Support unwinding after a panic

Fixes #658

This commit adds support for unwinding after a panic. It requires a
companion rustc PR to be merged, in order for the necessary hooks to
work properly.

Currently implemented:
* Selecting between unwind/abort mode based on the rustc Session
* Properly popping off stack frames, unwinding back the caller
* Running 'unwind' blocks in Mir terminators

Not yet implemented:
* 'Abort' terminators

This PR was getting fairly large, so I decided to open it for review without
implementing 'Abort' terminator support. This could either be added on
to this PR, or merged separately.

Author: Aaron1011

src/fn_call.rs

@@ -1,6 +1,7 @@
 use rustc::ty;
 use rustc::ty::layout::{Align, LayoutOf, Size};
-use rustc::hir::def_id::DefId;
+use rustc::ty::InstanceDef;
+use rustc_target::spec::PanicStrategy;
 use rustc::mir;
 use syntax::attr;
 use syntax::symbol::sym;
@@ -19,10 +20,15 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
         ret: Option<mir::BasicBlock>,
     ) -> EvalResult<'tcx, Option<&'mir mir::Body<'tcx>>> {
         let this = self.eval_context_mut();
-        trace!("eval_fn_call: {:#?}, {:?}", instance, dest.map(|place| *place));
+        trace!("eval_fn_call: {:#?}, {:?} {:?}", instance, instance.def_id(), dest.map(|place| *place));
 
         // First, run the common hooks also supported by CTFE.
-        if this.hook_fn(instance, args, dest)? {
+        // We *don't* forward panic-related items to the common hooks,
+        // as we want to handle those specially
+        if Some(instance.def_id()) != this.tcx.lang_items().panic_fn() && 
+            Some(instance.def_id()) != this.tcx.lang_items().begin_panic_fn() &&
+            this.hook_fn(instance, args, dest)? {
+
             this.goto_block(ret)?;
             return Ok(None);
         }
@@ -40,11 +46,9 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
 
         // Try to see if we can do something about foreign items.
         if this.tcx.is_foreign_item(instance.def_id()) {
-            // An external function that we cannot find MIR for, but we can still run enough
+            // An external function that we (possibly) cannot find MIR for, but we can still run enough
             // of them to make miri viable.
-            this.emulate_foreign_item(instance.def_id(), args, dest, ret)?;
-            // `goto_block` already handled.
-            return Ok(None);
+            return Ok(this.emulate_foreign_item(instance, args, dest, ret)?);
         }
 
         // Otherwise, load the MIR.
@@ -135,11 +139,12 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
     /// This function will handle `goto_block` if needed.
     fn emulate_foreign_item(
         &mut self,
-        def_id: DefId,
-        args: &[OpTy<'tcx, Tag>],
+        instance: ty::Instance<'tcx>,
+        args: &[OpTy<'tcx, Borrow>],
         dest: Option<PlaceTy<'tcx, Tag>>,
         ret: Option<mir::BasicBlock>,
-    ) -> EvalResult<'tcx> {
+    ) -> EvalResult<'tcx, Option<&'mir mir::Mir<'tcx>>> {
+        let def_id = instance.def_id();
         let this = self.eval_context_mut();
         let attrs = this.tcx.get_attrs(def_id);
         let link_name = match attr::first_attr_value_str_by_name(&attrs, sym::link_name) {
@@ -152,8 +157,195 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
 
         // First: functions that diverge.
         match link_name {
-            "__rust_start_panic" | "panic_impl" => {
-                return err!(MachineError("the evaluated program panicked".to_string()));
+            "panic_impl" => {
+                // Manually forward to 'panic_impl' lang item
+                let panic_impl_real = this.tcx.lang_items().panic_impl().unwrap();
+
+                return Ok(Some(this.load_mir(InstanceDef::Item(panic_impl_real))?));
+            },
+            "__rust_start_panic" => {
+                // This function has the signature:
+                // 'fn __rust_start_panic(payload: usize) -> u32;'
+                //
+                // The caller constructs 'payload' as follows
+                // 1. We start with a type implementing core::panic::BoxMeUp
+                // 2. We make this type into a trait object, obtaining a '&mut dyn BoxMeUp'
+                // 3. We obtain a raw pointer to the above mutable reference: that is, we make:
+                //    '*mut &mut dyn BoxMeUp'
+                // 4. We convert the raw pointer to a 'usize'
+                //
+
+                // When a panic occurs, we (carefully!) reverse the above steps
+                // to get back to the actual panic payload
+                //
+                // Even though our argument is a 'usize', Miri will have kept track
+                // of the fact that it was created via a cast from a pointer.
+                // This allows us to construct an ImmTy with the proper layout,
+                // and dereference it
+                //
+                // Reference:
+                // https://github.com/rust-lang/rust/blob/9ebf47851a357faa4cd97f4b1dc7835f6376e639/src/libpanic_unwind/lib.rs#L101
+                // https://github.com/rust-lang/rust/blob/9ebf47851a357faa4cd97f4b1dc7835f6376e639/src/libpanic_unwind/lib.rs#L81
+                //
+                // payload_raw now represents our '&mut dyn BoxMeUp' - a fat pointer
+                //
+                // Note that we intentially call deref_operand before checking
+                // This ensures that we always check the validity of the argument,
+                // even if we don't end up using it
+               
+                trace!("__rustc_start_panic: {:?}", this.frame().span);
+
+
+                // Read our 'usize' payload argument (which was made by casting
+                // a '*mut &mut dyn BoxMeUp'
+                let payload_raw = this.read_scalar(args[0])?.not_undef()?;
+
+                // Construct an ImmTy, using the precomputed layout of '*mut &mut dyn BoxMeUp'
+                let imm_ty = ImmTy::from_scalar(
+                    payload_raw,
+                    this.machine.cached_data.as_ref().unwrap().box_me_up_layout
+                );
+
+                // Convert our ImmTy to an MPlace, and read it
+                let mplace = this.ref_to_mplace(imm_ty)?;
+
+                // This is an '&mut dyn BoxMeUp'
+                let payload_dyn = this.read_immediate(mplace.into())?;
+
+                // We deliberately do this after we do some validation of the
+                // 'payload'. This should help catch some basic errors in
+                // the caller of this function, even in abort mode
+                if this.tcx.tcx.sess.panic_strategy() == PanicStrategy::Abort  {
+                    return err!(MachineError("the evaluated program abort-panicked".to_string()));
+                }
+
+                // This part is tricky - we need to call BoxMeUp::box_me_up
+                // on the vtable.
+                //
+                // core::panic::BoxMeUp is declared as follows:
+                //
+                // pub unsafe trait BoxMeUp {
+                //     fn box_me_up(&mut self) -> *mut (dyn Any + Send);
+                //     fn get(&mut self) -> &(dyn Any + Send);
+                // }
+                //
+                // box_me_up is the first method in the vtable.
+                // First, we extract the vtable pointer from our fat pointer,
+                // and check its alignment
+
+                let vtable_ptr = payload_dyn.to_meta()?.expect("Expected fat pointer!").to_ptr()?; 
+                let data_ptr = payload_dyn.to_scalar_ptr()?;
+                this.memory().check_align(vtable_ptr.into(), this.tcx.data_layout.pointer_align.abi)?;
+
+                // Now, we derefernce the vtable pointer.
+                let alloc = this.memory().get(vtable_ptr.alloc_id)?;
+
+                // Finally, we extract the pointer to 'box_me_up'.
+                // The vtable is layed out in memory like this:
+                //
+                //```
+                // <drop_ptr> (usize)
+                // <size> (usize)
+                // <align> (usize)
+                // <method_ptr_1> (usize)
+                // <method_ptr_2> (usize)
+                // ...
+                // <method_ptr_n> (usize)
+                //```
+                //
+                // Since box_me_up is the first method pointer
+                // in the vtable, we use an offset of 3 pointer sizes
+                // (skipping over <drop_ptr>, <size>, and <align>)
+
+                let box_me_up_ptr = alloc.read_ptr_sized(
+                    this,
+                    vtable_ptr.offset(this.pointer_size() * 3, this)?
+                )?.to_ptr()?;
+
+                // Get the actual function instance
+                let box_me_up_fn = this.memory().get_fn(box_me_up_ptr)?;
+                let box_me_up_mir = this.load_mir(box_me_up_fn.def)?;
+
+                // Extract the signature
+                // We know that there are no HRBTs here, so it's fine to use
+                // skip_binder
+                let fn_sig_temp = box_me_up_fn.ty(*this.tcx).fn_sig(*this.tcx);
+                let fn_sig = fn_sig_temp.skip_binder();
+
+                // This is the layout of '*mut (dyn Any + Send)', which
+                // is the return type of 'box_me_up'
+                let dyn_ptr_layout = this.layout_of(fn_sig.output())?;
+
+                // We allocate space to store the return value of box_me_up:
+                // '*mut (dyn Any + Send)', which is a fat 
+                
+                let temp_ptr = this.allocate(dyn_ptr_layout, MiriMemoryKind::UnwindHelper.into());
+
+                // Keep track of our current frame
+                // This allows us to step throgh the exection of 'box_me_up',
+                // exiting when we get back to this frame
+                let cur_frame = this.cur_frame();
+
+                this.push_stack_frame(
+                    box_me_up_fn,
+                    box_me_up_mir.span,
+                    box_me_up_mir,
+                    Some(temp_ptr.into()),
+                    StackPopCleanup::None { cleanup: true }
+                )?;
+
+                let mut args = this.frame().mir.args_iter();
+                let arg_0 = this.eval_place(&mir::Place::Base(mir::PlaceBase::Local(args.next().unwrap())))?;
+                this.write_scalar(data_ptr, arg_0)?;
+
+                // Step through execution of 'box_me_up'
+                // We know that we're finished when our stack depth
+                // returns to where it was before.
+                //
+                // Note that everything will get completely screwed up
+                // if 'box_me_up' panics. This is fine, since this
+                // function should never panic, as it's part of the core
+                // panic handling infrastructure
+                //
+                // Normally, we would just let Miri drive
+                // the execution of this stack frame.
+                // However, we need to access its return value
+                // in order to properly unwind.
+                //
+                // When we 'return' from '__rustc_start_panic',
+                // we need to be executing the panic catch handler.
+                // Therefore, we take care all all of the unwinding logic
+                // here, instead of letting the Miri main loop do it
+                while this.cur_frame() != cur_frame {
+                    this.step()?;
+                }
+
+                // 'box_me_up' has finished. 'temp_ptr' now holds
+                // a '*mut (dyn Any + Send)'
+                // We want to split this into its consituient parts -
+                // the data and vtable pointers - and store them back
+                // into the panic handler frame
+                let real_ret = this.read_immediate(temp_ptr.into())?;
+                let real_ret_data = real_ret.to_scalar_ptr()?;
+                let real_ret_vtable = real_ret.to_meta()?.expect("Expected fat pointer");
+
+                // We're in panic unwind mode. We pop off stack
+                // frames until one of two things happens: we reach
+                // a frame with 'catch_panic' set, or we pop of all frames
+                //
+                // If we pop off all frames without encountering 'catch_panic',
+                // we exut.
+                //
+                // If we encounter 'catch_panic', we continue execution at that
+                // frame, filling in data from the panic
+                //
+                unwind_stack(this, real_ret_data, real_ret_vtable)?; 
+
+                this.memory_mut().deallocate(temp_ptr.to_ptr()?, None, MiriMemoryKind::UnwindHelper.into())?;
+                this.dump_place(*dest.expect("dest is None!"));
+
+                return Ok(None)
+
             }
             "exit" | "ExitProcess" => {
                 // it's really u32 for ExitProcess, but we have to put it into the `Exit` error variant anyway
@@ -341,13 +533,27 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
                 //     data_ptr: *mut usize,
                 //     vtable_ptr: *mut usize,
                 // ) -> u32
-                // We abort on panic, so not much is going on here, but we still have to call the closure.
                 let f = this.read_scalar(args[0])?.to_ptr()?;
                 let data = this.read_scalar(args[1])?.not_undef()?;
+                let data_ptr = this.deref_operand(args[2])?;
+                let vtable_ptr = this.deref_operand(args[3])?;
                 let f_instance = this.memory().get_fn(f)?;
                 this.write_null(dest)?;
                 trace!("__rust_maybe_catch_panic: {:?}", f_instance);
 
+                // In unwind mode, we tag this frame with some extra data.
+                // This lets '__rust_start_panic' know that it should jump back
+                // to this frame is a panic occurs.
+                if this.tcx.tcx.sess.panic_strategy() == PanicStrategy::Unwind {
+                    this.frame_mut().extra.catch_panic = Some(UnwindData {
+                        data: data.to_ptr()?,
+                        data_ptr,
+                        vtable_ptr,
+                        dest: dest.clone(),
+                        ret
+                    })
+                }
+
                 // Now we make a function call.
                 // TODO: consider making this reusable? `InterpretCx::step` does something similar
                 // for the TLS destructors, and of course `eval_main`.
@@ -361,6 +567,7 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
                     // Directly return to caller.
                     StackPopCleanup::Goto(Some(ret)),
                 )?;
+
                 let mut args = this.frame().mir.args_iter();
 
                 let arg_local = args.next().ok_or_else(||
@@ -378,7 +585,7 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
                 this.write_null(dest)?;
 
                 // Don't fall through, we do *not* want to `goto_block`!
-                return Ok(());
+                return Ok(None);
             }
 
             "memcmp" => {
@@ -892,7 +1099,7 @@ pub trait EvalContextExt<'a, 'mir, 'tcx: 'a + 'mir>: crate::MiriEvalContextExt<'
 
         this.goto_block(Some(ret))?;
         this.dump_place(*dest);
-        Ok(())
+        Ok(None)
     }
 
     fn write_null(&mut self, dest: PlaceTy<'tcx, Tag>) -> EvalResult<'tcx> {
@@ -946,3 +1153,89 @@ fn gen_random<'a, 'mir, 'tcx>(
     this.memory_mut().get_mut(ptr.alloc_id)?
         .write_bytes(tcx, ptr, &data)
 }
+
+/// A helper method to unwind the stack.
+///
+/// We execute the 'unwind' blocks associated with frame
+/// terminators as we go along (these blocks are responsible
+/// for dropping frame locals in the event of a panic)
+///
+/// When we find our target frame, we write the panic payload
+/// directly into its locals, and jump to it.
+/// After that, panic handling is done - from the perspective
+/// of the caller of '__rust_maybe_catch_panic', the function
+/// has 'returned' normally, after which point Miri excecution
+/// can proceeed normally.
+fn unwind_stack<'a, 'mir, 'tcx>(
+    this: &mut MiriEvalContext<'a, 'mir, 'tcx>,
+    payload_data_ptr: Scalar<Borrow>,
+    payload_vtable_ptr: Scalar<Borrow>
+) -> EvalResult<'tcx> {
+
+    let mut found = false;
+
+    while !this.stack().is_empty() {
+        // When '__rust_maybe_catch_panic' is called, it marks is frame
+        // with 'catch_panic'. When we find this marker, we've found
+        // our target frame to jump to.
+        if let Some(unwind_data) = this.frame_mut().extra.catch_panic.take() {
+            trace!("unwinding: found target frame: {:?}", this.frame().span);
+
+            let data_ptr = unwind_data.data_ptr.clone();
+            let vtable_ptr = unwind_data.vtable_ptr.clone();
+            let dest = unwind_data.dest.clone();
+            let ret = unwind_data.ret.clone();
+            drop(unwind_data);
+
+
+            // Here, we write directly into the frame of the function
+            // that called '__rust_maybe_catch_panic'.
+            // (NOT the function that called '__rust_start_panic')
+
+            this.write_scalar(payload_data_ptr, data_ptr.into())?;
+            this.write_scalar(payload_vtable_ptr, vtable_ptr.into())?;
+
+            // We 'return' the value 1 from __rust_maybe_catch_panic,
+            // since there was a panic
+            this.write_scalar(Scalar::from_int(1, dest.layout.size), dest)?;
+
+            // We're done - continue execution in the frame of the function
+            // that called '__rust_maybe_catch_panic,'
+            this.goto_block(Some(ret))?;
+            found = true;
+
+            break;
+        } else {
+            // This frame is above our target frame on the call stack.
+            // We pop it off the stack, running its 'unwind' block if applicable
+            trace!("unwinding: popping frame: {:?}", this.frame().span);
+            let block = &this.frame().mir.basic_blocks()[this.frame().block];
+
+            // All frames in the call stack should be executing their terminators.,
+            // as that's the only way for a basic block to perform a function call
+            if let Some(stmt) = block.statements.get(this.frame().stmt) {
+                panic!("Unexpcted statement '{:?}' for frame {:?}", stmt, this.frame().span);
+            }
+
+            // We're only interested in terminator types which allow for a cleanuup
+            // block (e.g. Call), and that also actually provide one
+            if let Some(Some(unwind)) = block.terminator().unwind() {
+                this.goto_block(Some(*unwind))?;
+
+                // Run the 'unwind' block until we encounter
+                // a 'Resume', which indicates that the block
+                // is done.
+                assert_eq!(this.run()?, StepOutcome::Resume);
+            }
+
+            // Pop this frame, and continue on to the next one
+            this.pop_stack_frame_unwind()?;
+        }
+    }
+
+    if !found {
+        // The 'start_fn' lang item should always install a panic handler
+        return err!(Unreachable);
+    }
+    return Ok(())
+}