Dafny to Rust : Object::from_ref is unsound #5851
Labels
during 4: bad execution of correct program
A bug in the Dafny compiler that causes a correct Dafny program to execute incorrectly
kind: bug
Crashes, unsoundness, incorrect output, etc. If possible, add a `part:` label
Comments
MikaelMayer
added
kind: bug
MikaelMayer
changed the title
MikaelMayer
added a commit
that referenced
this issue
Oct 24, 2024
…unt. Fixes #5851 I haven't been able to produce consistently any program that could exhibit the issue this PR is solving, the only hint I had that this happened was the report of #5851, which I reasoned manually must come from this function that is being skipped. By making it opaque to the compiler, we prevent optimizations that would skip the strong count from increasing. Alternative to this would be to pass &Rc<Self> instead of &Self, which is what https://github.com/dafny-lang/dafny/tree/fix-object-safety-rust does, but &Rc does not make traits object-safe, which means we can't yet use them in the code. I tried also passing a second arguments so that we directly have a `Rc<>` and don't need to recover it from the &T, but `this: Rc<Self>` again makes the trait not object-safe, and `this: Rc<dyn Any>` causes an issue because we can't create this argument when what we have is only the trait, and trait upcast to Any is currently unsound in Rust. This PR is the best workaround I found so far.
|
Reopening because the issue reappeared in nightly. |
MikaelMayer
added a commit
that referenced
this issue
Oct 29, 2024
…unt (#5858) Fixes #5851 I haven't been able to produce consistently any program that could exhibit the issue this PR is solving, the only hint I had that this happened was the report of #5851, which I reasoned manually must come from this function that is being skipped. By making it opaque to the compiler, we prevent optimizations that would skip the strong count from increasing. Alternative to this would be to pass &Rc<Self> instead of &Self, which is what https://github.com/dafny-lang/dafny/tree/fix-object-safety-rust does, but &Rc does not make traits object-safe, which means we can't yet use them in the code. I tried also passing a second arguments so that we directly have a `Rc<>` and don't need to recover it from the &T, but `this: Rc<Self>` again makes the trait not object-safe, and `this: Rc<dyn Any>` causes an issue because we can't create this argument when what we have is only the trait, and trait upcast to Any is currently unsound in Rust. This PR is the best workaround I found so far. <small>By submitting this pull request, I confirm that my contribution is made under the terms of the [MIT license](https://github.com/dafny-lang/dafny/blob/master/LICENSE.txt).</small>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This soundness test failed for an unrelated change.
https://github.com/dafny-lang/dafny/actions/runs/11447012699/job/31848553864?pr=5845
Exit code 132 is a segfault. The only likely segfaulting place for this code is the accidental removal of the manual incrementation of the strong count, which this test is verifying does not happen. That means the current workaround of
#[inline(never)]wasn't sufficient and the method was skipped.We need another solution that does not rely on converting the
&selfback to a&Rc<Self>manually.Anything that upcast a reference to a trait (including object) or use "this" without dereferencing a field might trigger this soundness issue.
The text was updated successfully, but these errors were encountered: