Stacked Borrows error can appear during validation, causing an ICE

[saethlin]

I'm really lost on this one, but at least it reproduces

cargo download -x serde_traitobject==0.2.7
cd serde_traitobject-0.2.7
cargo miri test

     Running tests/test.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/test-9641d48af4a095d7)
error: internal compiler error: /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_const_eval/src/interpret/validity.rs:981:17: Unexpected error during validation: attempting a read access using <untagged> at alloc2286[0x0], but that tag does not exist in the borrow stack for this location

thread 'rustc' panicked at 'Box<dyn Any>', /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_errors/src/lib.rs:1335:9

full error with backtrace

     Running tests/test.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/test-9641d48af4a095d7)
error: internal compiler error: /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_const_eval/src/interpret/validity.rs:981:17: Unexpected error during validation: attempting a read access using <untagged> at alloc2286[0x0], but that tag does not exist in the borrow stack for this location

thread 'rustc' panicked at 'Box<dyn Any>', /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_errors/src/lib.rs:1335:9
stack backtrace:
   0:     0x7fd82e09df3d - std::backtrace_rs::backtrace::libunwind::trace::hcdeec0200092dccc
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/../../backtrace/src/backtrace/libunwind.rs:93:5
   1:     0x7fd82e09df3d - std::backtrace_rs::backtrace::trace_unsynchronized::h631ff05959a3d4a7
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/../../backtrace/src/backtrace/mod.rs:66:5
   2:     0x7fd82e09df3d - std::sys_common::backtrace::_print_fmt::h49837a01ca762426
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/sys_common/backtrace.rs:66:5
   3:     0x7fd82e09df3d - <std::sys_common::backtrace::_print::DisplayBacktrace as core::fmt::Display>::fmt::h6a4ac13bdf158aa1
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/sys_common/backtrace.rs:45:22
   4:     0x7fd82e0f9bcc - core::fmt::write::hb391f60152fe1797
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/core/src/fmt/mod.rs:1196:17
   5:     0x7fd82e08f621 - std::io::Write::write_fmt::h0a4fbf5aac9ad806
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/io/mod.rs:1654:15
   6:     0x7fd82e0a0c55 - std::sys_common::backtrace::_print::hdf2e31e5d1d41e18
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/sys_common/backtrace.rs:48:5
   7:     0x7fd82e0a0c55 - std::sys_common::backtrace::print::h88d4ddd46fdedaa1
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/sys_common/backtrace.rs:35:9
   8:     0x7fd82e0a0c55 - std::panicking::default_hook::{{closure}}::hc5f4fd0fc888cb9c
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/panicking.rs:295:22
   9:     0x7fd82e0a08c9 - std::panicking::default_hook::hd44a0eae4798eec8
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/panicking.rs:314:9
  10:     0x7fd82e8e8e01 - rustc_driver[6c68c7675f8cc06]::DEFAULT_HOOK::{closure#0}::{closure#0}
  11:     0x7fd8217b73d3 - <alloc::boxed::Box<F,A> as core::ops::function::Fn<Args>>::call::hd8d093c026b814c3
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/alloc/src/boxed.rs:1886:9
  12:     0x7fd8217e529d - proc_macro::bridge::client::<impl proc_macro::bridge::Bridge>::enter::{{closure}}::{{closure}}::h97cf6c9829476b53
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/proc_macro/src/bridge/client.rs:335:21
  13:     0x7fd82e0a1426 - std::panicking::rust_panic_with_hook::hebfe27a5e80c59da
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/panicking.rs:702:17
  14:     0x7fd82f974d51 - std[f0264d9fe20a2da1]::panicking::begin_panic::<rustc_errors[a913ee7c1936dd3c]::ExplicitBug>::{closure#0}
  15:     0x7fd82f96f226 - std[f0264d9fe20a2da1]::sys_common::backtrace::__rust_end_short_backtrace::<std[f0264d9fe20a2da1]::panicking::begin_panic<rustc_errors[a913ee7c1936dd3c]::ExplicitBug>::{closure#0}, !>
  16:     0x7fd82f906166 - std[f0264d9fe20a2da1]::panicking::begin_panic::<rustc_errors[a913ee7c1936dd3c]::ExplicitBug>
  17:     0x7fd82f931096 - std[f0264d9fe20a2da1]::panic::panic_any::<rustc_errors[a913ee7c1936dd3c]::ExplicitBug>
  18:     0x7fd82f927fb5 - <rustc_errors[a913ee7c1936dd3c]::HandlerInner>::bug::<&alloc[f962eb889b9f6fee]::string::String>
  19:     0x7fd82f927b20 - <rustc_errors[a913ee7c1936dd3c]::Handler>::bug::<&alloc[f962eb889b9f6fee]::string::String>
  20:     0x7fd82f97d65d - rustc_middle[47a10bba0a67dc13]::ty::context::tls::with_opt::<rustc_middle[47a10bba0a67dc13]::util::bug::opt_span_bug_fmt<rustc_span[febcdc6cde54d1dc]::span_encoding::Span>::{closure#0}, ()>
  21:     0x7fd82f97d9d6 - rustc_middle[47a10bba0a67dc13]::util::bug::opt_span_bug_fmt::<rustc_span[febcdc6cde54d1dc]::span_encoding::Span>
  22:     0x7fd82f97d953 - rustc_middle[47a10bba0a67dc13]::util::bug::bug_fmt
  23:     0x55db073af20f - rustc_const_eval::interpret::validity::<impl rustc_const_eval::interpret::eval_context::InterpCx<M>>::validate_operand_internal::he6bf2f185ca35b0d
