Fix deduplication mismatches in vtables leading to upcasting unsoundness #135318
Conversation
rustbot
added
S-waiting-on-review
|
Some changes occurred to the CTFE / Miri interpreter cc @rust-lang/miri Some changes occurred to the CTFE machinery cc @rust-lang/wg-const-eval |
This comment has been minimized.
This comment has been minimized.
compiler-errors
force-pushed
the
vtable-fixes
branch
from
04fb1f2 to
c9ae1a0
Compare
|
Some changes occurred in compiler/rustc_codegen_cranelift cc @bjorn3 Some changes occurred in compiler/rustc_codegen_gcc |
We do have assertions that are intended to ensure that looking up the method via the offset leads to the same result as the type-driven "direct" lookup. If those did not catch this problem, something seems odd. Note that these are debug assertions so you won't see this in |
|
vibeck 👍 can talk about it regardless, but this feels very reasonable to me modulo the nit above wrt to hr-trait objects, the important part is that all trait object args are invariant so you can't subtype types in the args: going from |
compiler-errors
force-pushed
the
vtable-fixes
branch
from
c9ae1a0 to
dfe3084
Compare
|
The rustc-dev-guide subtree was changed. If this PR only touches the dev guide consider submitting a PR directly to rust-lang/rustc-dev-guide otherwise thank you for updating the dev guide with your changes. |
|
I've reworked the
I've also removed the |
|
I've also changed a bunch of |
|
I've tested out the new behavior (before the force-push, but it sounds like that wasn't changing anything about it) a little bit, and it seems quite convincing to me :-) |
|
didnt change anything behaviorally since the rebase |
|
FWIW running the test from #135315 in Miri with debug assertions does ICE, so the existing check do in fact enable Miri to catch problems like this: Same for the test in #135316. Maybe we should just always enable these checks for Miri? That makes virtual calls slightly more expensive, but it seems hard to imagine that becoming a bottleneck. |
tests/ui/traits/trait-upcasting/multiple-supertraits-modulo-binder.rs
Outdated
Show resolved
Hide resolved
tests/ui/traits/trait-upcasting/multiple-supertraits-modulo-normalization.rs
Outdated
Show resolved
Hide resolved
Yeah, my first reaction was to test it in miri and not it triggering did give me a false impression that miri was not affected here :) I'll change the debug assertion to be a regular assertion. |
|
Miri is indeed not affected, but it'd still be nice to have Miri catch issues that only affect code using the actual vtable entries. |
compiler-errors
force-pushed
the
vtable-fixes
branch
from
dfe3084 to
305a3e0
Compare
|
The Miri subtree was changed cc @rust-lang/miri |
compiler-errors
force-pushed
the
vtable-fixes
branch
from
305a3e0 to
1543bb4
Compare
Fix deduplication mismatches in vtables leading to upcasting unsoundness We currently have two cases where subtleties in supertraits can trigger disagreements in the vtable layout, e.g. leading to a different vtable layout being accessed at a callsite compared to what was prepared during unsizing. Namely: ### rust-lang#135315 In this example, we were not normalizing supertraits when preparing vtables. In the example, ``` trait Supertrait<T> { fn _print_numbers(&self, mem: &[usize; 100]) { println!("{mem:?}"); } } impl<T> Supertrait<T> for () {} trait Identity { type Selff; } impl<Selff> Identity for Selff { type Selff = Selff; } trait Middle<T>: Supertrait<()> + Supertrait<T> { fn say_hello(&self, _: &usize) { println!("Hello!"); } } impl<T> Middle<T> for () {} trait Trait: Middle<<() as Identity>::Selff> {} impl Trait for () {} fn main() { (&() as &dyn Trait as &dyn Middle<()>).say_hello(&0); } ``` When we prepare `dyn Trait`, we see a supertrait of `Middle<<() as Identity>::Selff>`, which itself has two supertraits `Supertrait<()>` and `Supertrait<<() as Identity>::Selff>`. These two supertraits are identical, but they are not duplicated because we were using structural equality and *not* considering normalization. This leads to a vtable layout with two trait pointers. When we upcast to `dyn Middle<()>`, those two supertraits are now the same, leading to a vtable layout with only one trait pointer. This leads to an offset error, and we call the wrong method. ### rust-lang#135316 This one is a bit more interesting, and is the bulk of the changes in this PR. It's a bit similar, except it uses binder equality instead of normalization to make the compiler get confused about two vtable layouts. In the example, ``` trait Supertrait<T> { fn _print_numbers(&self, mem: &[usize; 100]) { println!("{mem:?}"); } } impl<T> Supertrait<T> for () {} trait Trait<T, U>: Supertrait<T> + Supertrait<U> { fn say_hello(&self, _: &usize) { println!("Hello!"); } } impl<T, U> Trait<T, U> for () {} fn main() { (&() as &'static dyn for<'a> Trait<&'static (), &'a ()> as &'static dyn Trait<&'static (), &'static ()>) .say_hello(&0); } ``` When we prepare the vtable for `dyn for<'a> Trait<&'static (), &'a ()>`, we currently consider the PolyTraitRef of the vtable as the key for a supertrait. This leads two two supertraits -- `Supertrait<&'static ()>` and `for<'a> Supertrait<&'a ()>`. However, we can upcast[^up] without offsetting the vtable from `dyn for<'a> Trait<&'static (), &'a ()>` to `dyn Trait<&'static (), &'static ()>`. This is just instantiating the principal trait ref for a specific `'a = 'static`. However, when considering those supertraits, we now have only one distinct supertrait -- `Supertrait<&'static ()>` (which is deduplicated since there are two supertraits with the same substitutions). This leads to similar offsetting issues, leading to the wrong method being called. [^up]: I say upcast but this is a cast that is allowed on stable, since it's not changing the vtable at all, just instantiating the binder of the principal trait ref for some lifetime. The solution here is to recognize that a vtable isn't really meaningfully higher ranked, and to just treat a vtable as corresponding to a `TraitRef` so we can do this deduplication more faithfully. That is to say, the vtable for `dyn for<'a> Tr<'a>` and `dyn Tr<'x>` are always identical, since they both would correspond to a set of free regions on an impl... Do note that `Tr<for<'a> fn(&'a ())>` and `Tr<fn(&'static ())>` are still distinct. ---- There's a bit more that can be cleaned up. In codegen, we can stop using `PolyExistentialTraitRef` basically everywhere. We can also fix SMIR to stop storing `PolyExistentialTraitRef` in its vtable allocations. As for testing, it's difficult to actually turn this into something that can be tested with `rustc_dump_vtable`, since having multiple supertraits that are identical is a recipe for ambiguity errors. Maybe someone else is more creative with getting that attr to work, since the tests I added being run-pass tests is a bit unsatisfying. Miri also doesn't help here, since it doesn't really generate vtables that are offset by an index in the same way as codegen. r? `@lcnr` for the vibe check? Or reassign, idk. Maybe let's talk about whether this makes sense. <sup>(I guess an alternative would also be to not do any deduplication of vtable supertraits (or only a really conservative subset) rather than trying to normalize and deduplicate more faithfully here. Not sure if that works and is sufficient tho.)</sup> cc `@steffahn` -- ty for the minimizations cc `@WaffleLapkin` -- since you're overseeing the feature stabilization :3 Fixes rust-lang#135315 Fixes rust-lang#135316
This comment has been minimized.
This comment has been minimized.
|
💔 Test failed - checks-actions |
bors
added
S-waiting-on-review
|
That looks like it may be a proper error and requires a higher recursion limit/manual auto trait impl in fuchsia? |
|
☔ The latest upstream changes (presumably #136035) made this pull request unmergeable. Please resolve the merge conflicts. |
compiler-errors
force-pushed
the
vtable-fixes
branch
from
526d71e to
d98b99a
Compare
|
@bors r=lcnr |
bors
added
S-waiting-on-bors
|
Thank you for your hard work, compiler-errors. |
|
☀️ Test successful - checks-actions |
Ensure that we never try to monomorphize the upcasting of impossible dyn types Just the last commit, blocked on rust-lang#135318. r? lcnr
|
Finished benchmarking commit (c37fbd8): comparison URL. Overall result: ❌ regressions - no action needed@rustbot label: -perf-regression Instruction countThis is the most reliable metric that we have; it was used to determine the overall result at the top of this comment. However, even this metric can sometimes exhibit noise.
Max RSS (memory usage)Results (primary -4.3%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesResults (secondary -0.7%)This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Binary sizeThis benchmark run did not return any relevant results for this metric. Bootstrap: 777.277s -> 776.084s (-0.15%) |
We currently have two cases where subtleties in supertraits can trigger disagreements in the vtable layout, e.g. leading to a different vtable layout being accessed at a callsite compared to what was prepared during unsizing. Namely:
#135315
In this example, we were not normalizing supertraits when preparing vtables. In the example,
When we prepare
dyn Trait, we see a supertrait ofMiddle<<() as Identity>::Selff>, which itself has two supertraitsSupertrait<()>andSupertrait<<() as Identity>::Selff>. These two supertraits are identical, but they are not duplicated because we were using structural equality and not considering normalization. This leads to a vtable layout with two trait pointers.When we upcast to
dyn Middle<()>, those two supertraits are now the same, leading to a vtable layout with only one trait pointer. This leads to an offset error, and we call the wrong method.#135316
This one is a bit more interesting, and is the bulk of the changes in this PR. It's a bit similar, except it uses binder equality instead of normalization to make the compiler get confused about two vtable layouts. In the example,
When we prepare the vtable for
dyn for<'a> Trait<&'static (), &'a ()>, we currently consider the PolyTraitRef of the vtable as the key for a supertrait. This leads two two supertraits --Supertrait<&'static ()>andfor<'a> Supertrait<&'a ()>.However, we can upcast1 without offsetting the vtable from
dyn for<'a> Trait<&'static (), &'a ()>todyn Trait<&'static (), &'static ()>. This is just instantiating the principal trait ref for a specific'a = 'static. However, when considering those supertraits, we now have only one distinct supertrait --Supertrait<&'static ()>(which is deduplicated since there are two supertraits with the same substitutions). This leads to similar offsetting issues, leading to the wrong method being called.The solution here is to recognize that a vtable isn't really meaningfully higher ranked, and to just treat a vtable as corresponding to a
TraitRefso we can do this deduplication more faithfully. That is to say, the vtable fordyn for<'a> Tr<'a>anddyn Tr<'x>are always identical, since they both would correspond to a set of free regions on an impl... Do note thatTr<for<'a> fn(&'a ())>andTr<fn(&'static ())>are still distinct.There's a bit more that can be cleaned up. In codegen, we can stop using
PolyExistentialTraitRefbasically everywhere. We can also fix SMIR to stop storingPolyExistentialTraitRefin its vtable allocations.As for testing, it's difficult to actually turn this into something that can be tested with
rustc_dump_vtable, since having multiple supertraits that are identical is a recipe for ambiguity errors. Maybe someone else is more creative with getting that attr to work, since the tests I added being run-pass tests is a bit unsatisfying. Miri also doesn't help here, since it doesn't really generate vtables that are offset by an index in the same way as codegen.r? @lcnr for the vibe check? Or reassign, idk. Maybe let's talk about whether this makes sense.
(I guess an alternative would also be to not do any deduplication of vtable supertraits (or only a really conservative subset) rather than trying to normalize and deduplicate more faithfully here. Not sure if that works and is sufficient tho.)
cc @steffahn -- ty for the minimizations
cc @WaffleLapkin -- since you're overseeing the feature stabilization :3
Fixes #135315
Fixes #135316
Footnotes
I say upcast but this is a cast that is allowed on stable, since it's not changing the vtable at all, just instantiating the binder of the principal trait ref for some lifetime. ↩