Skip to content

/rust

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Can access invalid memory and cause sigsegv using safe Rust #31852

Closed
ruuda opened this Issue Feb 23, 2016 · 5 comments

Comments

Assignees
No one assigned
Labels
I-nominated T-compiler
Projects
None yet
Milestone
No milestone
3 participants
@ruuda @alexcrichton @rust-highfive
@ruuda
Copy link
Contributor

ruuda commented Feb 23, 2016

When working on a crate I discovered the following issue. I did not succeed in making a minimal example that reproduces on play.rust-lang.org, so let me just link to the actual code:

Note how this prints the contents of some memory that the function shouldn’t be able to access, and then terminates with sigsegv.

An observation: with reexports it is possible to reexport a type on which a method is defined that returns a type that is not reexported. In a sense this allows returning anonymous types. In the documentation these types are named but they do not link to a documentation page, and if you name them explicitly the compiler complains because they are not public. I am not sure whether this is a bug or feature.

Related (what initially made me suspicious): this function mutates a variable that was borrowed mutably by a closure.
@ruuda

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

ruuda commented Feb 23, 2016

Oh, and rustc version: rustc 1.8.0-nightly (75271d8f1 2016-02-09). I updated to rustc 1.8.0-nightly (c8fc4817d 2016-02-22) and the issue is still present.
@alexcrichton

This comment has been minimized.

Sign in to view
Copy link
Member

alexcrichton commented Feb 23, 2016

After reducing this, it looks like the bug is that the compiler accepts this:

trait Foo {                          
    fn foo<T>(&self, t: T);          
}                                    

impl Foo for i32 {                   
    fn foo<T: 'static>(&self, t: T) {
    }                                
}                                    

fn foo(a: i32, not_static: &i32) {   
    a.foo(not_static);               
}

The i32 implementation is allowed to assume it's only given 'static content, when in fact we can feed in anything!
@alexcrichton

This comment has been minimized.

Sign in to view
Copy link
Member

alexcrichton commented Feb 23, 2016

In your code specifically @ruud-v-a the Observable::subscribe method requires just an O parameter whereas SubjectObservable::subscribe adds on 'static
@alexcrichton

This comment has been minimized.

Sign in to view
Copy link
Member

alexcrichton commented Feb 23, 2016

triage: I-nominated

This seems familiar as in we've had it reported before, but... I thought we fixed it with a bunch of well-formededness RFCs? Seems good to get visibility though!

cc @rust-lang/compiler

@rust-highfive rust-highfive added the I-nominated label Feb 23, 2016

@alexcrichton alexcrichton added the T-compiler label Feb 23, 2016

@alexcrichton

This comment has been minimized.

Sign in to view
Copy link
Member

alexcrichton commented Feb 23, 2016

Aha! and @nikomatsakis pointed out on IRC that this is #18937, so I'll just close in favor of that. Thanks for the report though @ruud-v-a!

@alexcrichton alexcrichton closed this Feb 23, 2016

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.