rebis-dev: Fix UB in build_meta_predicate_clause #2764
Conversation
This one was a toughie: it turns out that using `ptr::align_of()`` was a bad idea, since the buffer in `Heap` itself is not aligned to `Heap::heap_cell_alignment()`, so `ptr::align_of()` would sometimes return lower values than expected. That made for an heisenbug: if the alignment of the heap happened to be 4, then the bug wouldn't trigger.
rebis-dev: Fix imports for benches
rebis-dev: Fix UB detected by miri in tests
I don't know if that function is still needed, as making it return Default::default() still passes all tests. Nonetheless, this is now one less source of segfaults. Fixes mthom#2763
|
Thank you a lot for such an impressive sequence of excellent contributions! It seems this could be related to dynamic compilation of arguments that are known to refer to goals (due to meta-predicate declarations): Scryer Prolog is able to make calls of partially known goals faster by compiling them to point to clauses that are generated specifically to suit these goals. For example: :- use_module(library(diag)).
:- use_module(library(format)).
:- use_module(library(lists)).
test(X) :-
call(pred, X).
pred(a).
Here, it is known that ?- wam_instructions(test/1, Is),
maplist(portray_clause, Is).
put_structure(pred,0,x(3)).
set_constant('$index_ptr'(29100)).
get_variable(x(2),1).
put_structure(:,2,x(1)).
set_constant(user).
set_value(x(3)).
execute(call,2).
Note the ?- inlined_instructions(29100, Is), maplist(portray_clause, Is). get_constant(level(shallow),a,x(1)). proceed. As I understand it (@mthom please correct if anything is wrong here!), this is done to avoid goal expansions at run time, which would otherwise take place when |
|
Hmm, I'm unsure about that, since turning off that preprocessor step (by making it return |
|
Apparently CI tests currently fail for this PR. |
|
The CI errors look to be the same problem that I fixed for master in #2793 |
This fixes #2763, where a logic bug in
build_meta_predicate_clausemakes it try to read out of bound in the heap, which, since it doesn't do bounds checking, triggers UB.Before this PR,
build_meta_predicate_clausewould erronerously access then-th argument of':-'/2, as it was invoked with the address of the predicate itself, rather than that of the meta call that was found within the goals of that predicate. See #2763 for an example of this.As I fixed the logic, I realized that when that function gets called, all the meta-predicate
module:prefixes were already populated, so I am unsure what this function actually "builds".This also seems to fix the segfault occasionally found in benchmarks; valgrind was able to pick that one up quite easily.