ReferencePropagation exposed a latent miscompile, found in the wild with regex

[saethlin]

Better reproducer here: #114488 (comment)

---

I do not have proof that this isn't UB in regex but considering how much we have run that crate in Miri I think it is much more likely that this is a miscompilation of some kind.

fn main() {
    let _ = regex::Regex::new("");
}

Run with this pile of flags, as far as I can tell they are all required

$ RUSTFLAGS="-Cdebuginfo=2 -Zmir-opt-level=2 -Zmir-enable-passes=+DestinationPropagation -Cembed-bitcode=yes -Clto=fat -Cpanic=abort -Copt-level=3" cargo run
   Compiling memchr v2.5.0
   Compiling regex-syntax v0.7.4
   Compiling aho-corasick v1.0.2
   Compiling regex-automata v0.3.4
   Compiling regex v1.9.1
   Compiling scratch v0.1.0 (/tmp/scratch)
    Finished dev [unoptimized + debuginfo] target(s) in 16.62s
     Running `target/x86_64-unknown-linux-gnu/debug/scratch`
Segmentation fault (core dumped)

gdb says the segfault is here:

#0  core::sync::atomic::atomic_add<usize> (dst=0x1)
    at /rustc/474709a9a2a74a8bcf0055fadb335d0ca0d2d939/library/core/src/sync/atomic.rs:3217
#1  core::sync::atomic::AtomicUsize::fetch_add ()
    at /rustc/474709a9a2a74a8bcf0055fadb335d0ca0d2d939/library/core/src/sync/atomic.rs:2545
#2  alloc::sync::{impl#28}::clone<dyn regex_automata::util::prefilter::PrefilterI, alloc::alloc::Global> (self=<optimized out>)
    at /rustc/474709a9a2a74a8bcf0055fadb335d0ca0d2d939/library/alloc/src/sync.rs:2022
#3  regex_automata::util::prefilter::{impl#3}::clone () at src/util/prefilter/mod.rs:141
#4  core::option::{impl#5}::clone<regex_automata::util::prefilter::Prefilter> (self=<optimized out>)
    at /rustc/474709a9a2a74a8bcf0055fadb335d0ca0d2d939/library/core/src/option.rs:1968
#5  regex_automata::meta::wrappers::HybridEngine::new (info=0x7fff9afa5c90, pre=..., nfa=<optimized out>, 
    nfarev=<optimized out>) at src/meta/wrappers.rs:540
#6  regex_automata::meta::wrappers::Hybrid::new (info=0x7fff9afa5c90, pre=..., nfa=<optimized out>, nfarev=0x7fff9afa5e00)
    at src/meta/wrappers.rs:502
#7  0x0000559770000239 in regex_automata::meta::strategy::Core::new (info=..., pre=..., hirs=...) at src/meta/strategy.rs:517
#8  regex_automata::meta::strategy::new (info=<optimized out>, hirs=...) at src/meta/strategy.rs:151
#9  0x000055977002c439 in regex_automata::meta::regex::Builder::build_many_from_hir<regex_syntax::hir::Hir> (
    self=<optimized out>, hirs=...) at src/meta/regex.rs:3464
#10 regex_automata::meta::regex::Builder::build_many<&str> (self=<optimized out>, patterns=...) at src/meta/regex.rs:3352
#11 regex_automata::meta::regex::Builder::build (self=<optimized out>, pattern=...) at src/meta/regex.rs:3271
#12 0x000055976ffc4e88 in regex::builders::Builder::build_one_string (self=0x7fff9afa9488)
    at /home/ben/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-1.9.1/src/builders.rs:77
#13 regex::builders::string::RegexBuilder::build (self=0x7fff9afa9488)
    at /home/ben/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-1.9.1/src/builders.rs:223
#14 regex::regex::string::Regex::new (re=...)
    at /home/ben/.cargo/registry/src/index.crates.io-6f17d22bba15001f/regex-1.9.1/src/regex/string.rs:181
#15 scratch::main () at src/main.rs:2

searched nightlies: from nightly-2023-07-06 to nightly-2023-07-19
regressed nightly: nightly-2023-07-15
searched commit range: 7bd81ee...ad96323
regressed commit: 079e544

bisected with cargo-bisect-rustc v0.6.6

Host triple: x86_64-unknown-linux-gnu
Reproduce with:

cargo bisect-rustc --start 2023-07-06 --end 2023-07-19 --script script 

cc @cjgillot as the author of #109025

[apiraino]

WG-prioritization assigning priority (Zulip discussion).

@rustbot label -I-prioritize +P-high +T-compiler