled, I can diff the output and try to isolate the regression. But when I run commands like cargo rustc -- -Z no-parallel-llvm -C llvm-args=-print-after-all -Z symbol-mangling-version=v0 it appears the output only contains symbols for the main crate being built. Unfortunately, the bad assembly is in a dependency crate.