eddyb/bad.rs Secret

## bad.rs
#![no_std]
#![feature(test, maybe_uninit_extra)]

#[no_mangle]
#[inline(always)]
fn c_abort() -> ! {
    extern "C" {
        fn abort() -> !;
    }
    unsafe { abort() }
}

#[panic_handler]
#[no_mangle]
fn panic_handler(_: &core::panic::PanicInfo) -> ! {
    c_abort()
}

use core::mem::MaybeUninit;

#[inline(never)]
#[no_mangle]
extern "win64" fn opaque_id(x: Option<&mut MaybeUninit<Evil>>) -> Option<&mut MaybeUninit<Evil>> {
    x
}

#[repr(C)]
struct Evil {
    data: ([u8; 8], [u8; 8], [u8; 8]),
    padding: MaybeUninit<[u64; 22]>,
}

#[no_mangle]
pub fn main() -> i32 {
    let mut allocator = [MaybeUninit::uninit()];
    let mut allocator = allocator.iter_mut();
    loop {
        let evil3 = {
            let evil1 = {
                if core::hint::black_box(false) {
                    c_abort()
                }
                Evil {
                    data: ([1; 8], [2; 8], [3; 8]),
                    padding: MaybeUninit::uninit(),
                }
            };
            let evil2 = evil1;
            evil2
        };
        let evil4 = evil3;
        let allocated = match opaque_id(allocator.next()) {
            Some(x) => x,
            None => c_abort(),
        };
        let data = &allocated.write(evil4).data;
        if core::hint::black_box(true) {
            return if ({*data}) == ([1; 8], [2; 8], [3; 8]) { 0 } else { -1 };
        }
    }
}

## bugpoint-helper.sh
#!/bin/sh

llvm-dis "$1" -o bad.ll
./repro.sh && exit 1 || exit 0

## repro.sh
#!/bin/sh

sed 's/win64cc //' bad.ll > good.ll
llc --filetype=obj -o bad.o bad.ll
llc --filetype=obj -o good.o good.ll
cc -o bad bad.o
cc -o good good.o
./bad && exit 1
./good

## run-bugpoint.sh
#!/bin/sh

./run-standalone.sh
bugpoint -compile-custom -compile-command ./bugpoint-helper.sh bad.ll

## run-standalone.sh
#!/bin/sh

rustc -C opt-level=3 -C codegen-units=1 -C target-cpu=znver1 -C panic=abort \
    --crate-type=staticlib --edition=2018 --emit=llvm-ir bad.rs
./repro.sh && echo "Successful reproduction" || echo "Failed to reproduce"
	#![no_std]
	#![feature(test, maybe_uninit_extra)]

	#[no_mangle]
	#[inline(always)]
	fn c_abort() -> ! {
	extern "C" {
	fn abort() -> !;
	}
	unsafe { abort() }
	}

	#[panic_handler]
	#[no_mangle]
	fn panic_handler(_: &core::panic::PanicInfo) -> ! {
	c_abort()
	}

	use core::mem::MaybeUninit;

	#[inline(never)]
	#[no_mangle]
	extern "win64" fn opaque_id(x: Option<&mut MaybeUninit<Evil>>) -> Option<&mut MaybeUninit<Evil>> {
	x
	}

	#[repr(C)]
	struct Evil {
	data: ([u8; 8], [u8; 8], [u8; 8]),
	padding: MaybeUninit<[u64; 22]>,
	}

	#[no_mangle]
	pub fn main() -> i32 {
	let mut allocator = [MaybeUninit::uninit()];
	let mut allocator = allocator.iter_mut();
	loop {
	let evil3 = {
	let evil1 = {
	if core::hint::black_box(false) {
	c_abort()
	}
	Evil {
	data: ([1; 8], [2; 8], [3; 8]),
	padding: MaybeUninit::uninit(),
	}
	};
	let evil2 = evil1;
	evil2
	};
	let evil4 = evil3;
	let allocated = match opaque_id(allocator.next()) {
	Some(x) => x,
	None => c_abort(),
	};
	let data = &allocated.write(evil4).data;
	if core::hint::black_box(true) {
	return if ({*data}) == ([1; 8], [2; 8], [3; 8]) { 0 } else { -1 };
	}
	}
	}
	#!/bin/sh

	llvm-dis "$1" -o bad.ll
	./repro.sh && exit 1 \|\| exit 0
	#!/bin/sh

	sed 's/win64cc //' bad.ll > good.ll
	llc --filetype=obj -o bad.o bad.ll
	llc --filetype=obj -o good.o good.ll
	cc -o bad bad.o
	cc -o good good.o
	./bad && exit 1
	./good
	#!/bin/sh

	./run-standalone.sh
	bugpoint -compile-custom -compile-command ./bugpoint-helper.sh bad.ll
	#!/bin/sh

	rustc -C opt-level=3 -C codegen-units=1 -C target-cpu=znver1 -C panic=abort \
	--crate-type=staticlib --edition=2018 --emit=llvm-ir bad.rs
	./repro.sh && echo "Successful reproduction" \|\| echo "Failed to reproduce"