Segfault in safe code on Rust nightly when running rustc --emit=asm,link

[pythonesque]

This reliably segfaults for me on a 13 inch 2015 Macbook Air running OS X Yosemite. I'm not sure what the culprit is yet; it might be trans. I haven't tested it with stable yet.

fn main() {
    use std::thread;

    type Key = u32;
    const NUM_THREADS: usize = 2;

    #[derive(Clone,Copy)] struct Stats<S> { upsert: S, delete: S, insert: S, update: S };
    impl<S> Stats<S> where S: Copy {
        fn dot<B, F, T>(self, s: Stats<T>, f: F) -> Stats<B> where F: Fn(S, T) -> B {
            let Stats { upsert: u1, delete: d1, insert: i1, update: p1 } = self;
            let Stats { upsert: u2, delete: d2, insert: i2, update: p2 } = s;
            Stats { upsert: f(u1, u2), delete: f(d1, d2), insert: f(i1, i2), update: f(p1, p2) }
        }
        fn new(init: S) -> Self {
            Stats { upsert: init, delete: init, insert: init, update: init }
        }
    }
    fn make_threads() -> Vec<thread::JoinHandle<()>> {
        let mut t = Vec::with_capacity(NUM_THREADS);
        for _ in 0..NUM_THREADS {
            t.push(thread::spawn(move || {}));
        }
        t
    }
    let stats = [Stats::new(0) ; NUM_THREADS];
    make_threads();
    {
        let Stats { ref upsert, ref delete, ref insert, ref update } =
            stats.iter().fold(Stats::new(0), |res, &s| res.dot(s, |x: Key, y: Key| x.wrapping_add(y) ) );
        println!("upserts: {}, deletes: {}, inserts: {}, updates: {}",
                 upsert, delete, insert, update);
    }
}

---

$ rustc foo.rs -C opt-level=3 --emit=asm,link
$ ./foo
Illegal instruction: 4 # or Segmentation fault: 11

Maybe related to #24876 ?

[sfackler]

Seems to run fine on both 1.0 stable and a nightly on x86_64 Linux.

[alexcrichton]

Confirmed to segfault on OSX with stable rust. Also confirmed to have different IR with --emit asm or not, although only in symbol names... not entirely sure what's going on here.

[pythonesque]

Finding it hard to reduce further than this testcase (the usual tricks for getting rid of stuff like Vec don't appear to be working):

fn main() {
    use std::thread;
    let ref foo = [(0, 0, 0, 0)];
    vec![thread::Builder::new().spawn(|| ()).ok()];
    {
        let mut res = (0, 0, 0, 0);
        for s in foo {
            res = (s.0, s.1, s.2, s.3);
        }
        println!("{}{}", res.0, res.1);
    }
}

[pythonesque]

Interestingly, in a dummy implementation which includes thread::Builder, removing the mutex used for park / unpark seems to make the issue go away (no idea if that's the real problem though).

[chrisrharris]

I also ran into a segfault with cargo on rust 1.2, but only when installing rust from homebrew. (OSX Yosemite 10.10.4)

[steveklabnik]

Tagging as unsound due to segfault in stable rust.

[bstrie]

Nominating as this is a soundness bug that has yet to have a priority assigned.

[nikomatsakis]

triage: P-medium

Believed to be specific to --emit asm,link, which is a rather specific scenario. We believe the fix is #29385.

[dotdash]

@alexcrichton you're seeing the same asm from --emit=asm because that happens first, because the codegen for the link output breaks things. You do get different asm if you look at the output from objdump -S (I don't know what's the equivalent tool on OSX)

[dotdash]

... that's using --emit=link vs. --emit=asm,link then, of course.