Integer overflow compiling libcore with RUST_LOG=rustc::middle::dataflow

[arielb1]

RUST_BACKTRACE=1 RUST_LOG=rustc::middle::dataflow LD_LIBRARY_PATH=$PWD/rust/build/x86_64-unknown-linux-gnu/stage1/lib:$LD_LIBRARY_PATH $PWD/rust/build/x86_64-unknown-linux-gnu/stage1/bin/rustc rust/src/libcore/lib.rs --crate-type=rlib -Z time-passes

Gives this ICE

thread 'rustc' panicked at 'shift operation overflowed', /tmp/tmp.T4Z5CFeegA/rust/src/librustc/middle/dataflow.rs:616

stack backtrace:
   1:     0x7f5eb8047559 - sys::backtrace::write::h6ed19dc4dacf551bLPC
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/sys/unix/backtrace.rs:158
   2:     0x7f5eb80671e9 - panicking::on_panic::hac4d2b3392cefeeaXeJ
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/panicking.rs:48
   3:     0x7f5eb7fbed92 - rt::unwind::begin_unwind_inner::h8c3cc30fe353299b5TI
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/rt/unwind.rs:586
   4:     0x7f5eb7fbf11d - rt::unwind::begin_unwind_fmt::h4bcbc8ee12946879xSI
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/rt/unwind.rs:508
   5:     0x7f5eb8066d67 - rust_begin_unwind
   6:     0x7f5eb80cb77a - panicking::panic_fmt::h40282ff8b8e4dd99uCC
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libcore/panicking.rs:64
   7:     0x7f5eb80bd7c0 - panicking::panic::h5ec5e170e0b475701AC
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libcore/panicking.rs:45
   8:     0x7f5eb5fe49de - middle::dataflow::bits_to_string::h10a35495539ed29fRik
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libcore/fmt/mod.rs:163
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc/middle/dataflow.rs:603
   9:     0x7f5eb71ff4c7 - borrowck::move_data::FlowedMoveData<'a, 'tcx>::new::h87b882753ba3d1baGve
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc/middle/dataflow.rs:239
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/move_data.rs:475
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/move_data.rs:613
  10:     0x7f5eb720a26a - borrowck::build_borrowck_dataflow_data::hb7f63cd7157f0f6cINe
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:175
  11:     0x7f5eb7204698 - borrowck::borrowck_fn::h1cb861fefd55f033dLe
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:132
  12:     0x7f5eb7207138 - visit::walk_impl_item::h3465592306121567481
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:58
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:645
  13:     0x7f5eb720574e - borrowck::borrowck_item::h385047a199416447hKe
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:81
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:287
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:111
  14:     0x7f5eb72053ae - borrowck::borrowck_item::h385047a199416447hKe
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:62
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:160
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:64
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:257
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:111
  15:     0x7f5eb72058de - borrowck::check_crate::h25527627d97d2217iFe
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:62
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:160
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:64
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libsyntax/visit.rs:152
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_borrowck/borrowck/mod.rs:77
  16:     0x7f5eb86d6dea - driver::phase_3_run_analysis_passes::hd21b18152a084898nGa
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/driver.rs:661
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc/util/common.rs:53
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/time/duration.rs:155
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc/util/common.rs:52
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/driver.rs:660
  17:     0x7f5eb86bcfcd - driver::compile_input::h8cb610c988065f9aQba
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/driver.rs:119
  18:     0x7f5eb875d055 - run_compiler::h9b1c78185bfc93e5X4b
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/lib.rs:158
  19:     0x7f5eb875afdc - boxed::F.FnBox<A>::call_box::h8855901410011515709
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/lib.rs:101
                        at /tmp/tmp.T4Z5CFeegA/rust/src/librustc_driver/lib.rs:816
                        at /tmp/tmp.T4Z5CFeegA/rust/src/liballoc/boxed.rs:365
  20:     0x7f5eb875a71e - rt::unwind::try::try_fn::h3956771332398307935
  21:     0x7f5eb8102fe8 - rust_try_inner
  22:     0x7f5eb8102fd5 - rust_try   
  23:     0x7f5eb875a9bc - boxed::F.FnBox<A>::call_box::h10043666882495187021
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/rt/unwind.rs:125
                        at /tmp/tmp.T4Z5CFeegA/rust/src/libstd/thread/mod.rs:329
                        at /tmp/tmp.T4Z5CFeegA/rust/src/liballoc/boxed.rs:365
  24:     0x7f5eb805949e - sys::thread::create::thread_start::h0dc8e2cdac8f3d2dpPH
  25:     0x7f5eb2ada181 - start_thread
  26:     0x7f5eb7c1e30c - __clone
  27:                0x0 - <unknown>  

[hirschenberger]

Can't reproduce with

rustc 1.0.0-dev (8f209d5a3 2015-04-16) (built 2015-04-16)
rustc 1.0.0-nightly (abf0548b5 2015-04-15) (built 2015-04-16)

[arielb1]

Are you sure you used a build with active logging? You need to configure it with --enable-debug-assertions --enable-debuginfo (which isn't done with the nightlies) or RUST_LOG will be ignored.

[hirschenberger]

Sorry, good hint. I CAN reproduce the ICE.

[pnkfelix]

oh cool, this seems like it must be a bug either in the overflow-detection or in the dataflow code

[hirschenberger]

It seems as if the dataflow code is flawed, trying to shift a usize var by values >32bits. Shouldn't the and'ed mask be 0x1F or better usize::BITS to prevent this?

dataflow.rs:660

fn bit_str(bit: usize) -> String {
    let byte = bit >> 8;
    let lobits = 1 << (bit & 0xFF);
    format!("[{}:{}-{:02x}]", bit, byte, lobits)
}

...
DEBUG:rustc::middle::dataflow: word=0 bit_in_word=29 bit_mask=0
DEBUG:rustc::middle::dataflow: flowed_move_data_assigns add_gen(id=27690, bit=30)
DEBUG:rustc::middle::dataflow: set_bit: words=[00-00-00-00-00-00-00-00] bit=[30:0-40000000]
DEBUG:rustc::middle::dataflow: word=0 bit_in_word=30 bit_mask=0
DEBUG:rustc::middle::dataflow: flowed_move_data_assigns add_gen(id=27691, bit=31)
DEBUG:rustc::middle::dataflow: set_bit: words=[00-00-00-00-00-00-00-00] bit=[31:0-80000000]
DEBUG:rustc::middle::dataflow: word=0 bit_in_word=31 bit_mask=0
DEBUG:rustc::middle::dataflow: flowed_move_data_assigns add_gen(id=27696, bit=32)

[pnkfelix]

yeah, that's definitely a bug; if the code (that this is providing instrumentation for) is extracting a byte and then a bit from within it, then bit_str should look like:

    let byte = bit >> 3;
    let lobits = 1 << (bit & 0xb111); // or 0x7 if you prefer that

If its extracting a 32-bit word and then a bit within that, then bit_str should look like:

    let byte = bit >> 5; // "byte" seems like a misnomer here
    let lobits = 1 << (bit & 0xb11111); // or 0x1F if you prefer that

(if the extraction really is word-size dependent, that seems like a recipe for trouble to me... better to just use u32 everywhere here, IMO....)

[pnkfelix]

cc @nikomatsakis

[brson]

@nikomatsakis says it's fixed.

[nikomatsakis]

bit_str looks like this now:

fn bit_str(bit: usize) -> String {
    let byte = bit >> 3;
    let lobits = 1 << (bit & 0b111); // <-- NB: b111
    format!("[{}:{}-{:02x}]", bit, byte, lobits)
}