Skip to content

genmc: Bug fixes #4733

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
RalfJung merged 10 commits into from
Nov 29, 2025
Merged

genmc: Bug fixes #4733

RalfJung merged 10 commits into from
Nov 29, 2025

Conversation

@michaliskok
Copy link
Contributor

@michaliskok michaliskok commented Nov 28, 2025
edited by rustbot
Loading

This PR bumps the GenMC version to 0.16.1:

r? @RalfJung
(Each commit includes a description and can be reviewed separately.)

@rustbot rustbot added the S-waiting-on-review Status: Waiting for a review to complete label Nov 28, 2025
RalfJung
RalfJung reviewed Nov 29, 2025
View reviewed changes
Copy link
Member

@RalfJung RalfJung left a comment
edited by rustbot
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

The last commit mentions issues with memory allocation; what exactly are you referring to?

View changes since this review

@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025

Also, please run ./miri fmt to apply our standard formatting to the Rust code.
@rustbot author

@rustbot rustbot removed the S-waiting-on-review Status: Waiting for a review to complete label Nov 29, 2025
@rustbot
Copy link
Collaborator

rustbot commented Nov 29, 2025

Reminder, once the PR becomes ready for a review, use @rustbot ready.

@rustbot rustbot added the S-waiting-on-author Status: Waiting for the PR author to address review comments label Nov 29, 2025
@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025
edited
Loading

The last commit mentions issues with memory allocation; what exactly are you referring to?

Ah, the PR description mentions "Fixes overflowing on large allocations". Is this about a single large allocation, or many allocations accumulating to exhaust the 4GB per-thread limit? How large is "large"? Is it possible to test for that? What happens now when the per-thread 4GB memory region is exhausted?

@michaliskok
Copy link
Contributor Author

michaliskok commented Nov 29, 2025

The last commit mentions issues with memory allocation; what exactly are you referring to?

Ah, the PR description mentions "Fixes overflowing on large allocations". Is this about a single large allocation, or many allocations accumulating to exhaust the 4GB per-thread limit? How large is "large"? Is it possible to test for that? What happens now when the per-thread 4GB memory region is exhausted?

Each thread can allocate up to 4GB. If the limit is exceeded, the allocator would silently wrap around 0 and handle duplicate addresses. The new commit makes GenMC crash if the limit is exceeded, and doesn't overflow if a size/alignment >2^32 is passed to alloc_aligned.

@michaliskok
genmc/build,api: Move wrappers around GenMC API to single file
a4ca25b 
GenMC has a single API that was handled in a collection of different
files. This commit collects all API wrappers to Exploration.cpp.

(The Setup.cpp file remains intact as it contains setting translation
and setup functions.)
@michaliskok
genmc/api: Use ERROR_ON instead of if (cond) ERROR()
137ecd4 
This commit makes the code a bit more compact by using ERROR_ON()
whenever possible. It also renames a particularly verbose variable
used in ERROR's condition.
@michaliskok
genmc/api: Prefer early exits to joining if/else clauses
ab7109f
@michaliskok
genmc/api: Don't use macros for mutex state
878fa82 
Use scoped constexprs instead.
@michaliskok
genmc/api: Remove unnecessary comments
bf73ca2 
These comments explain the default values used internally
in (some) calls of the GenMC library, which is unnecessary.
@michaliskok michaliskok force-pushed the genmc-bug-fixes branch 2 times, most recently from c964074 to 8f8c08e Compare November 29, 2025 10:01
@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025

The new commit makes GenMC crash if the limit is exceeded,

That may make it tricky to add a test then, depending on the exit status this will trigger.

@michaliskok
Copy link
Contributor Author

michaliskok commented Nov 29, 2025
edited
Loading

The new commit makes GenMC crash if the limit is exceeded,

That may make it tricky to add a test then, depending on the exit status this will trigger.

The alternative would be to return an error code to Miri and let Miri crash.

@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025
edited
Loading

I tried what happened when one thread allocates more than 4GB memory in total (but not at the same time, i.e. we allocate chunks of 512MB and free them again):

./miri run --features=genmc bench-cargo-miri/big-allocs/src/main.rs -Zmiri-genmc

With this PR, that leads to a panic:

thread 'rustc' (123993) panicked at src/concurrency/genmc/mod.rs:597:9:
assertion `left != right` failed: GenMC malloc returned nullptr.

EDIT: I get the same with an 8GB allocation, using this test:

fn main() {
    let _v = Vec::<u8>::with_capacity(8 * 1024 * 1024 * 1024);
}

So, I can't reproduce the GenMC crash.

