Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Bad pointer deref in SizeAndAlignOfDst/main_fail.rs #87

Closed
markrtuttle opened this issue Apr 18, 2021 · 5 comments · Fixed by #3040
Closed

Bad pointer deref in SizeAndAlignOfDst/main_fail.rs #87

markrtuttle opened this issue Apr 18, 2021 · 5 comments · Fixed by #3040
Assignees
@celinval
Labels
[C] Bug This is a bug. Something isn't working.
Milestone
Maintenance

Comments

@markrtuttle
Copy link
Contributor

RMC fails to cast a "mutable raw pointer to a trait object" to a "mutable raw pointer to a unit" that arises in the regression test rust-tests/cbmc-reg/SizeAndAlignOfDst/main_fail.rs described in issue #33 that was used initially to illustrate an issue with the unsized pointer cast.

The mir generated by rustc on the test includes

handling rc::is_dangling::<alloc::sync::ArcInner<Mutex<dyn Subscriber>>>, std::rc::is_dangling

let _1: *mut alloc::sync::ArcInner<std::sync::Mutex<dyn Subscriber>>
let _3: *mut ()
let _4: *mut alloc::sync::ArcInner<std::sync::Mutex<dyn Subscriber>>
_4 = _1
_3 = move _4 as *mut () (Misc)

where you can see that the pointer to the trait object (a fat pointer) is being cast to a pointer to a unit (thin pointer), and codegen_misc_cast fails because the cast_to predicate says you can't cast a goto struct to a goto pointer.
@markrtuttle markrtuttle added the [C] Bug This is a bug. Something isn't working. label Apr 18, 2021
This was referenced Apr 18, 2021
Closed
Merged
@avanhatt avanhatt self-assigned this Jun 14, 2021
@avanhatt
Copy link
Contributor

The cast now succeeds; but the test itself fails with a verification failure. Not sure if this is expected behavior because CBMC can't reason about locks. Will confirm and close issue if expected. Code in question:

    let s: Arc<Mutex<dyn Subscriber>> = Arc::new(Mutex::new(DummySubscriber::new()));
    let mut data = s.lock().unwrap();
    data.increment();
    assert!(data.get() == 1);

@avanhatt
Copy link
Contributor

avanhatt commented Jul 7, 2021

The test does also fail with invalid references when you pass --pointer-check, likely related to #240. Keeping open.

@avanhatt avanhatt changed the title Failing to cast *mut trait object to *mut unit Bad pointer deref in SizeAndAlignOfDst/main_fail.rs Jul 7, 2021
celinval pushed a commit to celinval/kani-dev that referenced this issue Nov 16, 2021
@calebzulawski
Merge pull request model-checking#87 from rust-lang/feat/sat-abs-neg
4e6d440 
Add saturating abs/neg
@celinval celinval assigned celinval and unassigned avanhatt Mar 11, 2022
@zhassan-aws
Copy link
Contributor

This test (which was moved to tests/kani/SizeAndAlignOfDst/main_assert_fixme.rs) fails due to an unlinked std function:

Check 12: _ZN3std10sys_common5mutex12MovableMutex3new17h6cb854a7d3d229c6E.assertion.1
	 - Status: FAILURE
	 - Description: "assertion false"
	 - Location: Unknown File in function _ZN3std10sys_common5mutex12MovableMutex3new17h6cb854a7d3d229c6E

So it is related to #576 (comment). Removing "MLP - Must Have" label.

@celinval celinval removed this from Kani v0.3 May 19, 2022
@celinval
Copy link
Contributor

The issue described here seems to be fixed, but we can't fully validate this until we fix the issue with linking std library.

@celinval celinval removed their assignment May 19, 2022
@tedinski tedinski mentioned this issue May 23, 2022
Closed
@celinval celinval self-assigned this Oct 26, 2022
@celinval celinval mentioned this issue Oct 26, 2022
Merged
4 tasks
@celinval
Copy link
Contributor

Linking the standard library is no longer an issue here, but it looks like we are still incorrectly generating code for this. I added a new simple harness to this tests that should succeed but it still fails:

#[kani::proof]
#[kani::unwind(2)]
fn simplified() {
    let s: Arc<Mutex<dyn Subscriber>> = Arc::new(Mutex::new(DummySubscriber::new()));
    let data = s.lock().unwrap();
    assert!(data.get() == 0);
}

celinval added a commit that referenced this issue Oct 26, 2022
@celinval
Add tests for issues related to std linking (#1801)
f306a44 
Add tests for #564, #208 and #87.

Unfortunately, it looks like there are still issues with with how we are
encoding panic threads and dynamic objects which are causing two of the
test cases to fail.
@zhassan-aws zhassan-aws mentioned this issue Feb 17, 2024
Closed
@celinval celinval mentioned this issue Feb 21, 2024
Merged
celinval added a commit that referenced this issue Feb 26, 2024
@celinval
Upgrade rust toolchain to 2024-02-17 (#3040)
c2dc489 
Upgrade toolchain to 2024-02-17. Relevant PR:

- rust-lang/rust#120500
- rust-lang/rust#100603

Fixes #87
Fixes #3034
Fixes #3037
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@celinval celinval

Labels
[C] Bug This is a bug. Something isn't working.
Projects
No open projects
Kani 0.14
Status: Done
Milestone
Maintenance
5 participants
@danielsn @markrtuttle @avanhatt @celinval @zhassan-aws