It looks like it's possible to generate an invalid specptr for an OpaqueClosure, so that Julia segfaults when attempting to call it:
julia> foo(x, ::Val{B}, ::Val{RT}) where {B, RT} = begin
x = B ? x : Base.compilerbarrier(:type, x)
return Base.Experimental.@opaque _->RT (a)->x[]
end
foo (generic function with 1 method)
julia> const oc1 = foo(Ref{Any}(Int32(2)), Val(true), Val(Int32))
julia> const oc2 = foo(Ref{Any}(Int32(2)), Val(false), Val(Any))
julia> bar(f) = f(rand(Int32))
julia> bar(oc2)Running this gives a segfault:
[1319401] signal 11 (1): Segmentation fault
in expression starting at REPL[5]:1
typekeyvalue_hash at /home/topolarity/repos/dae_julia/src/jltypes.c:1662 [inlined]
lookup_typevalue at /home/topolarity/repos/dae_julia/src/jltypes.c:1088
jl_inst_arg_tuple_type at /home/topolarity/repos/dae_julia/src/jltypes.c:2319
arg_type_tuple at /home/topolarity/repos/dae_julia/src/gf.c:2372 [inlined]
jl_lookup_generic_ at /home/topolarity/repos/dae_julia/src/gf.c:3247 [inlined]
ijl_apply_generic at /home/topolarity/repos/dae_julia/src/gf.c:3294
bar at ./REPL[4]:4
unknown function (ip: 0x7f83ad4b1e32)
_jl_invoke at /home/topolarity/repos/dae_julia/src/gf.c:3121 [inlined]
ijl_apply_generic at /home/topolarity/repos/dae_julia/src/gf.c:3298
jl_apply at /home/topolarity/repos/dae_julia/src/julia.h:2185 [inlined]
do_call at /home/topolarity/repos/dae_julia/src/interpreter.c:127
...
I'm fairly certain the problem here is that this compile-time OpaqueClosure optimization applies when generating oc1, which causes us to store a specptr with the Int32 ABI (as enforced in the requested return type bounds) into a code instance with rettype == Any.
From that point on, we have an invalid CodeInstance in the cache.
When oc2 is constructed, we end up looking up the same CodeInstance in the cache, which claims to have a rettype of ::Any even though its specptr really has a rettype of ::Int32
It looks like it's possible to generate an invalid
specptrfor an OpaqueClosure, so that Julia segfaults when attempting to call it:Running this gives a segfault:
I'm fairly certain the problem here is that this compile-time OpaqueClosure optimization applies when generating
oc1, which causes us to store aspecptrwith theInt32ABI (as enforced in the requested return type bounds) into a code instance withrettype == Any.From that point on, we have an invalid CodeInstance in the cache.
When
oc2is constructed, we end up looking up the same CodeInstance in the cache, which claims to have arettypeof::Anyeven though its specptr really has a rettype of::Int32