miri/
eval.rs

1//! Main evaluator loop and setting up the initial stack frame.
2
3use std::ffi::{OsStr, OsString};
4use std::panic::{self, AssertUnwindSafe};
5use std::path::PathBuf;
6use std::rc::Rc;
7use std::task::Poll;
8use std::{iter, thread};
9
10use rustc_abi::ExternAbi;
11use rustc_data_structures::fx::{FxHashMap, FxHashSet};
12use rustc_hir::def::Namespace;
13use rustc_hir::def_id::DefId;
14use rustc_middle::ty::layout::{LayoutCx, LayoutOf};
15use rustc_middle::ty::{self, Ty, TyCtxt};
16use rustc_session::config::EntryFnType;
17
18use crate::concurrency::GenmcCtx;
19use crate::concurrency::thread::TlsAllocAction;
20use crate::diagnostics::report_leaks;
21use crate::shims::tls;
22use crate::*;
23
24#[derive(Copy, Clone, Debug)]
25pub enum MiriEntryFnType {
26    MiriStart,
27    Rustc(EntryFnType),
28}
29
30/// When the main thread would exit, we will yield to any other thread that is ready to execute.
31/// But we must only do that a finite number of times, or a background thread running `loop {}`
32/// will hang the program.
33const MAIN_THREAD_YIELDS_AT_SHUTDOWN: u32 = 256;
34
35#[derive(Copy, Clone, Debug, PartialEq)]
36pub enum AlignmentCheck {
37    /// Do not check alignment.
38    None,
39    /// Check alignment "symbolically", i.e., using only the requested alignment for an allocation and not its real base address.
40    Symbolic,
41    /// Check alignment on the actual physical integer address.
42    Int,
43}
44
45#[derive(Copy, Clone, Debug, PartialEq)]
46pub enum RejectOpWith {
47    /// Isolated op is rejected with an abort of the machine.
48    Abort,
49
50    /// If not Abort, miri returns an error for an isolated op.
51    /// Following options determine if user should be warned about such error.
52    /// Do not print warning about rejected isolated op.
53    NoWarning,
54
55    /// Print a warning about rejected isolated op, with backtrace.
56    Warning,
57
58    /// Print a warning about rejected isolated op, without backtrace.
59    WarningWithoutBacktrace,
60}
61
62#[derive(Copy, Clone, Debug, PartialEq)]
63pub enum IsolatedOp {
64    /// Reject an op requiring communication with the host. By
65    /// default, miri rejects the op with an abort. If not, it returns
66    /// an error code, and prints a warning about it. Warning levels
67    /// are controlled by `RejectOpWith` enum.
68    Reject(RejectOpWith),
69
70    /// Execute op requiring communication with the host, i.e. disable isolation.
71    Allow,
72}
73
74#[derive(Debug, Copy, Clone, PartialEq, Eq)]
75pub enum BacktraceStyle {
76    /// Prints a terser backtrace which ideally only contains relevant information.
77    Short,
78    /// Prints a backtrace with all possible information.
79    Full,
80    /// Prints only the frame that the error occurs in.
81    Off,
82}
83
84#[derive(Debug, Copy, Clone, PartialEq, Eq)]
85pub enum ValidationMode {
86    /// Do not perform any kind of validation.
87    No,
88    /// Validate the interior of the value, but not things behind references.
89    Shallow,
90    /// Fully recursively validate references.
91    Deep,
92}
93
94/// Configuration needed to spawn a Miri instance.
95#[derive(Clone)]
96pub struct MiriConfig {
97    /// The host environment snapshot to use as basis for what is provided to the interpreted program.
98    /// (This is still subject to isolation as well as `forwarded_env_vars`.)
99    pub env: Vec<(OsString, OsString)>,
100    /// Determine if validity checking is enabled.
101    pub validation: ValidationMode,
102    /// Determines if Stacked Borrows or Tree Borrows is enabled.
103    pub borrow_tracker: Option<BorrowTrackerMethod>,
104    /// Controls alignment checking.
105    pub check_alignment: AlignmentCheck,
106    /// Action for an op requiring communication with the host.
107    pub isolated_op: IsolatedOp,
108    /// Determines if memory leaks should be ignored.
109    pub ignore_leaks: bool,
110    /// Environment variables that should always be forwarded from the host.
111    pub forwarded_env_vars: Vec<String>,
112    /// Additional environment variables that should be set in the interpreted program.
113    pub set_env_vars: FxHashMap<String, String>,
114    /// Command-line arguments passed to the interpreted program.
115    pub args: Vec<String>,
116    /// The seed to use when non-determinism or randomness are required (e.g. ptr-to-int cast, `getrandom()`).
117    pub seed: Option<u64>,
118    /// The stacked borrows pointer ids to report about.
119    pub tracked_pointer_tags: FxHashSet<BorTag>,
120    /// The allocation ids to report about.
121    pub tracked_alloc_ids: FxHashSet<AllocId>,
122    /// For the tracked alloc ids, also report read/write accesses.
123    pub track_alloc_accesses: bool,
124    /// Determine if data race detection should be enabled.
125    pub data_race_detector: bool,
126    /// Determine if weak memory emulation should be enabled. Requires data race detection to be enabled.
127    pub weak_memory_emulation: bool,
128    /// Determine if we are running in GenMC mode. In this mode, Miri will explore multiple concurrent executions of the given program.
129    pub genmc_mode: bool,
130    /// Track when an outdated (weak memory) load happens.
131    pub track_outdated_loads: bool,
132    /// Rate of spurious failures for compare_exchange_weak atomic operations,
133    /// between 0.0 and 1.0, defaulting to 0.8 (80% chance of failure).
134    pub cmpxchg_weak_failure_rate: f64,
135    /// If `Some`, enable the `measureme` profiler, writing results to a file
136    /// with the specified prefix.
137    pub measureme_out: Option<String>,
138    /// Which style to use for printing backtraces.
139    pub backtrace_style: BacktraceStyle,
140    /// Which provenance to use for int2ptr casts.
141    pub provenance_mode: ProvenanceMode,
142    /// Whether to ignore any output by the program. This is helpful when debugging miri
143    /// as its messages don't get intermingled with the program messages.
144    pub mute_stdout_stderr: bool,
145    /// The probability of the active thread being preempted at the end of each basic block.
146    pub preemption_rate: f64,
147    /// Report the current instruction being executed every N basic blocks.
148    pub report_progress: Option<u32>,
149    /// Whether Stacked Borrows and Tree Borrows retagging should recurse into fields of datatypes.
150    pub retag_fields: RetagFields,
151    /// The location of a shared object file to load when calling external functions
152    /// FIXME! consider allowing users to specify paths to multiple files, or to a directory
153    pub native_lib: Option<PathBuf>,
154    /// Run a garbage collector for BorTags every N basic blocks.
155    pub gc_interval: u32,
156    /// The number of CPUs to be reported by miri.
157    pub num_cpus: u32,
158    /// Requires Miri to emulate pages of a certain size.
159    pub page_size: Option<u64>,
160    /// Whether to collect a backtrace when each allocation is created, just in case it leaks.
161    pub collect_leak_backtraces: bool,
162    /// Probability for address reuse.
163    pub address_reuse_rate: f64,
164    /// Probability for address reuse across threads.
165    pub address_reuse_cross_thread_rate: f64,
166    /// Round Robin scheduling with no preemption.
167    pub fixed_scheduling: bool,
168    /// Always prefer the intrinsic fallback body over the native Miri implementation.
169    pub force_intrinsic_fallback: bool,
170}
171
172impl Default for MiriConfig {
173    fn default() -> MiriConfig {
174        MiriConfig {
175            env: vec![],
176            validation: ValidationMode::Shallow,
177            borrow_tracker: Some(BorrowTrackerMethod::StackedBorrows),
178            check_alignment: AlignmentCheck::Int,
179            isolated_op: IsolatedOp::Reject(RejectOpWith::Abort),
180            ignore_leaks: false,
181            forwarded_env_vars: vec![],
182            set_env_vars: FxHashMap::default(),
183            args: vec![],
184            seed: None,
185            tracked_pointer_tags: FxHashSet::default(),
186            tracked_alloc_ids: FxHashSet::default(),
187            track_alloc_accesses: false,
188            data_race_detector: true,
189            weak_memory_emulation: true,
190            genmc_mode: false,
191            track_outdated_loads: false,
192            cmpxchg_weak_failure_rate: 0.8, // 80%
193            measureme_out: None,
194            backtrace_style: BacktraceStyle::Short,
195            provenance_mode: ProvenanceMode::Default,
196            mute_stdout_stderr: false,
197            preemption_rate: 0.01, // 1%
198            report_progress: None,
199            retag_fields: RetagFields::Yes,
200            native_lib: None,
201            gc_interval: 10_000,
202            num_cpus: 1,
203            page_size: None,
204            collect_leak_backtraces: true,
205            address_reuse_rate: 0.5,
206            address_reuse_cross_thread_rate: 0.1,
207            fixed_scheduling: false,
208            force_intrinsic_fallback: false,
209        }
210    }
211}
212
213/// The state of the main thread. Implementation detail of `on_main_stack_empty`.
214#[derive(Default, Debug)]
215enum MainThreadState<'tcx> {
216    #[default]
217    Running,
218    TlsDtors(tls::TlsDtorsState<'tcx>),
219    Yield {
220        remaining: u32,
221    },
222    Done,
223}
224
225impl<'tcx> MainThreadState<'tcx> {
226    fn on_main_stack_empty(
227        &mut self,
228        this: &mut MiriInterpCx<'tcx>,
229    ) -> InterpResult<'tcx, Poll<()>> {
230        use MainThreadState::*;
231        match self {
232            Running => {
233                *self = TlsDtors(Default::default());
234            }
235            TlsDtors(state) =>
236                match state.on_stack_empty(this)? {
237                    Poll::Pending => {} // just keep going
238                    Poll::Ready(()) => {
239                        if this.machine.data_race.as_genmc_ref().is_some() {
240                            // In GenMC mode, we don't yield at the end of the main thread.
241                            // Instead, the `GenmcCtx` will ensure that unfinished threads get a chance to run at this point.
242                            *self = Done;
243                        } else {
244                            // Give background threads a chance to finish by yielding the main thread a
245                            // couple of times -- but only if we would also preempt threads randomly.
246                            if this.machine.preemption_rate > 0.0 {
247                                // There is a non-zero chance they will yield back to us often enough to
248                                // make Miri terminate eventually.
249                                *self = Yield { remaining: MAIN_THREAD_YIELDS_AT_SHUTDOWN };
250                            } else {
251                                // The other threads did not get preempted, so no need to yield back to
252                                // them.
253                                *self = Done;
254                            }
255                        }
256                    }
257                },
258            Yield { remaining } =>
259                match remaining.checked_sub(1) {
260                    None => *self = Done,
261                    Some(new_remaining) => {
262                        *remaining = new_remaining;
263                        this.yield_active_thread();
264                    }
265                },
266            Done => {
267                // Figure out exit code.
268                let ret_place = this.machine.main_fn_ret_place.clone().unwrap();
269                let exit_code = this.read_target_isize(&ret_place)?;
270                // Rust uses `isize` but the underlying type of an exit code is `i32`.
271                // Do a saturating cast.
272                let exit_code = i32::try_from(exit_code).unwrap_or(if exit_code >= 0 {
273                    i32::MAX
274                } else {
275                    i32::MIN
276                });
277                // Deal with our thread-local memory. We do *not* want to actually free it, instead we consider TLS
278                // to be like a global `static`, so that all memory reached by it is considered to "not leak".
279                this.terminate_active_thread(TlsAllocAction::Leak)?;
280
281                // Machine cleanup. Only do this if all threads have terminated; threads that are still running
282                // might cause Stacked Borrows errors (https://github.com/rust-lang/miri/issues/2396).
283                if this.have_all_terminated() {
284                    // Even if all threads have terminated, we have to beware of data races since some threads
285                    // might not have joined the main thread (https://github.com/rust-lang/miri/issues/2020,
286                    // https://github.com/rust-lang/miri/issues/2508).
287                    this.allow_data_races_all_threads_done();
288                    EnvVars::cleanup(this).expect("error during env var cleanup");
289                }
290
291                // Stop interpreter loop.
292                throw_machine_stop!(TerminationInfo::Exit { code: exit_code, leak_check: true });
293            }
294        }
295        interp_ok(Poll::Pending)
296    }
297}
298
299/// Returns a freshly created `InterpCx`.
300/// Public because this is also used by `priroda`.
301pub fn create_ecx<'tcx>(
302    tcx: TyCtxt<'tcx>,
303    entry_id: DefId,
304    entry_type: MiriEntryFnType,
305    config: &MiriConfig,
306    genmc_ctx: Option<Rc<GenmcCtx>>,
307) -> InterpResult<'tcx, InterpCx<'tcx, MiriMachine<'tcx>>> {
308    let typing_env = ty::TypingEnv::fully_monomorphized();
309    let layout_cx = LayoutCx::new(tcx, typing_env);
310    let mut ecx = InterpCx::new(
311        tcx,
312        rustc_span::DUMMY_SP,
313        typing_env,
314        MiriMachine::new(config, layout_cx, genmc_ctx),
315    );
316
317    // Some parts of initialization require a full `InterpCx`.
318    MiriMachine::late_init(&mut ecx, config, {
319        let mut state = MainThreadState::default();
320        // Cannot capture anything GC-relevant here.
321        Box::new(move |m| state.on_main_stack_empty(m))
322    })?;
323
324    // Make sure we have MIR. We check MIR for some stable monomorphic function in libcore.
325    let sentinel =
326        helpers::try_resolve_path(tcx, &["core", "ascii", "escape_default"], Namespace::ValueNS);
327    if !matches!(sentinel, Some(s) if tcx.is_mir_available(s.def.def_id())) {
328        tcx.dcx().fatal(
329            "the current sysroot was built without `-Zalways-encode-mir`, or libcore seems missing. \
330            Use `cargo miri setup` to prepare a sysroot that is suitable for Miri."
331        );
332    }
333
334    // Setup first stack frame.
335    let entry_instance = ty::Instance::mono(tcx, entry_id);
336
337    // First argument is constructed later, because it's skipped for `miri_start.`
338
339    // Second argument (argc): length of `config.args`.
340    let argc =
341        ImmTy::from_int(i64::try_from(config.args.len()).unwrap(), ecx.machine.layouts.isize);
342    // Third argument (`argv`): created from `config.args`.
343    let argv = {
344        // Put each argument in memory, collect pointers.
345        let mut argvs = Vec::<Immediate<Provenance>>::with_capacity(config.args.len());
346        for arg in config.args.iter() {
347            // Make space for `0` terminator.
348            let size = u64::try_from(arg.len()).unwrap().strict_add(1);
349            let arg_type = Ty::new_array(tcx, tcx.types.u8, size);
350            let arg_place =
351                ecx.allocate(ecx.layout_of(arg_type)?, MiriMemoryKind::Machine.into())?;
352            ecx.write_os_str_to_c_str(OsStr::new(arg), arg_place.ptr(), size)?;
353            ecx.mark_immutable(&arg_place);
354            argvs.push(arg_place.to_ref(&ecx));
355        }
356        // Make an array with all these pointers, in the Miri memory.
357        let argvs_layout = ecx.layout_of(Ty::new_array(
358            tcx,
359            Ty::new_imm_ptr(tcx, tcx.types.u8),
360            u64::try_from(argvs.len()).unwrap(),
361        ))?;
362        let argvs_place = ecx.allocate(argvs_layout, MiriMemoryKind::Machine.into())?;
363        for (idx, arg) in argvs.into_iter().enumerate() {
364            let place = ecx.project_field(&argvs_place, idx)?;
365            ecx.write_immediate(arg, &place)?;
366        }
367        ecx.mark_immutable(&argvs_place);
368        // Store `argc` and `argv` for macOS `_NSGetArg{c,v}`.
369        {
370            let argc_place =
371                ecx.allocate(ecx.machine.layouts.isize, MiriMemoryKind::Machine.into())?;
372            ecx.write_immediate(*argc, &argc_place)?;
373            ecx.mark_immutable(&argc_place);
374            ecx.machine.argc = Some(argc_place.ptr());
375
376            let argv_place = ecx.allocate(
377                ecx.layout_of(Ty::new_imm_ptr(tcx, tcx.types.unit))?,
378                MiriMemoryKind::Machine.into(),
379            )?;
380            ecx.write_pointer(argvs_place.ptr(), &argv_place)?;
381            ecx.mark_immutable(&argv_place);
382            ecx.machine.argv = Some(argv_place.ptr());
383        }
384        // Store command line as UTF-16 for Windows `GetCommandLineW`.
385        {
386            // Construct a command string with all the arguments.
387            let cmd_utf16: Vec<u16> = args_to_utf16_command_string(config.args.iter());
388
389            let cmd_type =
390                Ty::new_array(tcx, tcx.types.u16, u64::try_from(cmd_utf16.len()).unwrap());
391            let cmd_place =
392                ecx.allocate(ecx.layout_of(cmd_type)?, MiriMemoryKind::Machine.into())?;
393            ecx.machine.cmd_line = Some(cmd_place.ptr());
394            // Store the UTF-16 string. We just allocated so we know the bounds are fine.
395            for (idx, &c) in cmd_utf16.iter().enumerate() {
396                let place = ecx.project_field(&cmd_place, idx)?;
397                ecx.write_scalar(Scalar::from_u16(c), &place)?;
398            }
399            ecx.mark_immutable(&cmd_place);
400        }
401        ecx.mplace_to_ref(&argvs_place)?
402    };
403
404    // Return place (in static memory so that it does not count as leak).
405    let ret_place = ecx.allocate(ecx.machine.layouts.isize, MiriMemoryKind::Machine.into())?;
406    ecx.machine.main_fn_ret_place = Some(ret_place.clone());
407    // Call start function.
408
409    match entry_type {
410        MiriEntryFnType::Rustc(EntryFnType::Main { .. }) => {
411            let start_id = tcx.lang_items().start_fn().unwrap_or_else(|| {
412                tcx.dcx().fatal("could not find start lang item");
413            });
414            let main_ret_ty = tcx.fn_sig(entry_id).no_bound_vars().unwrap().output();
415            let main_ret_ty = main_ret_ty.no_bound_vars().unwrap();
416            let start_instance = ty::Instance::try_resolve(
417                tcx,
418                typing_env,
419                start_id,
420                tcx.mk_args(&[ty::GenericArg::from(main_ret_ty)]),
421            )
422            .unwrap()
423            .unwrap();
424
425            let main_ptr = ecx.fn_ptr(FnVal::Instance(entry_instance));
426
427            // Always using DEFAULT is okay since we don't support signals in Miri anyway.
428            // (This means we are effectively ignoring `-Zon-broken-pipe`.)
429            let sigpipe = rustc_session::config::sigpipe::DEFAULT;
430
431            ecx.call_function(
432                start_instance,
433                ExternAbi::Rust,
434                &[
435                    ImmTy::from_scalar(
436                        Scalar::from_pointer(main_ptr, &ecx),
437                        // FIXME use a proper fn ptr type
438                        ecx.machine.layouts.const_raw_ptr,
439                    ),
440                    argc,
441                    argv,
442                    ImmTy::from_uint(sigpipe, ecx.machine.layouts.u8),
443                ],
444                Some(&ret_place),
445                StackPopCleanup::Root { cleanup: true },
446            )?;
447        }
448        MiriEntryFnType::MiriStart => {
449            ecx.call_function(
450                entry_instance,
451                ExternAbi::Rust,
452                &[argc, argv],
453                Some(&ret_place),
454                StackPopCleanup::Root { cleanup: true },
455            )?;
456        }
457    }
458
459    interp_ok(ecx)
460}
461
462/// Evaluates the entry function specified by `entry_id`.
463/// Returns `Some(return_code)` if program execution completed.
464/// Returns `None` if an evaluation error occurred.
465pub fn eval_entry<'tcx>(
466    tcx: TyCtxt<'tcx>,
467    entry_id: DefId,
468    entry_type: MiriEntryFnType,
469    config: &MiriConfig,
470    genmc_ctx: Option<Rc<GenmcCtx>>,
471) -> Option<i32> {
472    // Copy setting before we move `config`.
473    let ignore_leaks = config.ignore_leaks;
474
475    if let Some(genmc_ctx) = &genmc_ctx {
476        genmc_ctx.handle_execution_start();
477    }
478
479    let mut ecx = match create_ecx(tcx, entry_id, entry_type, config, genmc_ctx).report_err() {
480        Ok(v) => v,
481        Err(err) => {
482            let (kind, backtrace) = err.into_parts();
483            backtrace.print_backtrace();
484            panic!("Miri initialization error: {kind:?}")
485        }
486    };
487
488    // Perform the main execution.
489    let res: thread::Result<InterpResult<'_, !>> =
490        panic::catch_unwind(AssertUnwindSafe(|| ecx.run_threads()));
491    let res = res.unwrap_or_else(|panic_payload| {
492        ecx.handle_ice();
493        panic::resume_unwind(panic_payload)
494    });
495    // `Ok` can never happen; the interpreter loop always exits with an "error"
496    // (but that "error" might be just "regular program termination").
497    let Err(err) = res.report_err();
498
499    // Show diagnostic, if any.
500    let (return_code, leak_check) = report_error(&ecx, err)?;
501
502    // We inform GenMC that the execution is complete.
503    if let Some(genmc_ctx) = ecx.machine.data_race.as_genmc_ref()
504        && let Err(error) = genmc_ctx.handle_execution_end(&ecx)
505    {
506        // FIXME(GenMC): Improve error reporting.
507        tcx.dcx().err(format!("GenMC returned an error: \"{error}\""));
508        return None;
509    }
510
511    // If we get here there was no fatal error.
512
513    // Possibly check for memory leaks.
514    if leak_check && !ignore_leaks {
515        // Check for thread leaks.
516        if !ecx.have_all_terminated() {
517            tcx.dcx().err("the main thread terminated without waiting for all remaining threads");
518            tcx.dcx().note("set `MIRIFLAGS=-Zmiri-ignore-leaks` to disable this check");
519            return None;
520        }
521        // Check for memory leaks.
522        info!("Additional static roots: {:?}", ecx.machine.static_roots);
523        let leaks = ecx.take_leaked_allocations(|ecx| &ecx.machine.static_roots);
524        if !leaks.is_empty() {
525            report_leaks(&ecx, leaks);
526            tcx.dcx().note("set `MIRIFLAGS=-Zmiri-ignore-leaks` to disable this check");
527            // Ignore the provided return code - let the reported error
528            // determine the return code.
529            return None;
530        }
531    }
532    Some(return_code)
533}
534
535/// Turns an array of arguments into a Windows command line string.
536///
537/// The string will be UTF-16 encoded and NUL terminated.
538///
539/// Panics if the zeroth argument contains the `"` character because doublequotes
540/// in `argv[0]` cannot be encoded using the standard command line parsing rules.
541///
542/// Further reading:
543/// * [Parsing C++ command-line arguments](https://docs.microsoft.com/en-us/cpp/cpp/main-function-command-line-args?view=msvc-160#parsing-c-command-line-arguments)
544/// * [The C/C++ Parameter Parsing Rules](https://daviddeley.com/autohotkey/parameters/parameters.htm#WINCRULES)
545fn args_to_utf16_command_string<I, T>(mut args: I) -> Vec<u16>
546where
547    I: Iterator<Item = T>,
548    T: AsRef<str>,
549{
550    // Parse argv[0]. Slashes aren't escaped. Literal double quotes are not allowed.
551    let mut cmd = {
552        let arg0 = if let Some(arg0) = args.next() {
553            arg0
554        } else {
555            return vec![0];
556        };
557        let arg0 = arg0.as_ref();
558        if arg0.contains('"') {
559            panic!("argv[0] cannot contain a doublequote (\") character");
560        } else {
561            // Always surround argv[0] with quotes.
562            let mut s = String::new();
563            s.push('"');
564            s.push_str(arg0);
565            s.push('"');
566            s
567        }
568    };
569
570    // Build the other arguments.
571    for arg in args {
572        let arg = arg.as_ref();
573        cmd.push(' ');
574        if arg.is_empty() {
575            cmd.push_str("\"\"");
576        } else if !arg.bytes().any(|c| matches!(c, b'"' | b'\t' | b' ')) {
577            // No quote, tab, or space -- no escaping required.
578            cmd.push_str(arg);
579        } else {
580            // Spaces and tabs are escaped by surrounding them in quotes.
581            // Quotes are themselves escaped by using backslashes when in a
582            // quoted block.
583            // Backslashes only need to be escaped when one or more are directly
584            // followed by a quote. Otherwise they are taken literally.
585
586            cmd.push('"');
587            let mut chars = arg.chars().peekable();
588            loop {
589                let mut nslashes = 0;
590                while let Some(&'\\') = chars.peek() {
591                    chars.next();
592                    nslashes += 1;
593                }
594
595                match chars.next() {
596                    Some('"') => {
597                        cmd.extend(iter::repeat_n('\\', nslashes * 2 + 1));
598                        cmd.push('"');
599                    }
600                    Some(c) => {
601                        cmd.extend(iter::repeat_n('\\', nslashes));
602                        cmd.push(c);
603                    }
604                    None => {
605                        cmd.extend(iter::repeat_n('\\', nslashes * 2));
606                        break;
607                    }
608                }
609            }
610            cmd.push('"');
611        }
612    }
613
614    if cmd.contains('\0') {
615        panic!("interior null in command line arguments");
616    }
617    cmd.encode_utf16().chain(iter::once(0)).collect()
618}
619
620#[cfg(test)]
621mod tests {
622    use super::*;
623    #[test]
624    #[should_panic(expected = "argv[0] cannot contain a doublequote (\") character")]
625    fn windows_argv0_panic_on_quote() {
626        args_to_utf16_command_string(["\""].iter());
627    }
628    #[test]
629    fn windows_argv0_no_escape() {
630        // Ensure that a trailing backslash in argv[0] is not escaped.
631        let cmd = String::from_utf16_lossy(&args_to_utf16_command_string(
632            [r"C:\Program Files\", "arg1", "arg 2", "arg \" 3"].iter(),
633        ));
634        assert_eq!(cmd.trim_end_matches('\0'), r#""C:\Program Files\" arg1 "arg 2" "arg \" 3""#);
635    }
636}