Use After Free in safe code using Vec and HashMap #19537
Comments
The problem seems to be that we are constraining the pattern with a region that is too small. It should be the enclosing block. I'm trying to figure out just why it is doing that, the code looks not obviously wrong. |
If you remove the |
I take it back, I am incorrect about the source of the bug, but certainly you should not be able to call |
It wouldn't be unheard of for this to be a bug in either collection's unsafe handling. |
I'm wondering why this isn't a segfault since the two strings those slices point to should have been dropped in |
The bug I posted on reddit found its way to the issue tracker, I haven't studied the issue further, but hopefully the problem is in unsafe-code from the collections library. |
I believe the following code highlights the same bug:

```rust
struct Bar<'a> {
    i: i32,
    j: Option<&'a i32>,
}

impl<'a> Bar<'a> {
    fn new() -> Bar<'a> {
        Bar { i: 0, j: None }
    }

    // `&'a mut self` ties this borrow to the struct's whole lifetime `'a`.
    fn set(&'a mut self, i: i32) {
        self.i = i;
        // Self-referential: `j` now points at `self.i`.
        self.j = Some(&self.i);
    }
}

fn main() {
    let mut bar = Bar::new();
    bar.set(1);
    let j: &i32 = bar.j.unwrap();
    println!("{}", j);
    // Writes `i` while `j` still aliases it; this should be rejected.
    bar.i = 2;
    println!("{}", j);
}
```

Note that although |
@TimNN Same thing happens there, too. You can't shadow Technically you shouldn't be able to do this at all. |
Tried it with a bunch of other collections, and it works. Probably isn't an |
The problem is, I believe, that the rust compiler doesn't realise that due to the |
This is an issue with autoderef (free functions and method on a newtype of |
Seems to be similar to #18566 (which is fixed, though). |
Rust 0.12.0 correctly reports an error: http://is.gd/VXLgyb. |
Minimal example:

```rust
#![feature(tuple_indexing)]

pub struct Bar<'a>(i32, &'a i32);

impl<'a> Bar<'a> {
    pub fn set(&'a mut self) {
        self.1 = &self.0;
    }
}

// if I use this instead of bar.set I get a borrowck error
//pub fn set<'a>(b: &'a mut Bar<'a>) {
//    b.1 = &b.0;
//}

pub fn unsound<'f>(bar: &'f mut Bar<'f>) -> &'f mut Bar<'f> {
    bar.set();
    bar
}

fn main() {
    let r = &0i32;
    let b = &mut Bar(0, r);
    let b = unsound(b);
    let new_r = &b.1;
    b.0 = 1;
    println!("{}", new_r);
}
```
|
This seems like a regionck bug:

```rust
#![feature(tuple_indexing)]

pub struct Bar<'bar>(&'bar i32);

impl<'bari> Bar<'bari> {
    pub fn get_ref(&'bari mut self) -> &'bari mut &'bari i32 {
        &mut self.0
    }
}

pub fn unsound_2<'f, 'g>(bar: &'g mut Bar<'f>) -> &'g mut &'g i32 {
    bar.get_ref()
}

fn main() {
    let r = &0i32;
    let bar = &mut Bar(r);
    let mut v = 0;
    {
        let ir = unsound_2(bar);
        *ir = &v;
    }
    v = 1;
    println!("{}", bar.0);
}
```
|
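The three snippets above all share one shape: a method whose `self` borrow is tied to the struct's own lifetime parameter (`&'a mut self` on `impl<'a> Bar<'a>`), which lets a reference into `self` be stored back into `self` and later aliased by a write. The block below is an added example, not code from the issue or from the Rust project, showing the sound shape of both `set` and `get_ref`: `self` is borrowed for its own short lifetime, so the only thing that can be stored in the `'a` slot is a reference that already lives for `'a` and points outside the struct. The `external` parameter and the `mutate_after_share` and `rebind` helpers are assumptions introduced here for illustration.

```rust
// Added example (not from the issue thread). Sound counterparts of the
// `set` / `get_ref` signatures discussed above. `external`,
// `mutate_after_share` and `rebind` are names introduced for this example.

/// A struct that borrows an `i32` living *outside* of it for lifetime `'a`.
pub struct Bar<'a> {
    pub i: i32,
    pub j: Option<&'a i32>,
}

impl<'a> Bar<'a> {
    pub fn new() -> Bar<'a> {
        Bar { i: 0, j: None }
    }

    /// `&mut self` here has its own elided lifetime, shorter than `'a`.
    /// With that signature `self.j = Some(&self.i)` does not type-check:
    /// the borrow of `self.i` only lasts for this call, while `j` needs `'a`.
    /// So the only storable value is a reference that already lives for `'a`.
    pub fn set(&mut self, i: i32, external: &'a i32) {
        self.i = i;
        self.j = Some(external);
    }

    /// Sound counterpart of the posted `get_ref`: the outer `&mut` is tied to
    /// this call, the inner `&'a i32` keeps the struct's lifetime. The posted
    /// `&'bari mut self -> &'bari mut &'bari i32` conflated the two.
    pub fn get_ref(&mut self) -> &mut Option<&'a i32> {
        &mut self.j
    }
}

/// Mutating `bar.i` after handing out `j` cannot be a use-after-free here:
/// `j` is a copy of an `Option<&'a i32>` pointing at `external`, not into `bar`.
/// Returns (value read before the write, value read after, final `bar.i`).
pub fn mutate_after_share(external: &i32) -> (i32, i32, i32) {
    let mut bar = Bar::new();
    bar.set(1, external);
    let j: &i32 = bar.j.unwrap(); // copies the `&'a i32` out; no borrow of `bar`
    let before = *j;
    bar.i = 2; // allowed: `j` does not alias `bar.i`
    (before, *j, bar.i)
}

/// Rebinding through `get_ref`: the new target must outlive `'a`. A local
/// declared after `bar` would be rejected at compile time (as the posted
/// `*ir = &v` should have been); a parameter with lifetime `'a` is accepted.
pub fn rebind<'a>(original: &'a i32, replacement: &'a i32) -> i32 {
    let mut bar = Bar::new();
    bar.set(0, original);
    *bar.get_ref() = Some(replacement);
    *bar.j.unwrap()
}

fn main() {
    let v = 7;
    println!("{:?}", mutate_after_share(&v)); // (7, 7, 2)
    let (a, b) = (1, 2);
    println!("{}", rebind(&a, &b)); // 2
}
```

If you change `set` back to `fn set(&'a mut self, ...)`, the call `bar.set(...)` borrows `bar` mutably for all of `'a`, and every later use of `bar` in the same function is a borrow-check error; that is the behaviour the fix in the thread restores.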
…hen constructing generics, so that we don't add unnecessary region parameters. 2. Correct the DeBruijn indices when substituting the self type into the method signature. Previously, the DeBruijn index for the self type was not being adjusted to account for the fn binder. This mean that when late-bound regions were instantiated, you sometimes wind up with two distinct lifetimes. Fixes rust-lang#19537.
This was introduced by HRTB, fix is in #19544 |
P-backcompat-lang. 1.0 patch enqueued. |
**First commit.** Patch up debruijn indices. Fixes #19537. **Second commit.** Stop reborrowing so much. Fixes #19147. Fixes #19261. r? @nick29581
Output:
via
CC @nikomatsakis