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_const_eval/src/interpret/validity.rs:981:17
  24:     0x55db07398f1c - rustc_const_eval::interpret::step::<impl rustc_const_eval::interpret::eval_context::InterpCx<M>>::eval_rvalue_into_place::h4c1d9a3de03f01ba
  25:     0x55db07398f1c - rustc_const_eval::interpret::step::<impl rustc_const_eval::interpret::eval_context::InterpCx<M>>::statement::ha7149acc71bf9f8e
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_const_eval/src/interpret/step.rs:86:44
  26:     0x55db0733a5dd - rustc_const_eval::interpret::step::<impl rustc_const_eval::interpret::eval_context::InterpCx<M>>::step::ha1c02e91a2deca5a
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_const_eval/src/interpret/step.rs:62:13
  27:     0x55db0733a5dd - miri::eval::eval_entry::{{closure}}::h9d90038c669517a6
                               at /home/ben/miri/src/eval.rs:317:29
  28:     0x55db0733a5dd - miri::eval::eval_entry::hba847821640c2229
                               at /home/ben/miri/src/eval.rs:311:38
  29:     0x55db072b3702 - <miri::MiriCompilerCalls as rustc_driver::Callbacks>::after_analysis::{{closure}}::h16608e88f2f600a3
                               at /home/ben/miri/src/bin/miri.rs:85:40
  30:     0x55db072b3702 - rustc_interface::passes::QueryContext::enter::{{closure}}::h063a8123c11a3f3b
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_interface/src/passes.rs:819:42
  31:     0x55db072b3702 - rustc_middle::ty::context::tls::enter_context::{{closure}}::h6bba93844dc4f5b9
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_middle/src/ty/context.rs:1841:50
  32:     0x55db072b3702 - rustc_middle::ty::context::tls::set_tlv::h5044845c79d009ac
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_middle/src/ty/context.rs:1825:9
  33:     0x55db072b3702 - rustc_middle::ty::context::tls::enter_context::hb47d41c7dc4b2566
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_middle/src/ty/context.rs:1841:9
  34:     0x55db072b3702 - rustc_interface::passes::QueryContext::enter::hb54f03ae7dbcc6c4
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/compiler/rustc_interface/src/passes.rs:819:9
  35:     0x55db072ae008 - <miri::MiriCompilerCalls as rustc_driver::Callbacks>::after_analysis::he4713bb167836509
                               at /home/ben/miri/src/bin/miri.rs:62:9
  36:     0x7fd830951215 - <rustc_interface[cc2011f0ec0b0d74]::interface::Compiler>::enter::<rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}::{closure#2}, core[8780a581d94640bd]::result::Result<core[8780a581d94640bd]::option::Option<rustc_interface[cc2011f0ec0b0d74]::queries::Linker>, rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>
  37:     0x7fd83097986f - rustc_span[febcdc6cde54d1dc]::with_source_map::<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_interface[cc2011f0ec0b0d74]::interface::create_compiler_and_run<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}>::{closure#1}>
  38:     0x7fd830965174 - rustc_interface[cc2011f0ec0b0d74]::interface::create_compiler_and_run::<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}>
  39:     0x7fd83094f702 - <scoped_tls[e8ce85aa300a11]::ScopedKey<rustc_span[febcdc6cde54d1dc]::SessionGlobals>>::set::<rustc_interface[cc2011f0ec0b0d74]::interface::run_compiler<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}>::{closure#0}, core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>
  40:     0x7fd83096682f - std[f0264d9fe20a2da1]::sys_common::backtrace::__rust_begin_short_backtrace::<rustc_interface[cc2011f0ec0b0d74]::util::run_in_thread_pool_with_globals<rustc_interface[cc2011f0ec0b0d74]::interface::run_compiler<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}>::{closure#0}, core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>::{closure#0}, core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>
  41:     0x7fd830966969 - <<std[f0264d9fe20a2da1]::thread::Builder>::spawn_unchecked_<rustc_interface[cc2011f0ec0b0d74]::util::run_in_thread_pool_with_globals<rustc_interface[cc2011f0ec0b0d74]::interface::run_compiler<core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>, rustc_driver[6c68c7675f8cc06]::run_compiler::{closure#1}>::{closure#0}, core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>::{closure#0}, core[8780a581d94640bd]::result::Result<(), rustc_errors[a913ee7c1936dd3c]::ErrorGuaranteed>>::{closure#1} as core[8780a581d94640bd]::ops::function::FnOnce<()>>::call_once::{shim:vtable#0}
  42:     0x7fd82e0ab343 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::h19b21b80db330164
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/alloc/src/boxed.rs:1872:9
  43:     0x7fd82e0ab343 - <alloc::boxed::Box<F,A> as core::ops::function::FnOnce<Args>>::call_once::he0e29e364d6820ca
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/alloc/src/boxed.rs:1872:9
  44:     0x7fd82e0ab343 - std::sys::unix::thread::Thread::new::thread_start::hd51ff0e9e0198919
                               at /rustc/481db40311cdd241ae4d33f34f2f75732e44d8e8/library/std/src/sys/unix/thread.rs:108:17
  45:     0x7fd82de7f54d - <unknown>
  46:     0x7fd82df04b14 - clone
  47:                0x0 - <unknown>

note: the compiler unexpectedly panicked. this is a bug.

note: we would appreciate a bug report: https://github.com/rust-lang/rust/issues/new?labels=C-bug%2C+I-ICE%2C+T-compiler&template=ice.md

note: rustc 1.62.0-nightly (481db4031 2022-05-12) running on x86_64-unknown-linux-gnu

note: compiler flags: -C embed-bitcode=no -C debuginfo=2 -C incremental

note: some of the compiler flags provided by cargo are hidden

query stack during panic:
end of query stack
error: aborting due to previous error

error: test failed, to rerun pass '--test test'

[RalfJung]

Oh, that is fascinating. So even though we just wrote that value to the given location, we still get UB when trying to read it back? Not sure how that can happen.

A better stack trace (with all the missing source spans) and a self-contained example reproducing the problem would be really useful.

[saethlin]

This code is metaprogramming and nightly features way beyond my skill as a Rust programmer, but I narrowed down the location of the ICE to this std::ptr::from_raw_parts_mut call. Execution gets past the transmute_coerce call.

https://github.com/alecmocatta/metatype/blob/04adef6883c917de454cbe327f891f77a45a854f/src/lib.rs#L151

	default fn fatten(thin: *mut (), t: Self::Meta) -> *mut Self {
		let t: TraitObject = type_coerce(t);
		let vtable: *const () = t.vtable;
		let vtable = vtable as *mut ();
		std::ptr::from_raw_parts_mut(thin, unsafe { transmute_coerce(vtable) })
	}

[asquared31415]

#![feature(ptr_metadata)]

trait Foo {}

impl Foo for u32 {}

fn uwu(thin: *const (), meta: &'static ()) -> *const dyn Foo {
    core::ptr::from_raw_parts(thin, unsafe { core::mem::transmute(meta) })
}

fn main() {
    unsafe {
        let orig = 1_u32;
        let x = &orig as &dyn Foo;
        let (ptr, meta) = (x as *const dyn Foo).to_raw_parts();
        let _ = uwu(ptr, core::mem::transmute(meta));
    }
}

Isolated reproduction. Reproduces with pointer tagging enabled as well.

[RalfJung]

So what happens here is that &'static () is a pointer with provenance for 0 bytes (matching the size of ()). When you use that pointer for a vtable, then validity checks whether you are having a valid vtable, which does a read from the vtable, and that is UB since the vtable pointer does not actually have permission to access this memory.

This is what I get for doing actual memory accesses during validation in one specific case. ;) Good catch!