Miscompilation when using wrapping_sub/wrapping_add on pointer.

[steffahn]

Relevant comment on IRLO. The following code leads to illegal instruction in release mode. (It works fine, printing 42 in debug mode.)

pub unsafe fn foo(x: *const i8) -> i8 {
    *x.wrapping_sub(x as _).wrapping_add(x as _)
}

fn main() {
    let x = 42;
    println!("{}", unsafe {foo(&x)});
}

Apparently, leaving the object x with a wrapping_sup, then going back into the object with wrapping_add and dereferencing the resulting pointer is supposed to be safe (although there is still an open issue (#80306) about properly documenting that this is safe).

As discussed in the linked IRLO thread, what’s probably happening here is that LLVM realizes that the first x.wrapping_sub(x as _) evaluates to the null pointer, and then considers the code equivalent to something like *std::ptr::null().wrapping_add(x as _) which is then detected as UB (dereferencing some integer offset of the null pointer), hence the illegal instruction.

(Playground)

Errors:

   Compiling playground v0.0.1 (/playground)
    Finished release [optimized] target(s) in 1.03s
     Running `target/release/playground`
timeout: the monitored command dumped core
/playground/tools/entrypoint.sh: line 11:     7 Illegal instruction     timeout --signal=KILL ${timeout} "$@"

[steffahn]

Here’s a similar miscompilation, using only safe Rust code
(admitted, I was playing around with this until I got some safe code to miscompile, I’m not entirely sure anymore as to why exactly this particular example gets turned into UB by the optimizer)

pub fn ptr(x: *const i8) -> *const i8 {
    x.wrapping_offset(-(x as isize)).wrapping_offset(x as isize)
}
pub fn zero(x: *const i8) -> isize {
    (ptr(x) as isize).wrapping_add(-(x as isize))
}
pub fn qux(x: &[i8]) -> i8 {
    x[zero(x.as_ptr()) as usize]
}

fn main() {
    let z = vec![42, 43];
    println!("{}", qux(&z));
}

(playground)

   Compiling playground v0.0.1 (/playground)
    Finished release [optimized] target(s) in 0.60s
     Running `target/release/playground`
timeout: the monitored command dumped core
/playground/tools/entrypoint.sh: line 11:     7 Illegal instruction     timeout --signal=KILL ${timeout} "$@"

@rustbot modify labels: C-bug, T-compiler
@rustbot prioritize

[LeSeulArtichaut]

After a bit of godbolt testing, this seems to happen since 1.16.0, when ptr_wrapping_offset was stabilized

[nikic]

Reduced: https://llvm.godbolt.org/z/qec9oz

[nikic]

LLVM bug report: https://bugs.llvm.org/show_bug.cgi?id=48577

[steffahn]

Simplified the vec example:

pub fn zero(x: usize) -> usize {
    std::ptr::null::<i8>().wrapping_add(x) as usize - x
}
pub fn qux(x: &[i8]) -> i8 {
    x[zero(x.as_ptr() as usize)]
}

fn main() {
    let z = vec![42, 43];
    println!("{}", qux(&z));
}