[HN Gopher] Achievement unlocked: rustc segfault
___________________________________________________________________
Achievement unlocked: rustc segfault
Author : bcantrill
Score : 112 points
Date : 2022-04-10 19:47 UTC (3 hours ago)
(HTM) web link (gist.github.com)
(TXT) w3m dump (gist.github.com)
| EdSchouten wrote:
| It's amazing how in-line assembly is always such a big source of
| miscompilations/compiler crashes. Both with C/C++ and Rust. With
| GCC or Clang. It doesn't matter.
| VWWHFSfQ wrote:
| I'm never surprised by these kinds of bugs. C is _not_ a low-
| level language, despite people thinking that it is. It's a
| high-level language that is translated to low-level
| instructions.
|
| C was considered a high-level language in 1980. In 2022, it's
| low-level. You see how far we've come here. People used to
| program for the CPU. Now they program for the C compiler!
|
| Surprise! The compiler has bugs.
| gpm wrote:
| I think it makes sense as a place to expect bugs. It's a rarely
| used feature which interacts in a unique way with some pretty
| core parts of the compiler, in a platform dependent manner.
| mhh__ wrote:
| Although in recent years the representation has become a lot
| more abstract (and people to correctly generate that abstract
| representation), inline assembler tends to have a lot of
| monotonous drivel to get right.
| kibwen wrote:
| Amusingly, if I recall correctly, the author of this post was
| the author of Rust's original (never stable, now removed)
| inline assembly support, years and years ago. Certainly one of
| the best people in the world to have encountered this bug!
| monocasa wrote:
| Oh, lol, I guess I get that achievement too. Custom target spec
| json with incompatible MIPS cpu and abi options was what did it.
| That was a few years back, but post 1.0 at least.
| kelnos wrote:
| Perhaps I missed it, but too bad OP didn't submit a fix to LLVM
| as well, or at least file a bug report there. Sure, rustc was
| emitting bad IR, but LLVM shouldn't crash! It should catch the
| issue and exit cleanly with an error message. Probably would have
| been easier to debug this issue if LLVM hadn't crashed in the
| first place, too.
|
| Either way, a really fun read. For some reason I enjoy reading
| debugging stories for bugs that I almost certainly wouldn't be
| able to solve myself.
| hu3 wrote:
| One of the reasons aircrafts like Boeing runs on safer languages
| like Ada.
|
| There's a pretty cool article about it:
| http://archive.adaic.com/projects/atwork/boeing.html
|
| edit: To those stating it was C++ portion of the compiler code at
| fault. That's not the point. Ada offers greater protection
| against segfaults than Rust. Not to mention that part of the
| compiler still being written in C++ and not Rust doesn't bode
| well.
| msla wrote:
| https://yarchive.net/comp/ada.html
|
| (Marc H. Donner and David H. Jameson, "Language and Operating
| System Features for Real-time Programming", Computing Systems
| vol 1 number 1, winter 1988, pp 33-62):
|
| > Ill-chosen abstraction is particularly evident in the design
| of the Ada runtime system. The interface to the Ada runtime
| system is so opaque that it is impossible to model or predict
| its performance, making it effectively useless for real-time
| systems.
|
| More:
|
| https://catless.ncl.ac.uk/Risks/6/36#subj12
|
| > Am I correct in thinking that several (two?) missiles were
| recently destroyed on launch each of which had their guidance
| systems coded in Ada? Were the problems which forced the
| destruction of the missiles the result of bad software design
| or some inherent ambiguity in Ada syntax?
|
| > I spotted but unfortunately left unlogged a report somewhere
| which gave an account of a talk by a leading scientist (name?)
| in the military technology area who expressed grave
| reservations about the design of Ada. I _think_ the report
| mentioned that the person expressed little confidence in
| guidance systems coded in Ada.
| johnisgood wrote:
| This is going to invite all the people who know nothing about
| the language and the circumstances with regarding to Ariane 5.
| :)
| hu3 wrote:
| Agreed. To those seeking more information about this, I
| always refer to this article because of the links it
| contains:
|
| http://www.rvs.uni-
| bielefeld.de/publications/Incidents/DOCS/...
| __jem wrote:
| I didn't read that closely, but isn't this is a segfault in the
| compiler, not a miscompilation?
| titzer wrote:
| Nothing inspires confidence like the compiler crashing. Given
| C/C++'s attitude towards UB, a crash just means you got lucky
| and the program really f'd up before doing something
| seriously nefarious like silent memory corruption or carrying
| on with nonsensical results....
| kelnos wrote:
| As a practical matter, though, I'd much rather the compiler
| segfault, than miscompile my code so it does something
| incorrect at runtime.
|
| But agreed that seeing a compiler segfault doesn't inspire
| confidence!
| gpm wrote:
| Yes.
|
| A segfault in the portion of the compiler written in C++ no
| less, though triggered by invalid input from the portion of
| the compiler written in rust (due to a logic bug).
|
| Unless GPs point is that "rust code can still have bugs" (so
| can ADA) or "the rust compiler still has bugs" (I'm willing
| to bet so do all ADA compilers) I don't see how this supports
| his claim.
| theamk wrote:
| This article compares Ada with C and PL/1. This is pretty easy
| to win - its hard to imagine language less safe than C.
| rurban wrote:
| Pretty easy to get llvm segfaults, I got that with pony also in
| development versions. The difference to rust is that this happens
| with rust compiled binaries also at run-time, in pony very
| rarely.
|
| https://github.com/rust-lang/rust/issues?q=is%3Aissue+SIGSEG...
| => 87 + 291
|
| vs
| https://github.com/ponylang/ponyc/issues?q=is%3Aissue+SIGSEG...
| => 11 + 50
|
| Now compare that to a safe systems language, e.g. sbcl:
| https://bugs.launchpad.net/sbcl/+bugs?field.searchtext=SIGSE...
| => 1 (invalid)
|
| or clisp:
| https://sourceforge.net/p/clisp/bugs/?q=%7B%22status%22%3A+%...
| => 15
| gpm wrote:
| > The difference to rust is that this happens with rust
| compiled binaries also at run-time,
|
| The list of issues you linked in an apparent attempt to support
| this claim are almost all (or maybe even all) compile time
| crashes not runtime crashes...
| kjeetgill wrote:
| The post is also about crashes in rustc not crashes in rust
| programs, right?
| gpm wrote:
| The top level link, yes.
|
| The comment I replied to... I quoted the text that made me
| think it wasn't. Am I misinterpreting it?
| woodruffw wrote:
| Not to besmirch Pony (I think it's a very interesting
| language), but isn't some of this a base sampling error? There
| are probably a few orders of magnitude more engineers writing
| Rust (and therefore running `rustc`), so we'd expect crashes in
| Rust to surface more frequently.
| rurban wrote:
| Not in memory safe languages, sorry.
| woodruffw wrote:
| I'm not sure I understand. Rust is memory safe, and the
| memory unsafety happening here isn't in Rust itself: an IR
| generation bug in Rust is causing memory unsafety in LLVM,
| which is written in C++.
|
| (Besides: If GitHub's stats are correct, `ponyc` seems to
| be >60% C and C++?)
___________________________________________________________________
(page generated 2022-04-10 23:00 UTC)