@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025
edited
Loading

The alternative would be to return an error code to Miri and let Miri crash.

The alternative would be to make Miri emit a nice error saying we ran out of memory for this thread. :)

We don't have to resolve that in this PR, but ideally we'd have some tests before we mark the item in #4572 as resolved.

RalfJung
RalfJung reviewed Nov 29, 2025
View reviewed changes
RalfJung
RalfJung reviewed Nov 29, 2025
View reviewed changes
RalfJung
RalfJung reviewed Nov 29, 2025
View reviewed changes
@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025

Here's a little patch to give the user some more explanation for why they may run out of address space in genmc mode:

diff --git a/src/diagnostics.rs b/src/diagnostics.rs
index bb8ba1969..8e252d306 100644
--- a/src/diagnostics.rs
+++ b/src/diagnostics.rs
@@ -362,6 +362,10 @@ pub fn report_result<'tcx>(
                 vec![
                     note!("this is likely not a bug in the program; it indicates that the program performed an operation that Miri does not support"),
                 ],
+            ResourceExhaustion(ResourceExhaustionInfo::AddressSpaceFull) if ecx.machine.data_race.as_genmc_ref().is_some() =>
+                vec![
+                    note!("in GenMC mode, the address space is limited to 4GB per thread, and addresses cannot be reused")
+                ],
             UndefinedBehavior(AlignmentCheckFailed { .. })
                 if ecx.machine.check_alignment == AlignmentCheck::Symbolic
             =>

RalfJung
RalfJung reviewed Nov 29, 2025
View reviewed changes
@rustbot

This comment has been minimized.

Sign in to view
@michaliskok
Copy link
Contributor Author

michaliskok commented Nov 29, 2025

I tried what happened when one thread allocates more than 4GB memory in total (but not at the same time, i.e. we allocate chunks of 512MB and free them again):

./miri run --features=genmc bench-cargo-miri/big-allocs/src/main.rs -Zmiri-genmc

With this PR, that leads to a panic:

thread 'rustc' (123993) panicked at src/concurrency/genmc/mod.rs:597:9:
assertion `left != right` failed: GenMC malloc returned nullptr.

EDIT: I get the same with an 8GB allocation, using this test:

fn main() {
    let _v = Vec::<u8>::with_capacity(8 * 1024 * 1024 * 1024);
}

So, I can't reproduce the GenMC crash.

Indeed, sorry about that.

I thought I made GenMC panic in all cases, but that's not the case. For allocations taking place via handleMalloc, GenMC returns nullptr (and potentially an error trace, but error reporting is not hooked up yet anyway). I added a test ensuring that Miri produces an error report if addresses get depleted.

I also incorporated your other comments.

@michaliskok
genmc/api: Use returned value from handleFree()
b5a7b4b 
GenMC's handleFree() does return an optional<Error>, so we
may as well use that value.
@michaliskok
genmc/api: Use returned value for handleExecutionEnd()
11f09d8
@michaliskok
genmc,tests: Throw when GenMC runs out of memory
8568c89 
GenMC can currently allocate up to 4GB per thread. If it cannot
allocated any more memory, it will return nullptr.

This commit adds a test in Miri that ensures we gracefully throw
if this ever happens.
@michaliskok
diagnostics: Explain why programs might run OOM in GenMC mode
1d16624 
GenMC's allocator can currently only allocate up to 4GB per thread.

Authored-by: Ralf Jung
@michaliskok
genmc/build,tests: Update GenMC version to 0.16.1
ec626b9 
This version fixes some issues with atomic_{umix,umax} operation
and memory allocation.
@michaliskok
Copy link
Contributor Author

michaliskok commented Nov 29, 2025

@rustbot ready

@rustbot rustbot added S-waiting-on-review Status: Waiting for a review to complete and removed S-waiting-on-author Status: Waiting for the PR author to address review comments labels Nov 29, 2025
@RalfJung
Copy link
Member

RalfJung commented Nov 29, 2025

Looks great, thanks :)

@RalfJung RalfJung enabled auto-merge November 29, 2025 12:26
@RalfJung RalfJung added this pull request to the merge queue Nov 29, 2025
Merged via the queue into rust-lang:master with commit 0749929 Nov 29, 2025
14 checks passed
@rustbot rustbot removed the S-waiting-on-review Status: Waiting for a review to complete label Nov 29, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@RalfJung RalfJung RalfJung left review comments

Assignees

@RalfJung RalfJung

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@michaliskok @RalfJung @rustbot