Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Miri/CTFE: properly treat overflow in (signed) division/rem as UB #94512

Merged
merged 2 commits into from
Mar 3, 2022
Merged

Miri/CTFE: properly treat overflow in (signed) division/rem as UB #94512

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
6739299
Miri/CTFE: properly treat overflow in (signed) division/rem as UB
RalfJung Mar 2, 2022
24fc115
bless clippy
RalfJung Mar 3, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 3 additions & 9 deletions compiler/rustc_const_eval/src/interpret/intrinsics.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -500,15 +500,9 @@ impl<'mir, 'tcx: 'mir, M: Machine<'mir, 'tcx>> InterpCx<'mir, 'tcx, M> {
// `x % y != 0` or `y == 0` or `x == T::MIN && y == -1`.
// First, check x % y != 0 (or if that computation overflows).
let (res, overflow, _ty) = self.overflowing_binary_op(BinOp::Rem, &a, &b)?;
if overflow || res.assert_bits(a.layout.size) != 0 {
// Then, check if `b` is -1, which is the "MIN / -1" case.
let minus1 = Scalar::from_int(-1, dest.layout.size);
let b_scalar = b.to_scalar().unwrap();
if b_scalar == minus1 {
throw_ub_format!("exact_div: result of dividing MIN by -1 cannot be represented")
} else {
throw_ub_format!("exact_div: {} cannot be divided by {} without remainder", a, b,)
}
assert!(!overflow); // All overflow is UB, so this should never return on overflow.
if res.assert_bits(a.layout.size) != 0 {
throw_ub_format!("exact_div: {} cannot be divided by {} without remainder", a, b)
}
// `Rem` says this is all right, so we can let `Div` do its job.
self.binop_ignore_overflow(BinOp::Div, &a, &b, dest)
Expand Down
18 changes: 11 additions & 7 deletions compiler/rustc_const_eval/src/interpret/operator.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -196,16 +196,20 @@ impl<'mir, 'tcx: 'mir, M: Machine<'mir, 'tcx>> InterpCx<'mir, 'tcx, M> {
_ => None,
};
if let Some(op) = op {
let l = self.sign_extend(l, left_layout) as i128;
let r = self.sign_extend(r, right_layout) as i128;
// We need a special check for overflowing remainder:
// "int_min % -1" overflows and returns 0, but after casting things to a larger int
// type it does *not* overflow nor give an unrepresentable result!
if bin_op == Rem {
if r == -1 && l == (1 << (size.bits() - 1)) {
return Ok((Scalar::from_int(0, size), true, left_layout.ty));

// We need a special check for overflowing Rem and Div since they are *UB*
// on overflow, which can happen with "int_min $OP -1".
if matches!(bin_op, Rem | Div) {
if l == size.signed_int_min() && r == -1 {
if bin_op == Rem {
throw_ub!(RemainderOverflow)
} else {
throw_ub!(DivisionOverflow)
}
}
}
let l = self.sign_extend(l, left_layout) as i128;

