Evade borrowck by wrapping your lifetime crimes in a simple closure #112056
Labels
C-bug
Category: This is a bug.
I-unsound
Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
P-critical
Critical priority
regression-from-stable-to-stable
Performance or correctness regression from one stable version to another.
T-types
Relevant to the types team, which will review and decide on the PR/issue.
Comments
cormac-ainc
added
C-bug
rustbot
added
the
I-prioritize
|
@rustbot label I-unsound regression-from-stable-to-stable -regression-untriaged |
rustbot
added
I-unsound
compiler-errors
added
the
T-types
|
WG-prioritization assigning priority (Zulip discussion). @rustbot label -I-prioritize +P-critical |
rustbot
added
P-critical
|
uh, that's not good, looking into it |
|
a smaller guaranteed segfault, needs struct Spooky<'b> {
owned: Option<&'static u32>,
borrowed: &'b &'static u32,
}
impl<'b> Spooky<'b> {
fn create_self_reference<'a>(&'a mut self) {
let mut closure = || {
if let Some(owned) = &self.owned {
let borrow: &'a &'static u32 = owned;
self.borrowed = borrow;
}
};
closure();
}
}
fn main() {
let mut spooky: Spooky<'static> = Spooky {
owned: Some(&1),
borrowed: &&1,
};
spooky.create_self_reference();
spooky.owned = None;
println!("{}", **spooky.borrowed);
} |
This was referenced May 29, 2023
Dylan-DPC
added a commit
to Dylan-DPC/rust
that referenced
this issue
May 30, 2023
…r=oli-obk change `BorrowKind::Unique` to be a mutating `PlaceContext` fixes rust-lang#112056 I believe that `BorrowKind::Unique` is a footgun in general, so I added a FIXME and opened rust-lang#112072. This is a bit too involved for this PR though.
|
keeping this open until beta (and maybe stable) backport |
|
Stable backport complete, beta backport pending. |
|
fixed everywhere now |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
The following code compiles, since February nightlies and on stable version 1.69 (no older stable versions are affected). (playground):
This is clearly a use-after-free. On my Linux machine it prints a garbage string. It should not compile at all, the error should be basically the same as if you didn't wrap the offending lines in a closure. The issue still occurs with
self.borrowed = &self.owned, the annotations are just for clarity.The problem was introduced in #107969.
Hat tip to @ladecaz for writing the cursed code that got us here.
cargo-bisect-rustc results
searched nightlies: from nightly-2021-04-25 to nightly-2023-05-29
regressed nightly: nightly-2023-02-21
searched commit range: 7aa413d...5243ea5
regressed commit: e7eaed2
bisected with cargo-bisect-rustc v0.6.6
Host triple: x86_64-unknown-linux-gnu
Reproduce with:
The text was updated successfully, but these errors were encountered: