Skip to content

Segfault due to impossible_predicates treating ambiguous obligation as impossible #141119

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
compiler-errors opened this issue May 17, 2025 · 2 comments · Fixed by #141121
Closed

Segfault due to impossible_predicates treating ambiguous obligation as impossible #141119

compiler-errors opened this issue May 17, 2025 · 2 comments · Fixed by #141121
Assignees
@compiler-errors
Labels
A-codegen Area: Code generation C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness P-critical Critical priority T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-types Relevant to the types team, which will review and decide on the PR/issue. WG-trait-system-refactor The Rustc Trait System Refactor Initiative (-Znext-solver)

Comments

@compiler-errors
Copy link
Member

I tried this code:

trait Mirror {
    type Assoc: ?Sized;
}
impl<T: ?Sized> Mirror for T {
    type Assoc = T;
}

trait Q: 'static {
    fn q(&self);
}

impl Q for i32 {
    fn q(&self) { println!("i32"); }
}

impl Q for <dyn Q as Mirror>::Assoc where Self: 'static {
    fn q(&self) { println!("dyn Q"); }
}

fn foo<T: Q + ?Sized>(t: &T) {
    t.q();
}

fn main() {
    foo(&1 as &dyn Q);
}

I expected it to work. But instead:

Exited with signal 11 (SIGSEGV): segmentation violation

This is a manifestation of two bugs:

  • Overlap between built-in and user-written impls for dyn Trait: Trait
  • Ambiguity was being treated as a hard error in the impossible_predicates method

Since the new trait solver treats some dyn Trait: Trait overlap as ambiguity (specifically when the responses from the two candidates differ), and we strike methods from the vtable if impossible_predicates returns true, a false positive will lead to a segfault.

Meta

rustc --version --verbose:

rustc 1.89.0-nightly (16d2276fa 2025-05-16)
binary: rustc
commit-hash: 16d2276fa6fccb0cc239a542d4c3f0eb46f660ec
commit-date: 2025-05-16
host: x86_64-unknown-linux-gnu
release: 1.89.0-nightly
LLVM version: 20.1.4
@compiler-errors compiler-errors added the C-bug Category: This is a bug. label May 17, 2025
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label May 17, 2025
@compiler-errors compiler-errors added A-codegen Area: Code generation I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness WG-trait-system-refactor The Rustc Trait System Refactor Initiative (-Znext-solver) and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels May 17, 2025
@rustbot rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label May 17, 2025
@compiler-errors
Copy link
Member Author

Partly due to #136988, partly due to very very old code:

https://github.com/rust-lang/rust/blame/c6ed442f401d90211ae36a9808ccaf0a3dc025f6/src/librustc_trait_selection/traits/mod.rs#L126

We've basically always treated ambiguity as error for this case 💀

@matthiaskrgr
Copy link
Member

miri:

error: Undefined Behavior: `dyn` call trying to call something that is not a method
  --> src/main.rs:21:5
   |
21 |     t.q();
   |     ^^^^^ `dyn` call trying to call something that is not a method
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: BACKTRACE:
   = note: inside `foo::<dyn Q>` at src/main.rs:21:5: 21:10
note: inside `main`
  --> src/main.rs:25:5
   |
25 |     foo(&1 as &dyn Q);
   |     ^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

@compiler-errors compiler-errors mentioned this issue May 17, 2025
Merged
@lcnr lcnr added P-critical Critical priority and removed I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels May 17, 2025
@compiler-errors compiler-errors changed the title Segfault due to impossible_predicates treating Segfault due to impossible_predicates treating ambiguous obligation as impossible May 17, 2025
@jieyouxu jieyouxu added T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-types Relevant to the types team, which will review and decide on the PR/issue. labels May 17, 2025
@bors bors closed this as completed in 616650b May 17, 2025
rust-timer added a commit to rust-lang-ci/rust that referenced this issue May 17, 2025
@rust-timer
Unrolled build for rust-lang#141121
45a9e15 
Rollup merge of rust-lang#141121 - compiler-errors:ambig-is-not-err, r=lcnr

Only select true errors in `impossible_predicates`

See description in test.

Fixes rust-lang#141119

r? lcnr
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@compiler-errors compiler-errors

Labels
A-codegen Area: Code generation C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness P-critical Critical priority T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. T-types Relevant to the types team, which will review and decide on the PR/issue. WG-trait-system-refactor The Rustc Trait System Refactor Initiative (-Znext-solver)
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Only select true errors in impossible_predicates compiler-errors/rust
5 participants
@matthiaskrgr @compiler-errors @lcnr @jieyouxu @rustbot