let (result, oflo) = op(l, r);
// This may be out-of-bounds for the result type, so we have to truncate ourselves.
Expand Down
6 changes: 6 additions & 0 deletions compiler/rustc_middle/src/mir/interpret/error.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -233,6 +233,10 @@ pub enum UndefinedBehaviorInfo<'tcx> {
DivisionByZero,
/// Something was "remainded" by 0 (x % 0).
RemainderByZero,
/// Signed division overflowed (INT_MIN / -1).
DivisionOverflow,
/// Signed remainder overflowed (INT_MIN % -1).
RemainderOverflow,
/// Overflowing inbounds pointer arithmetic.
PointerArithOverflow,
/// Invalid metadata in a wide pointer (using `str` to avoid allocations).
Expand Down Expand Up @@ -310,6 +314,8 @@ impl fmt::Display for UndefinedBehaviorInfo<'_> {
}
DivisionByZero => write!(f, "dividing by zero"),
RemainderByZero => write!(f, "calculating the remainder with a divisor of zero"),
DivisionOverflow => write!(f, "overflow in signed division (dividing MIN by -1)"),
RemainderOverflow => write!(f, "overflow in signed remainder (dividing MIN by -1)"),
PointerArithOverflow => write!(f, "overflowing in-bounds pointer arithmetic"),
InvalidMeta(msg) => write!(f, "invalid metadata in wide pointer: {}", msg),
InvalidVtableDropFn(sig) => write!(
Expand Down
11 changes: 10 additions & 1 deletion compiler/rustc_mir_transform/src/const_prop.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1200,12 +1200,21 @@ impl<'tcx> MutVisitor<'tcx> for ConstPropagator<'_, 'tcx> {
AssertKind::RemainderByZero(op) => {
Some(AssertKind::RemainderByZero(eval_to_int(op)))
}
AssertKind::Overflow(bin_op @ (BinOp::Div | BinOp::Rem), op1, op2) => {
// Division overflow is *UB* in the MIR, and different than the
// other overflow checks.
Some(AssertKind::Overflow(
*bin_op,
eval_to_int(op1),
eval_to_int(op2),
))
}
AssertKind::BoundsCheck { ref len, ref index } => {
let len = eval_to_int(len);
let index = eval_to_int(index);
Some(AssertKind::BoundsCheck { len, index })
}
// Overflow is are already covered by checks on the binary operators.
// Remaining overflow errors are already covered by checks on the binary operators.
AssertKind::Overflow(..) | AssertKind::OverflowNeg(_) => None,
// Need proper const propagator for these.
_ => None,
Expand Down
10 changes: 10 additions & 0 deletions library/core/tests/num/wrapping.rs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -308,3 +308,13 @@ fn wrapping_int_api() {
}
}
}

#[test]
fn wrapping_const() {
// Specifically the wrapping behavior of division and remainder is subtle,
// see https://github.com/rust-lang/rust/pull/94512.
const _: () = {
assert!(i32::MIN.wrapping_div(-1) == i32::MIN);
assert!(i32::MIN.wrapping_rem(-1) == 0);
Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Turns out wrapping_div/rem actually does distinguish between div-by-0 and overflow, but LLVM does not (both are UB). For a second I thought wrapping_div relies on the old behavior of the interpreter, but turns out that function actually explicitly checks for this case and avoids even calling the MIR operator. So we are good.

But this is subtle enough that it warrants a specific test.

};
}
4 changes: 2 additions & 2 deletions src/test/ui/consts/const-int-unchecked.stderr
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -266,7 +266,7 @@ error[E0080]: evaluation of constant value failed
--> $DIR/const-int-unchecked.rs:134:25
|
LL | const _: i32 = unsafe { std::intrinsics::unchecked_div(i32::MIN, -1) };
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ overflow executing `unchecked_div`
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ overflow in signed division (dividing MIN by -1)

error[E0080]: evaluation of constant value failed
--> $DIR/const-int-unchecked.rs:137:25
Expand All @@ -278,7 +278,7 @@ error[E0080]: evaluation of constant value failed
--> $DIR/const-int-unchecked.rs:139:25
|
LL | const _: i32 = unsafe { std::intrinsics::unchecked_rem(i32::MIN, -1) };
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ overflow executing `unchecked_rem`
| ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ overflow in signed remainder (dividing MIN by -1)

error[E0080]: evaluation of constant value failed
--> $DIR/const-int-unchecked.rs:144:25
Expand Down
28 changes: 13 additions & 15 deletions src/test/ui/numbers-arithmetic/issue-8460-const.noopt.stderr
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,36 @@
error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:13:36
|
LL | assert!(thread::spawn(move|| { isize::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^^^ attempt to compute `isize::MIN / -1_isize`, which would overflow
|
= note: `#[deny(arithmetic_overflow)]` on by default
= note: `#[deny(unconditional_panic)]` on by default

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:15:36
|
LL | assert!(thread::spawn(move|| { i8::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^ attempt to compute `i8::MIN / -1_i8`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:17:36
|
LL | assert!(thread::spawn(move|| { i16::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i16::MIN / -1_i16`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:19:36
|
LL | assert!(thread::spawn(move|| { i32::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i32::MIN / -1_i32`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:21:36
|
LL | assert!(thread::spawn(move|| { i64::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i64::MIN / -1_i64`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:23:36
|
LL | assert!(thread::spawn(move|| { i128::MIN / -1; }).join().is_err());
Expand All @@ -41,8 +41,6 @@ error: this operation will panic at runtime
|
LL | assert!(thread::spawn(move|| { 1isize / 0; }).join().is_err());
| ^^^^^^^^^^ attempt to divide `1_isize` by zero
|
= note: `#[deny(unconditional_panic)]` on by default

error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:27:36
Expand Down Expand Up @@ -74,37 +72,37 @@ error: this operation will panic at runtime
LL | assert!(thread::spawn(move|| { 1i128 / 0; }).join().is_err());
| ^^^^^^^^^ attempt to divide `1_i128` by zero

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:37:36
|
LL | assert!(thread::spawn(move|| { isize::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^^^ attempt to compute the remainder of `isize::MIN % -1_isize`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:39:36
|
LL | assert!(thread::spawn(move|| { i8::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^ attempt to compute the remainder of `i8::MIN % -1_i8`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:41:36
|
LL | assert!(thread::spawn(move|| { i16::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i16::MIN % -1_i16`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:43:36
|
LL | assert!(thread::spawn(move|| { i32::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i32::MIN % -1_i32`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:45:36
|
LL | assert!(thread::spawn(move|| { i64::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i64::MIN % -1_i64`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:47:36
|
LL | assert!(thread::spawn(move|| { i128::MIN % -1; }).join().is_err());
Expand Down
28 changes: 13 additions & 15 deletions src/test/ui/numbers-arithmetic/issue-8460-const.opt.stderr
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -1,36 +1,36 @@
error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:13:36
|
LL | assert!(thread::spawn(move|| { isize::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^^^ attempt to compute `isize::MIN / -1_isize`, which would overflow
|
= note: `#[deny(arithmetic_overflow)]` on by default
= note: `#[deny(unconditional_panic)]` on by default

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:15:36
|
LL | assert!(thread::spawn(move|| { i8::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^ attempt to compute `i8::MIN / -1_i8`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:17:36
|
LL | assert!(thread::spawn(move|| { i16::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i16::MIN / -1_i16`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:19:36
|
LL | assert!(thread::spawn(move|| { i32::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i32::MIN / -1_i32`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:21:36
|
LL | assert!(thread::spawn(move|| { i64::MIN / -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute `i64::MIN / -1_i64`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:23:36
|
LL | assert!(thread::spawn(move|| { i128::MIN / -1; }).join().is_err());
Expand All @@ -41,8 +41,6 @@ error: this operation will panic at runtime
|
LL | assert!(thread::spawn(move|| { 1isize / 0; }).join().is_err());
| ^^^^^^^^^^ attempt to divide `1_isize` by zero
|
= note: `#[deny(unconditional_panic)]` on by default

error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:27:36
Expand Down Expand Up @@ -74,37 +72,37 @@ error: this operation will panic at runtime
LL | assert!(thread::spawn(move|| { 1i128 / 0; }).join().is_err());
| ^^^^^^^^^ attempt to divide `1_i128` by zero

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:37:36
|
LL | assert!(thread::spawn(move|| { isize::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^^^ attempt to compute the remainder of `isize::MIN % -1_isize`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:39:36
|
LL | assert!(thread::spawn(move|| { i8::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^ attempt to compute the remainder of `i8::MIN % -1_i8`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:41:36
|
LL | assert!(thread::spawn(move|| { i16::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i16::MIN % -1_i16`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:43:36
|
LL | assert!(thread::spawn(move|| { i32::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i32::MIN % -1_i32`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:45:36
|
LL | assert!(thread::spawn(move|| { i64::MIN % -1; }).join().is_err());
| ^^^^^^^^^^^^^ attempt to compute the remainder of `i64::MIN % -1_i64`, which would overflow

error: this arithmetic operation will overflow
error: this operation will panic at runtime
--> $DIR/issue-8460-const.rs:47:36
|
LL | assert!(thread::spawn(move|| { i128::MIN % -1; }).join().is_err());
Expand Down
Loading