Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

soundness bug with polymorphic variants #6787

Closed
vicuna opened this issue Feb 18, 2015 · 5 comments
Closed

soundness bug with polymorphic variants #6787

vicuna opened this issue Feb 18, 2015 · 5 comments
Assignees

Comments

@vicuna
Copy link

vicuna commented Feb 18, 2015

Original bug ID: 6787
Reporter: mkoconnor
Assigned to: @garrigue
Status: closed (set by @xavierleroy on 2016-12-07T10:49:24Z)
Resolution: fixed
Priority: normal
Severity: major
Version: 4.02.1
Fixed in version: 4.02.2+dev / +rc1
Category: typing
Monitored by: @Drup jpdeplaix @gasche @yallop @hcarty

Bug description

The code below (also attached) gives a function which interprets an int as a string and produces a segfault when run. I think this code is roughly minimal (e.g., I think the [revapply] function is necessary).

let revapply x f = f x

module Contravariant : sig
type -'a t
val create : unit -> [< `Foo] t
end = struct
type 'a t = unit
let create () = ()
end

module M : sig
val int_to_string : [ Bar of int ] -> string end = struct let int_to_string x = let x = revapply x (fun (Bar int) -> (Bar int), Contravariant.create ()) in revapply x (fun ((Bar int), _) -> (int : string))
end

let () = Printf.printf "%s" (M.int_to_string (`Bar 0))

Steps to reproduce

Compile trial.ml with ocamlc or ocamlopt.opt and run.

File attachments

@vicuna
Copy link
Author

vicuna commented Feb 19, 2015

Comment author: @lpw25

I've got it down to the following case:

        OCaml version 4.02.1

# let revapply x f = f x

  let f x (g : [< `Foo]) =
    let y = `Bar x, g in
      revapply y (fun ((`Bar i), _) -> i)

  let segfault = (f 0 `Foo : string);;

Process ocaml-toplevel segmentation fault

@vicuna
Copy link
Author

vicuna commented Feb 19, 2015

Comment author: @garrigue

Interestingly, the bug does not occur with -principal.
And it seems to have been introduced in 4.01 (4.00 is ok).

@vicuna
Copy link
Author

vicuna commented Feb 19, 2015

Comment author: hnrgrgr

By using git bisect, the bug was introduced with commit 13221 :

c4d1bf8

@vicuna
Copy link
Author

vicuna commented Feb 19, 2015

Comment author: @garrigue

Fixed in trunk and 4.02 at revisions 15851 and 15852.

Some code added to allow the propagation of type information to patterns was breaking the invariant that two different polymorphic variant types should not share the same row variable.

@vicuna
Copy link
Author

vicuna commented May 18, 2015

Comment author: @lpw25

In case anyone comes across this elsewhere, one of the ways this bug can manifest itself is as code which takes the wrong branch on a match with polymorphic variants in it. For example:

  module Monad : sig
    type 'a t
    val return : 'a -> 'a t
    val ( >>= ) : 'a t -> ('a -> 'b t) -> 'b t
    val run : 'a t -> 'a
  end = struct
    type 'a t = 'a
    let return x = x
    let ( >>= ) m k = k m
    let run m = m
  end

  open Monad

  let foo x =
      match x with
      | `Error -> return `Error
      | `Ok y ->
        match y with
        | `Left | `Right -> return (`Ok y)

  let bar x =
    foo x
    >>= function
    | `Error -> return 1
    | `Ok `Left -> return 2
    | `Ok `Right -> return 3

  let () =
    Printf.printf "%d\n" (run (bar (`Ok `Right)))

will print 2 instead of 3 as the wrong branch is taken in bar.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

2 participants