Miscompilation due to MatchBranchSimplification MIR pass mixing up discriminants #124150
Comments
RalfJung
added
the
I-unsound
rustbot
added
I-prioritize
|
Cc @rust-lang/wg-mir-opt |
workingjubilee
added
T-compiler
|
does it make sense to quickly throw up a PR disabling it to leave more time for fixing it properly and thoroughly? |
Noratrieb
removed
the
needs-triage
I like this: #124122 (comment). |
|
yeah, could you put up a quick PR to disable it, gating it behind unsound MIR opts? |
I will do it today. :) |
This is just the usual operation on LLVM: disabling certain conversions, rather than disabling the entire Pass. Of course, compared to LLVM's passes, the passes in MIR-opt are much smaller. |
|
WG-prioritization assigning priority (Zulip discussion). @rustbot label -I-prioritize +P-critical |
rustbot
added
P-critical
I've rethought this scenario, and it's appropriate to add unsound opts. Because this pass is mostly all in #120614. :) |
|
I think disabling the entire pass should have a very small impact, it's not like this is the LLVM instcombine pass :D. So that makes more sense, it's usually how we do it for less important MIR opt passes. |
|
I caused a P-critical issue for the first time. :p |
Rust nightly, as of yesterday, breaks yk. We *think* this is because of rust-lang/rust#124150 --- if so, hopefully we can switch back to "nightly nightly" in a day or two.
|
mir-opts work has a pretty high chance of doing that. Unfortunately we haven't yet figured out how to build correct-by-construction optimization passes outside of full-blown theorem provers... |
Disable MatchBranchSimplification Due to the miscompilation mentioned in rust-lang#124150, We need to disable MatchBranchSimplification temporarily. To fully resolve this issue, my plan is: 1. Disable MatchBranchSimplification (this PR). 2. Remove all potentially unclear transforms in rust-lang#124122. 3. Gradually add back the removed transforms (possibly multiple PRs). r? `@Nilstrieb` or `@oli-obk`
…fJung Disable SimplifyToExp in MatchBranchSimplification Due to the miscompilation mentioned in rust-lang#124150, We need to disable MatchBranchSimplification temporarily. To fully resolve this issue, my plan is: 1. Disable SimplifyToExp in MatchBranchSimplification (this PR). 2. Remove all potentially unclear transforms in rust-lang#124122. 3. Gradually add back the removed transforms (possibly multiple PRs). r? `@Nilstrieb` or `@oli-obk`
Simplify match based on the cast result of `IntToInt` Continue to complete rust-lang#124150. The condition in rust-lang#120614 is wrong, e.g. `-1i8` cannot be converted to `255i16`. I've rethought the issue and simplified the conditional judgment for a more straightforward approach. The new approach is to check **if the case value after the `IntToInt` conversion equals the target value**. In different types, `IntToInt` uses different casting methods. This rule is as follows: - `i8`/`u8` to `i8`/`u8`: do nothing. - `i8` to `i16`/`u16`: sign extension. - `u8` to `i16`/`u16`: zero extension. - `i16`/`u16` to `i8`/`u8`: truncate to the target size. The previous error was a mix of zext and sext. r? mir-opt
#120614 introduced a miscompilation; turns out this question poked at incorrect logic in the MatchBranchSimplification MIR pass.
#124122 is a WIP patch to fix this (and also contains a testcase that currently gets miscompiled), but as a critical soundness issue this deserves tracking nonetheless.
The text was updated successfully, but these errors were encountered: