rustc crashed when compiling the crafted input

[ZhangZhuoSJTU]

I think this issue is more than an internal compiler error, so I report here.

I tried this code:

#![crate_name="0"]

fn r()->i{0|{#[cfg(r(0{]0

The md5 of poc.rs is: 55d1b05bebbe11b76ee62fe193bdd5ff

I expected to see this happen: normal compilation

Instead, this happened: rustc crashes

➜  playground rustc poc.rs
error: this file contains an unclosed delimiter
 --> poc.rs:3:27
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |          -  -             ^
  |          |  |
  |          |  unclosed delimiter
  |          unclosed delimiter

error: mismatched closing delimiter: `]`
 --> poc.rs:3:24
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |               -       -^ mismatched closing delimiter
  |               |       |
  |               |       unclosed delimiter
  |               closing delimiter possibly meant for this

error: expected one of `)` or `,`, found `{`
 --> poc.rs:3:23
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |                       ^ expected one of `)` or `,`

[1]    14378 abort (core dumped)  rustc poc.rs

Meta

I test it on nightly, beta, and stable versions.

rustc --version --verbose:

rustc 1.51.0-nightly (23adf9fd8 2021-02-05)
binary: rustc
commit-hash: 23adf9fd843da7a3394c824b056f93151aaa40ad
commit-date: 2021-02-05
host: x86_64-unknown-linux-gnu
release: 1.51.0-nightly
LLVM version: 11.0.1

rustc 1.50.0-beta.8 (1cd030396 2021-01-20)
binary: rustc
commit-hash: 1cd0303963629f317a08e7e52162ccca7232ae7f
commit-date: 2021-01-20
host: x86_64-unknown-linux-gnu
release: 1.50.0-beta.8

rustc 1.49.0 (e1884a8e3 2020-12-29)
binary: rustc
commit-hash: e1884a8e3c3e813aada8254edfa120e85bf5ffca
commit-date: 2020-12-29
host: x86_64-unknown-linux-gnu
release: 1.49.0

Backtrace

➜  playground RUST_BACKTRACE=1 rustc poc.rs
error: this file contains an unclosed delimiter
 --> poc.rs:3:27
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |          -  -             ^
  |          |  |
  |          |  unclosed delimiter
  |          unclosed delimiter

error: mismatched closing delimiter: `]`
 --> poc.rs:3:24
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |               -       -^ mismatched closing delimiter
  |               |       |
  |               |       unclosed delimiter
  |               closing delimiter possibly meant for this

error: expected one of `)` or `,`, found `{`
 --> poc.rs:3:23
  |
3 | fn r()->i{0|{#[cfg(r(0{]0
  |                       ^ expected one of `)` or `,`

[1]    16677 abort (core dumped)  RUST_BACKTRACE=1 rustc poc.rs

[ZhangZhuoSJTU]

I am not sure whether it is a security-oriented bug. If so, please close this.

But I guess it is ok to be public.

Thanks.

[nagisa]

This is an explicit process::abort:

#0  0x00007ffff305133a in raise () from /nix/store/m0xa5bz7vw7p43wi0jppvvi3c9vgqvp7-glibc-2.32-25/lib/libc.so.6
#1  0x00007ffff303b523 in abort () from /nix/store/m0xa5bz7vw7p43wi0jppvvi3c9vgqvp7-glibc-2.32-25/lib/libc.so.6
#2  0x00007ffff32b65ba in std::sys::unix::abort_internal () at /rustc/23adf9fd843da7a3394c824b056f93151aaa40ad//library/std/src/sys/unix/mod.rs:237
#3  0x00007ffff329e9b9 in std::process::abort () at /rustc/23adf9fd843da7a3394c824b056f93151aaa40ad//library/std/src/process.rs:1784
#4  0x00007ffff5b0c084 in <rustc_expand::expand::InvocationCollector as rustc_ast::mut_visit::MutVisitor>::visit_expr () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#5  0x00007ffff5b29779 in rustc_ast::mut_visit::noop_visit_expr () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#6  0x00007ffff5b45eba in rustc_ast::ptr::P<T>::filter_map () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#7  0x00007ffff5b2ede1 in rustc_ast::mut_visit::noop_flat_map_stmt_kind () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#8  0x00007ffff5b0d184 in <rustc_expand::expand::InvocationCollector as rustc_ast::mut_visit::MutVisitor>::flat_map_stmt () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#9  0x00007ffff5afe2bf in <alloc::vec::Vec<T> as rustc_data_structures::map_in_place::MapInPlace<T>>::flat_map_in_place () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#10 0x00007ffff5b2d809 in rustc_ast::mut_visit::noop_visit_item_kind () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#11 0x00007ffff5b2c101 in rustc_ast::mut_visit::noop_flat_map_item () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#12 0x00007ffff5b0df91 in <rustc_expand::expand::InvocationCollector as rustc_ast::mut_visit::MutVisitor>::flat_map_item () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#13 0x00007ffff5afb907 in <alloc::vec::Vec<T> as rustc_data_structures::map_in_place::MapInPlace<T>>::flat_map_in_place () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#14 0x00007ffff5b2d9c4 in rustc_ast::mut_visit::noop_visit_item_kind () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#15 0x00007ffff5b2c101 in rustc_ast::mut_visit::noop_flat_map_item () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#16 0x00007ffff5b0df91 in <rustc_expand::expand::InvocationCollector as rustc_ast::mut_visit::MutVisitor>::flat_map_item () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#17 0x00007ffff66d69e7 in <smallvec::SmallVec<A> as rustc_data_structures::map_in_place::MapInPlace<T>>::flat_map_in_place () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#18 0x00007ffff5b0a515 in rustc_expand::expand::MacroExpander::collect_invocations () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#19 0x00007ffff5b05efc in rustc_expand::expand::MacroExpander::fully_expand_fragment () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#20 0x00007ffff66aa780 in rustc_expand::expand::MacroExpander::expand_crate () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#21 0x00007ffff5eeec1a in rustc_session::utils::<impl rustc_session::session::Session>::time () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#22 0x00007ffff5f00d1b in rustc_interface::passes::configure_and_expand_inner () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#23 0x00007ffff5ef7275 in rustc_interface::passes::configure_and_expand::_$u7b$$u7b$closure$u7d$$u7d$::h5397698db2b97e0d () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#24 0x00007ffff5ef0756 in rustc_data_structures::box_region::PinnedGenerator<I,A,R>::new () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#25 0x00007ffff5f00234 in rustc_interface::passes::configure_and_expand () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#26 0x00007ffff5f14a8a in rustc_interface::queries::Queries::expansion () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#27 0x00007ffff5ea9cac in rustc_interface::queries::<impl rustc_interface::interface::Compiler>::enter () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#28 0x00007ffff5ea3663 in rustc_span::with_source_map () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#29 0x00007ffff5eaafca in rustc_interface::interface::create_compiler_and_run () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#30 0x00007ffff5ea3d2e in rustc_span::with_session_globals () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#31 0x00007ffff5eab473 in std::sys_common::backtrace::__rust_begin_short_backtrace () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#32 0x00007ffff5ec7e2a in core::ops::function::FnOnce::call_once{{vtable-shim}} () from /nix/store/hkv7bckn0vryzcf9x33cv4x3jqd1s513-rustc/lib/librustc_driver-197bed005be091ad.so
#33 0x00007ffff32b5dba in alloc::boxed::{{impl}}::call_once<(),FnOnce<()>,alloc::alloc::Global> () at /rustc/23adf9fd843da7a3394c824b056f93151aaa40ad/library/alloc/src/boxed.rs:1521
#34 alloc::boxed::{{impl}}::call_once<(),alloc::boxed::Box<FnOnce<()>, alloc::alloc::Global>,alloc::alloc::Global> () at /rustc/23adf9fd843da7a3394c824b056f93151aaa40ad/library/alloc/src/boxed.rs:1521
#35 std::sys::unix::thread::{{impl}}::new::thread_start () at /rustc/23adf9fd843da7a3394c824b056f93151aaa40ad//library/std/src/sys/unix/thread.rs:71
#36 0x00007ffff31eee9e in start_thread () from /nix/store/m0xa5bz7vw7p43wi0jppvvi3c9vgqvp7-glibc-2.32-25/lib/libpthread.so.0
#37 0x00007ffff311058f in clone () from /nix/store/m0xa5bz7vw7p43wi0jppvvi3c9vgqvp7-glibc-2.32-25/lib/libc.so.6

So just an ICE, just somebody used an process::abort instead of a bug!().

[nagisa]

rust/compiler/rustc_ast/src/mut_visit.rs

Lines 303 to 304 in 9a1d617

	let new_t = panic::catch_unwind(panic::AssertUnwindSafe(|| f(old_t)))
	.unwrap_or_else(|_| process::abort());

is the process::abort that's being executed.

[nagisa]

The problem is that the cfg parsing code is attempting to emit a fatal error, but error emission cannot happen through the visit_clobber function.

The stack looks something like this:

panic
rustc_span::fatal_error::FatalError::raise
rustc_parse::parser::Parser::expect_one_of
rustc_parse::parse_in
rustc_parse::validate_attr::parse_meta
rustc_expand::config::StripUnconfigured::in_cfg

Two potential fixes here: adjust visit_clobber so that it does not abort on panics or make anything running within the visit_clobber incapable of panicking. The latter is way harder and more prone to eventually break again.

I think this is probably P-medium or thereabouts.

[osa1]

It seems like the implementation of visit_clobber is copied from take_mut's take: https://github.com/Sgeo/take_mut/blob/1bd70d842c6febcd16ec1fe3a954a84032b89f52/src/lib.rs#L31-L41

[osa1]

adjust visit_clobber so that it does not abort on panics

Would this be safe? My understanding is if the callback panics then the pointer will potentially be in an inconsistent state and continuing execution will not be safe.

[nagisa]

Well, not in the exact form it is now, but there are a couple avenues that could be explored to make it more resilient to closure panics – e.g. one could replace the old value with some sort of placeholder default while the original value is being processed.

[ZhangZhuoSJTU]

Another test-case. Hope it can help.

fn a() {
    ({
    #[cfg(for (b +] 0

Playground.