Borrowed pointers in destructors enable use-after-free crashes #3167

bblum opened this Issue Aug 9, 2012 · 3 comments


None yet
3 participants

bblum commented Aug 9, 2012

This struct has a borrowed pointer to another one of itself. By making it mutable, I can build a cycle, and then no matter the order that the destructors run, the second one will segfault because the first one's id will have been freed.

This is sort of related to #3164, and more closely related to #3039.

Probably accessing mutable &-pointers in destructors should be unsafe. If they are immutable, it should be impossible to build a cycle.

struct oops {
    mut a: option<&oops>;
    id: ~~str;
    new(+a: option<&oops>, +id: ~~str) {
        self.a = a; = id; 
    drop {
        do self.a.iter |nbr| {
            #error["Me: %?; Neighbour: %?",,];

fn main() {
    let x = oops(none, ~~"x");
    let y = oops(some(&x), ~~"y");
    x.a = some(&y);

bblum commented Sep 6, 2012

It occurs to me I could also abuse the cycle collector to cause even immutable borrowed pointers to escape their lifetimes. Build a cycle of @-boxes with a borrowed pointer to a thing in it, don't refer to the cycle after the thing gets freed, but the cycle is not collected until later, at which point if the destructors access it it's a use-after-free.


catamorphism commented Mar 29, 2013

Blocked on #4301 -- de-milestoning.


thestinger commented Mar 29, 2013

d4fee24 limited destructors to Owned types, so this is disallowed now.

thestinger closed this Mar 29, 2013

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment