RMC doesn't seem to handle stack unwind logic correctly #545

celinval · 2021-10-07T23:43:47Z

I was playing with the assertion codegen to understand how we were handling cleanup after a failure. I created the following test case:

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 OR MIT
//
// This test ensures that rmc follows the correct CFG for assertion failures.
// - Statements that succeeds an assertion failure should be unreachable.
// - Cleanup statements should still be executed though.
// - Note that failures while unwinding actually crashes the process. So drop may only be called
//   once.
// File: cleanup.rs

#[derive(PartialEq, Eq)]
struct S {
    a: u8,
    b: u16,
}

impl Drop for S {
    fn drop(&mut self) {
        assert!(false, "A1: This should still fail during cleanup");
    }
}

pub fn main() {
    let lhs = S { a: 42, b: 42 };
    let rhs = S { a: 0, b: 0 };
    assert!(lhs == rhs, "A2: A very false statement. Always fail.");
    assert!(false, "A3: Unreachable assert. Code always panic before this line.");
}

using the following command line invocation:

rmc cleanup.rs

I expected to see this happen: Assertions A1 and A2 should fail, but assertions A3 should be unreachable.

Instead, this happened: RMC entered an infinite loop.

I also tested the code with --unwind 0. The result is incorrect. A2 and A3 fail, but A1 doesn't.

[<S as std::ops::Drop>::drop.assertion.1] line 21 A1: This should still fail during cleanup: SUCCESS
....
[main.assertion.3] line 23 resume instruction: SUCCESS
[main.assertion.1] line 26 A2: A very false statement. Always fail.: FAILURE
[main.assertion.2] line 26 A3: Unreachable assert. Code always panic before this line.: FAILURE

The text was updated successfully, but these errors were encountered:

celinval · 2021-10-07T23:53:53Z

Note that the cleanup logic seems correct when there is no unwinding:

// Copyright Amazon.com, Inc. or its affiliates. All Rights Reserved.
// SPDX-License-Identifier: Apache-2.0 OR MIT

#[derive(PartialEq, Eq)]
struct S {
    a: u8,
}

impl Drop for S {
    fn drop(&mut self) {
        assert!(false, "A1: This should still fail during cleanup");
    }
}

pub fn main() {
    let lhs = S { a: 42 };
    let rhs = S { a: 0 };
    assert!(lhs != rhs, "A2: A true statement. Succeed");
}

Result is:

[<S as std::ops::Drop>::drop.assertion.1] line 21 A1: This should still fail during cleanup: FAILURE
...
[main.assertion.2] line 22 resume instruction: SUCCESS
[main.assertion.1] line 25 A2: A true statement. Succeed: SUCCESS

celinval · 2021-12-07T19:07:02Z

There are actually two different bugs reported in this issue.

Infinite loop.
Incorrect cleanup logic.

We'll handle the bug #1 on issue #636 and we'll leave this issue to track bug #2

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes model-checking#466, fixes model-checking#543, and fixes model-checking#636. This change also mitigates model-checking#545.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes #466, fixes #543, and fixes #636. This change also mitigates #545.

celinval · 2021-12-14T21:10:48Z

We don't support stack unwinding yet. I created a feature request (#692) to track that. I'll leave this issue open for now since it is a valid use case that we should ensure gets covered.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes model-checking#67, fixes model-checking#466, fixes model-checking#543, and fixes model-checking#636. This change also mitigates model-checking#545.

I refactored how we codegen panic statements so it now it terminate the program per its spec. I have also removed the hack we had to try to get the assert location. Since we currently do not support stack unwinding, the panic codegen will always terminate immediately and it will not try to unwind the stack. I added an option to RMC to force the compiler to use abort as the panic strategy and a check to rmc codegen that will fail if the user tries to override that. Another note is that we currently do not support `#[track_caller]` and I have not changed that. This change fixes #67, fixes #466, fixes #543, and fixes #636. This change also mitigates #545.

tedinski · 2022-11-14T16:53:44Z

I don't think this is tracking anything not in #692 and #267, closing.

celinval added [C] Bug This is a bug. Something isn't working. Area: compilation T-High Priority Tag issues that have high priority [F] Soundness Kani failed to detect an issue labels Oct 7, 2021

celinval changed the title ~~RMC codegen for cleanup logic is incorrect and it generates a loop~~ RMC codegen for cleanup logic is incorrect and it may even result in a loop Oct 8, 2021

celinval self-assigned this Oct 8, 2021

celinval added this to the Soundness milestone Oct 8, 2021

celinval changed the title ~~RMC codegen for cleanup logic is incorrect and it may even result in a loop~~ RMC doesn't seem to handle unwind logic correctly Oct 8, 2021

celinval mentioned this issue Oct 12, 2021

Panic and abort should stop the program execution #543

Closed

celinval changed the title ~~RMC doesn't seem to handle unwind logic correctly~~ RMC doesn't seem to handle stack unwind logic correctly Oct 12, 2021

celinval mentioned this issue Nov 11, 2021

An example with a false assertion doesn't terminate #636

Closed

celinval mentioned this issue Dec 10, 2021

Fix assert!() and panic!() code generation #687

Merged

4 tasks

celinval added [C] Feature / Enhancement A new feature request or enhancement to an existing feature. and removed [C] Bug This is a bug. Something isn't working. T-High Priority Tag issues that have high priority [F] Soundness Kani failed to detect an issue Soundness: Medium labels Mar 14, 2022

celinval removed their assignment Aug 9, 2022

celinval removed the Area: compilation label Nov 9, 2022

tedinski closed this as completed Nov 14, 2022

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

RMC doesn't seem to handle stack unwind logic correctly #545

RMC doesn't seem to handle stack unwind logic correctly #545

celinval commented Oct 7, 2021 •

edited

Loading

celinval commented Oct 7, 2021

celinval commented Dec 7, 2021

celinval commented Dec 14, 2021

tedinski commented Nov 14, 2022

RMC doesn't seem to handle stack unwind logic correctly #545

RMC doesn't seem to handle stack unwind logic correctly #545

Comments

celinval commented Oct 7, 2021 • edited Loading

celinval commented Oct 7, 2021

celinval commented Dec 7, 2021

celinval commented Dec 14, 2021

tedinski commented Nov 14, 2022

celinval commented Oct 7, 2021 •

edited

Loading