[rustc_ast/src/ast_traits.rs:301] Stack overflow for nested expressions

[bf]

Code

fn main {
// please see attached files for full code
let x = 1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+1+ (repeat 100k times) +1; 
}

Affected release channels

• Previous Stable
• Current Stable
• Current Beta
• Current Nightly

Rust Version

rustc 1.83.0 (90b35a623 2024-11-26) (Arch Linux rust 1:1.83.0-1)
binary: rustc
commit-hash: 90b35a6239c3d8bdabc530a6a0816f7ff89a0aaf
commit-date: 2024-11-26
host: x86_64-unknown-linux-gnu
release: 1.83.0
LLVM version: 18.1.8

Current error output

Backtrace

$ RUST_BACKTRACE=full rustc evil8.rs
error: rustc interrupted by SIGSEGV, printing backtrace

/usr/lib/librustc_driver-37bf60d83001ffbc.so(+0x1373cb9) [0x7524d7373cb9]
/usr/lib/libc.so.6(+0x3d1d0) [0x7524d5e4c1d0]
/usr/lib/librustc_driver-37bf60d83001ffbc.so(_RNvXsm_NtCsi33IywiuLMr_12rustc_expand6expandNtB5_19InvocationCollectorNtNtCs2HYUzTpzXjS_9rustc_ast9mut_visit10MutVisitor10visit_expr+0x1b7) [0x7524d9af1057]

### cycle encountered after 3 frames with period 4
/usr/lib/librustc_driver-37bf60d83001ffbc.so(+0x3bc9e47) [0x7524d9bc9e47]
/usr/lib/librustc_driver-37bf60d83001ffbc.so(_RNvXsm_NtCsi33IywiuLMr_12rustc_expand6expandNtB5_19InvocationCollectorNtNtCs2HYUzTpzXjS_9rustc_ast9mut_visit10MutVisitor10visit_expr+0x779) [0x7524d9af1619]
/usr/lib/librustc_driver-37bf60d83001ffbc.so(+0x3bc9e47) [0x7524d9bc9e47]
/usr/lib/librustc_driver-37bf60d83001ffbc.so(_RNvXsm_NtCsi33IywiuLMr_12rustc_expand6expandNtB5_19InvocationCollectorNtNtCs2HYUzTpzXjS_9rustc_ast9mut_visit10MutVisitor10visit_expr+0x779) [0x7524d9af1619]
### recursed 63 times

/usr/lib/librustc_driver-37bf60d83001ffbc.so(+0x3bc9e47) [0x7524d9bc9e47]

note: rustc unexpectedly overflowed its stack! this is a bug
note: maximum backtrace depth reached, frames may have been lost
note: we would appreciate a report at https://github.com/rust-lang/rust
help: you can increase rustc's stack size by setting RUST_MIN_STACK=16777216
Segmentation fault (core dumped)





(gdb) run
Starting program: /usr/bin/rustc evil8.rs
[Thread debugging using libthread_db enabled]
Using host libthread_db library "/usr/lib/libthread_db.so.1".
[New Thread 0x7fffe85ff6c0 (LWP 1346636)]
[New Thread 0x7fffe7dff6c0 (LWP 1346637)]

Thread 3 "rustc" received signal SIGSEGV, Segmentation fault.
[Switching to Thread 0x7fffe7dff6c0 (LWP 1346637)]

Downloading 11.41 K source file /usr/src/debug/rust/rustc-1.83.0-src/compiler/rustc_ast/src/ast_traits.rs
0x00007ffff6ef1057 in rustc_ast::ast_traits::{impl#8}::visit_attrs<rustc_ast::ptr::P<rustc_ast::ast::Expr>, rustc_expand::expand::{impl#23}::take_first_attr::{closure_env#1}<rustc_ast::ptr::P<rustc_ast::ast::Expr>>> (self=0x7fffe54bfa50, f=<error reading variable: access outside bounds of object referenced via synthetic pointer>) at compiler/rustc_ast/src/ast_traits.rs:301
301            self.ast_deref_mut().visit_attrs(f)
(gdb)

Anything else?

This is a different SIGSEGV than the one sent earlier. Might not be exploitable, but rustc should be more robust for long inputs.
Also works in macros. Rustfmt also crashes, while rust-analyzer does not.

Please see evil8.rs.txt and evil9.rs.txt for full example code.

[jieyouxu]

Triage: note that the example is synthetically generated