Skip to content

HTTPS clone URL

Subversion checkout URL

You can clone with HTTPS or Subversion.

Download ZIP

Loading…

Borrowed pointers in destructors enable use-after-free crashes #3167

Closed
bblum opened this Issue · 3 comments

3 participants

@bblum

This struct has a borrowed pointer to another one of itself. By making it mutable, I can build a cycle, and then no matter the order that the destructors run, the second one will segfault because the first one's id will have been freed.

This is sort of related to #3164, and more closely related to #3039.

Probably accessing mutable &-pointers in destructors should be unsafe. If they are immutable, it should be impossible to build a cycle.

struct oops {
    mut a: option<&oops>;
    id: ~~str;
    new(+a: option<&oops>, +id: ~~str) {
        self.a = a; self.id = id; 
    }   
    drop {
        do self.a.iter |nbr| {
            #error["Me: %?; Neighbour: %?", self.id, nbr.id];
        }   
    }   
}

fn main() {
    let x = oops(none, ~~"x");
    let y = oops(some(&x), ~~"y");
    x.a = some(&y);
}
@bblum

It occurs to me I could also abuse the cycle collector to cause even immutable borrowed pointers to escape their lifetimes. Build a cycle of @-boxes with a borrowed pointer to a thing in it, don't refer to the cycle after the thing gets freed, but the cycle is not collected until later, at which point if the destructors access it it's a use-after-free.

@catamorphism

Blocked on #4301 -- de-milestoning.

@thestinger

d4fee24 limited destructors to Owned types, so this is disallowed now.

@thestinger thestinger closed this
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Something went wrong with that request. Please try again.