Panic and abort should stop the program execution #543

celinval · 2021-10-07T21:54:02Z

I tried this code:

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 OR MIT
//
// rmc-verify-fail

pub fn main() {
    for i in 0..4 {
        if i == 1 {
            panic!("This comes first");
        }
        if i == 2 {
            panic!("This should never happen");
        }
    }
}

using the following command line invocation:

rmc loop.rs

I expected to see this happen: The first assertion should fail but the second one should be unreachable. The panic call should abort the execution in the second iteration of the loop.

Instead, this happened: Both assertions fail. The trace for the second assertion includes the first panic call.

Note that the same behavior happens if we replace the panic!() statement by process::abort().

The text was updated successfully, but these errors were encountered:

celinval · 2021-10-12T15:33:40Z

An easy fix right now would be to condegen these failures as:

assert(cond);
assume(cond);

However, this is not actually sound since we are ignoring the unwind path. I created #545 to handle unwind logic.

zhassan-aws · 2021-11-30T17:47:52Z

This is also how CBMC behaves. For example, for:

#include <assert.h>

int main() {
    int x = 5;
    assert(x < 3);
    assert(x < 4);
    return 0;
}

Both assertions fail:

** Results:
test.c function main
[main.assertion.1] line 5 assertion x < 3: FAILURE
[main.assertion.2] line 6 assertion x < 4: FAILURE

** 2 of 2 failed (2 iterations)
VERIFICATION FAILED

Perhaps we can add an option, e.g. --assert-fail-aborts that changes to the behavior you described? We can document that using this option could lead to missing assertion failures during stack unwinding.

celinval · 2021-12-01T20:41:29Z

I think we should always abort for user asserts, since that is the semantics of assert in rust. Note that if you add an assert!(false); or a panic statement, the rust compiler considers everything else that is dominated by that statement as dead code and removes it.

For debug_assert and other checks that we add, we should not abort since the code after the failure may still reachable during a release execution.

celinval · 2021-12-01T21:10:47Z

Note that assertions in C have different semantics since they can be enabled / disabled according to the value of NDEBUG. https://en.cppreference.com/w/cpp/error/assert

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes model-checking#466, fixes model-checking#543, and fixes model-checking#636. This change also mitigates model-checking#545.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes #466, fixes #543, and fixes #636. This change also mitigates #545.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes model-checking#67, fixes model-checking#466, fixes model-checking#543, and fixes model-checking#636. This change also mitigates model-checking#545.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes #466, fixes #543, and fixes #636. This change also mitigates #545.

celinval added the [C] Bug This is a bug. Something isn't working. label Oct 7, 2021

celinval self-assigned this Oct 7, 2021

celinval mentioned this issue Dec 10, 2021

Fix assert!() and panic!() code generation #687

Merged

4 tasks

celinval closed this as completed in #687 Dec 14, 2021

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Panic and abort should stop the program execution #543

Panic and abort should stop the program execution #543

celinval commented Oct 7, 2021

celinval commented Oct 12, 2021

zhassan-aws commented Nov 30, 2021

celinval commented Dec 1, 2021

celinval commented Dec 1, 2021

Panic and abort should stop the program execution #543

Panic and abort should stop the program execution #543

Comments

celinval commented Oct 7, 2021

celinval commented Oct 12, 2021

zhassan-aws commented Nov 30, 2021

celinval commented Dec 1, 2021

celinval commented Dec 1, 2021