rust-bindgen icon indicating copy to clipboard operation
rust-bindgen copied to clipboard
verified publisher icon rust-lang

Stack overflow when running into C++ union with variadic templates

Open talbenari1 opened this issue 5 years ago • 2 comments

This bizarre edge case in a library I'm consuming has caused bindgen to segfault. I've simplified it the best I can:

// input.h
template<typename T, typename... U> union Foo {
  Foo<U...> foo;
};

I get no output from bindgen, just a segfault:

$ bindgen input.h -- -x c++
zsh: segmentation fault (core dumped)  bindgen input.h -- -x c++

I know that C++ templates (and especially variadic templates) are beyond the scope of bindgen, but I believe that it would probably be better if it output "Unhandled cursor kind" or something along those lines.

Some other notes for debugging:

  • --blacklist-type Foo works, but discovering the type when it's buried deep in a library's header files takes a while (speaking from experience :wink:)

  • Removing T from the template does not invoke a segfault:

    template<typename... U> union Foo {
  Foo<U...> foo;
};
    Bindgen output 
    /* automatically generated by rust-bindgen 0.54.1 */

#[repr(C)]
pub struct __BindgenUnionField<T>(::std::marker::PhantomData<T>);
impl<T> __BindgenUnionField<T> {
    #[inline]
    pub const fn new() -> Self {
        __BindgenUnionField(::std::marker::PhantomData)
    }
    #[inline]
    pub unsafe fn as_ref(&self) -> &T {
        ::std::mem::transmute(self)
    }
    #[inline]
    pub unsafe fn as_mut(&mut self) -> &mut T {
        ::std::mem::transmute(self)
    }
}
impl<T> ::std::default::Default for __BindgenUnionField<T> {
    #[inline]
    fn default() -> Self {
        Self::new()
    }
}
impl<T> ::std::clone::Clone for __BindgenUnionField<T> {
    #[inline]
    fn clone(&self) -> Self {
        Self::new()
    }
}
impl<T> ::std::marker::Copy for __BindgenUnionField<T> {}
impl<T> ::std::fmt::Debug for __BindgenUnionField<T> {
    fn fmt(&self, fmt: &mut ::std::fmt::Formatter<'_>) -> ::std::fmt::Result {
        fmt.write_str("__BindgenUnionField")
    }
}
impl<T> ::std::hash::Hash for __BindgenUnionField<T> {
    fn hash<H: ::std::hash::Hasher>(&self, _state: &mut H) {}
}
impl<T> ::std::cmp::PartialEq for __BindgenUnionField<T> {
    fn eq(&self, _other: &__BindgenUnionField<T>) -> bool {
        true
    }
}
impl<T> ::std::cmp::Eq for __BindgenUnionField<T> {}
#[repr(C)]
pub struct Foo {
    pub foo: __BindgenUnionField<Foo>,
    pub bindgen_union_field: [u8; 0usize],
}

talbenari1 avatar Jul 25 '20 20:07 talbenari1

Huh, fun. Thanks for the reduced test-case, that's awesome! And sorry you hit this bug :(

We're overflowing the stack here:

#48539 0x0000555555921c58 in bindgen::ir::comp::CompInfo::layout (self=0x555556048570, ctx=0x7ffffffea598) at src/ir/comp.rs:1115
#48540 0x00005555558b4382 in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:256
#48541 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48542 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048538, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48543 0x00005555558b45af in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:267
#48544 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48545 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048a60, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48546 0x0000555555920112 in bindgen::ir::comp::Field::layout (self=0x555555fdcba0, ctx=0x7ffffffea598) at src/ir/comp.rs:207
#48547 0x0000555555921c58 in bindgen::ir::comp::CompInfo::layout (self=0x555556048570, ctx=0x7ffffffea598) at src/ir/comp.rs:1115
#48548 0x00005555558b4382 in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:256
#48549 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48550 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048538, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48551 0x00005555558b45af in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:267
#48552 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48553 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048a60, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48554 0x0000555555920112 in bindgen::ir::comp::Field::layout (self=0x555555fdcba0, ctx=0x7ffffffea598) at src/ir/comp.rs:207
#48555 0x0000555555921c58 in bindgen::ir::comp::CompInfo::layout (self=0x555556048570, ctx=0x7ffffffea598) at src/ir/comp.rs:1115
#48556 0x00005555558b4382 in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:256
#48557 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48558 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048538, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48559 0x00005555558b45af in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:267
#48560 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48561 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048a60, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48562 0x0000555555920112 in bindgen::ir::comp::Field::layout (self=0x555555fdcba0, ctx=0x7ffffffea598) at src/ir/comp.rs:207
#48563 0x0000555555921c58 in bindgen::ir::comp::CompInfo::layout (self=0x555556048570, ctx=0x7ffffffea598) at src/ir/comp.rs:1115
#48564 0x00005555558b4382 in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:256
#48565 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48566 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048538, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48567 0x00005555558b45af in bindgen::ir::ty::Type::layout::{{closure}} () at src/ir/ty.rs:267
#48568 0x000055555588a64c in core::option::Option<T>::or_else (self=..., f=...) at /home/emilio/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/src/libcore/option.rs:768
#48569 0x00005555559aae1f in bindgen::ir::ty::Type::layout (self=0x555556048a60, ctx=0x7ffffffea598) at src/ir/ty.rs:254
#48570 0x0000555555920112 in bindgen::ir::comp::Field::layout (self=0x555555fdcba0, ctx=0x7ffffffea598) at src/ir/comp.rs:207
#48571 0x0000555555921c58 in bindgen::ir::comp::CompInfo::layout (self=0x555556048570, ctx=0x7ffffffea598) at src/ir/comp.rs:1115

So we end up with a cyclic graph (which is not supposed to happen), and then trying to traverse it just gets us stuck :(

We should figure out what is going on here. I would expect this type to be rejected early because it has non-type template parameters (the variadic parameter list), but it clearly is not getting rejected properly.

emilio avatar Jul 27 '20 11:07 emilio

The behavior of bindgen on 0d805d70 has changed. Instead of overflowing the stack we hit a panic

 thread 'main' panicked at 'Not an item: ItemId(1)', /home/christian/Workspace/bindgen/rust-bindgen/src/ir/context.rs:1460:21

pvdrz avatar Sep 21 '22 20:09 pvdrz