Is undefined behavior possible in safe Rust?

About

Asked 24/6, 2020 at 16:12 Answered 24/6, 2020 at 16:15

Solved rust undefined-behavior unsafe standard-library

Is there any way to achieve undefined behavior in Rust without using unsafe?

Of course, such behavior can be wrapped by a third-party library in a "safe" function so let's assume we're using only the standard one.

Heterochromous answered 24/6, 2020 at 16:12 Comment(0)

Absolutely, but any such case is a bug with Rust or the standard libary.

My favorite example is LLVM loop optimization can make safe programs crash, which actually occurs due to a poor interaction of Rust and LLVM semantics:

pub fn oops() {
    (|| loop {
        drop(42)
    })()
}

Compiled with optimizations on Rust 1.49.0, this produces the assembly:

playground::oops:
    ud2

such behavior can be wrapped by a third-party library in a "safe" function so let's assume we're using only the standard one

The standard library is a "third-party library", so I don't get the distinction.

Bonnes answered 24/6, 2020 at 16:15 Comment(10)

I meant std lib as something like "containing no bugs". As I can see, the answer is "no". – Heterochromous 24/6, 2020 at 16:19

@Heterochromous std has sometimes contained UB-causing bugs. That particular one was fixed, but you may be able to find other, more current examples by searching for issues tagged I-unsound 💥 on GitHub. – Beaudette 24/6, 2020 at 16:29

Does it mean "any such case is a bug IN THE LIBRARY" (not in its user's code)? – Heterochromous 24/6, 2020 at 18:9

@Heterochromous Clarified. – Bonnes 24/6, 2020 at 18:11

Are there any languages for which LLVM semantics are a good fit? It seems that LLVM semantics are based upon beliefs that (1) the C Standard is meant to specify all of the semantics that programmers should need to accomplish any and all kinds of tasks, rather than merely a core language which implementations intended for various tasks should extend to facilitate them, and (2) in cases where the C Standard specifies corner-case semantics that don't fit the LLVM abstraction model, it's a defect in the Standard, rather than a defect in the model. – Antenatal 24/6, 2020 at 18:42

@Antenatal It's a tradeoff. For Rust, LLVM is so good at optimization that the (pretty minor) divergence in semantics are well worth the gains in runtime performance. – Coast 25/6, 2020 at 2:5

@LambdaFairy: From what I understand, Rust had to disable some of LLVM's optimizations because their semantics weren't compatible with those of Rust. LLVM might be a decent back-end if the proper "optimizations" are disabled, but I guess my question should be whether there are any languages for which the semantics of LLVM with full optimizations enabled would be a good fit. – Antenatal 25/6, 2020 at 17:52

Only C++, I guess. – Eleemosynary 26/6, 2020 at 10:34

This has been fixed in 1.49 apparently! godbolt.org/z/GfTMvY – Perambulate 15/1, 2021 at 19:55

@LambdaFairy: I just managed to create another example of LLVM and Rust semantics disagreeing: godbolt.org/z/6cYE91 If Y happens to immediately follow X, something that could happen since the symbols are imported, and i is zero, Y[0] would be set to 4 but the function would return 3 (see line 17 of the assembly code). – Antenatal 18/1, 2021 at 23:26

Hot tags

Godot Unity Godot Help Programming Godot 4.X GUI GDScript 3D 2D Physics CSharp Godot 3.X VR XR Projects C++

Recommended topics

Hot tags