Mutable slices as function parameters allow aliasing mutable references

[abonander]

This currently affects all 3 release channels.

If you have a mutable slice of references as an input to a function, it allows borrows to escape and cause aliasing. The following example compiles and prints "3", but it shouldn't compile at all (Playground):

fn save_ref<'a>(refr: &'a i32, to: &mut [&'a i32]) {
    for val in &mut *to {
        *val = refr;
    }
}

fn main() {
    let ref init = 0i32;
    let ref mut refr = 1i32;

    let mut out = [init];
    
    save_ref(&*refr, &mut out);
    
    // This shouldn't be allowed as `refr` is borrowed
    *refr = 3;
    
    // Prints 3?!
    println!("{:?}", out[0]);
}

This appears to be tied to slices as the non-slice equivalent fails to compile as expected (Playground):

fn save_ref<'a>(refr: &'a i32, to: &mut &'a i32) {
    *to = refr;
}

fn main() {
    let ref mut refr = 1i32;
    let mut out = &0i32;
    
    save_ref(&*refr, &mut out);
    
    // ERROR: cannot assign to `*refr` because it is borrowed
    *refr = 3;

    println!("{:?}", out);
}

cc seanmonstar/httparse#34

[alexcrichton]

cc @rust-lang/compiler

[eddyb]

This is genuinely scary. I would've expected [T; N]: Unsize<[T]> to link up the lifetimes, but if it doesn't... Borrows are based on lifetimes, the same lifetimes that prevent use-after-free. If this has to do with unsizing in general, then it could mean you can produce any lifetime you want?!

[eddyb]

Single-function, use-after-free, and showing that the lifetime can become 'static:

fn prove_static(_: [&'static str; 1]) {}

fn main() {
    let mut out = ["foo"];
    {
        let mut x = String::from("bar");
        let slice: &mut [_] = &mut out;
        slice[0] = &x[..];
    }
    let _new = String::from("boo");
    println!("{}", out[0]);
    prove_static(out);
}

[eddyb]

General-purpose lifetime_transmute (well, limited to references but still very much unsound):

fn prove_static<T: 'static + ?Sized>(_: &'static T) {}

fn lifetime_transmute<'a, T: ?Sized>(x: &'a T, y: &T) -> &'a T {
    let mut out = [x];
    (&mut out as &mut [_])[0] = y;
    out[0]
}

fn main() {
    prove_static(lifetime_transmute("", &String::from("foo")));
}

[eddyb]

fn lifetime_transmute<'a, 'b, T: ?Sized>(x: &'a T, y: &'b T) -> &'a T {
    let mut out = [x];
    // Neither 'a nor 'b work here, they both error correctly.
    (&mut out as &mut [&'b T])[0] = y;
    out[0]
}

Maybe we're using subtyping in the wrong direction, or should be using equality instead?

EDIT: Yupp, subtyping alright (two more cases above and below).

EDIT2: Just confirmed it was introduced by #24619, you get an error in 1.0.

[abonander]

Good stuff, glad I caught this.

[nikomatsakis]

triage: P-high