Skip to content

/rust

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Borrowck regression: allows segfault in 1.27.1 #52213

Closed
NilSet opened this Issue Jul 10, 2018 · 10 comments

Comments

Assignees

@pnkfelix pnkfelix

Labels
C-bug I-unsound 💥 T-compiler regression-from-stable-to-stable
Projects
  
Fixed in 1.28 regressions
Milestone
No milestone
7 participants
@NilSet @est31 @kennytm @nagisa @arielb1 @stephaneyfx @pnkfelix
@NilSet
Copy link
Contributor

NilSet commented Jul 10, 2018

The following sample correctly fails to build on stable channel, but erroneously passes on beta and nightly.

It's worth noting that with NLL turned on it also correctly fails to build.

enum Inner {
    Stack {
        data: [u8;23]
    },
    Heap {
        capacity: usize,
        data: *mut u8
    }
}

struct SmallString {
    len: usize,
    inner: Inner
}

impl SmallString {
    fn push_str(&mut self, item: &str) {
        match (&mut self.inner, self.len + item.len()) {
            (Inner::Heap { capacity, ref data }, x) => {
                if x > *capacity {
                    self.grow();
                    // data is now null pointer
                }
                unsafe {
                    ::std::ptr::copy_nonoverlapping(item.as_ptr(), data.add(self.len), item.len())
                }
            },
            _ => ()
        }
    }
    fn grow(&mut self){
        // Invalidate borrowed Heap.data
        self.inner = Inner::Stack { data: [0;23] };
    }
}

@NilSet NilSet changed the title Borrowck regression: multiple mut borrows Borrowck regression: allows segfault in safe rust on beta Jul 10, 2018

@NilSet

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

NilSet commented Jul 10, 2018
edited

Here is an example of being able to segfault in safe rust on beta

enum Inner {
    Stack {
        data: [u8;23]
    },
    Heap {
        data: Box<[u8]>
    }
}

struct SmallString {
    len: usize,
    inner: Inner
}

impl SmallString {
    fn push_str(&mut self, item: &str) {
        match (&mut self.inner, self.len + item.len()) {
            (Inner::Heap { data }, x) => {
                println!("{}", data.len());
                if x > data.len() {
                    self.grow();
                    // data is now garbage pointer
                }
                println!("{:?}", data);
            },
            _ => ()
        }
    }
    fn grow(&mut self){
        // Invalidate borrowed Heap.data
        self.inner = Inner::Stack { data: [1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1,0,1] };
    }
}

fn main (){
    let slice = "this is gonna go bad".to_owned().into_bytes().into_boxed_slice();
    let mut ss = SmallString { len: slice.len(), inner: Inner::Heap { data: slice } };
    ss.push_str(" right now");
}

http://play.rust-lang.org/?gist=e9ebe1460df7a817467ee017de9655dc&version=beta&mode=debug&edition=2015

@NilSet NilSet changed the title Borrowck regression: allows segfault in safe rust on beta Borrowck regression: allows segfault in 1.27.1 Jul 10, 2018

@NilSet

This comment has been minimized.

Sign in to view
Copy link
Contributor Author

NilSet commented Jul 10, 2018

Turns out this regression is now also in the new patch release on stable!

@kennytm kennytm added T-compiler regression-from-stable-to-stable I-unsound 💥 C-bug labels Jul 10, 2018

@est31

This comment has been minimized.

Sign in to view
Copy link
Contributor

est31 commented Jul 10, 2018

If this can be reproduced on 1.27.1 but can't be reproduced on 1.27.0 (@NilSet said that on IRC), I guess that this regression is caused by #51686 .
@kennytm

This comment has been minimized.

Sign in to view
Copy link
Member

kennytm commented Jul 10, 2018

cc @nikomatsakis #51686.
@nagisa

This comment has been minimized.

Sign in to view
Copy link
Contributor

nagisa commented Jul 10, 2018

@rust-lang/compiler the obligatory ping to all of you.
@arielb1

This comment has been minimized.

Sign in to view
Copy link
Contributor

arielb1 commented Jul 10, 2018

Minified:

fn transmute_lifetime<'a, 'b, T>(t: &'a (T,)) -> &'b T {
    match (&t, ()) {
        ((t,), ()) => t,
    }
}

fn main() {
    let x = {
        let y = Box::new((42,));
        transmute_lifetime(&y)
    };

    println!("{}", x);
}
@arielb1

This comment has been minimized.

Sign in to view
Copy link
Contributor

arielb1 commented Jul 10, 2018

Did anyone verify that this reproduces on 1.27.1? I am not sure
@arielb1

This comment has been minimized.

Sign in to view
Copy link
Contributor

arielb1 commented Jul 10, 2018

And now I'm in the state of "how does this ever work", given that cat_pattern is returning Err "correctly".
@stephaneyfx

This comment has been minimized.

Sign in to view
Copy link
Contributor

stephaneyfx commented Jul 10, 2018

@arielb1: Your minified example compiles with 1.27.1, and so does the second example in this thread.

@pnkfelix pnkfelix self-assigned this Jul 10, 2018

@arielb1

This comment has been minimized.

Sign in to view
Copy link
Contributor

arielb1 commented Jul 10, 2018
edited

I have a fix up, will push it soon.

@arielb1 arielb1 referenced this issue Jul 10, 2018

Merged

use the adjusted type for cat_pattern in tuple patterns #52232

bors pushed a commit that referenced this issue Jul 11, 2018

@arielb1
use the adjusted type for cat_pattern in tuple patterns 
This looks like a typo introduced in #51686.

Fixes #52213.
05d6e55

bors pushed a commit that referenced this issue Jul 11, 2018

@arielb1
add test for #52213
Loading status checks…
4c04453

bors added a commit that referenced this issue Jul 11, 2018

@bors
Auto merge of #52232 - arielb1:ill-adjusted-tuples, r=pnkfelix 
 use the adjusted type for cat_pattern in tuple patterns

This looks like a typo introduced in #51686.

Fixes #52213.

r? @pnkfelix

beta + stable nominating because regression + unsoundness.
Loading status checks…
4700e11

@bors bors closed this in #52232 Jul 11, 2018

@kennytm kennytm added this to Triaged in 1.28 regressions via automation Jul 11, 2018

@kennytm kennytm moved this from Triaged to Backport in progress in 1.28 regressions Jul 11, 2018

pietroalbini added a commit to pietroalbini/rust that referenced this issue Jul 14, 2018

@arielb1 @pietroalbini
use the adjusted type for cat_pattern in tuple patterns 
This looks like a typo introduced in rust-lang#51686.

Fixes rust-lang#52213.
Verified
This commit was signed with a verified signature.
@pietroalbini pietroalbini Pietro Albini
GPG key ID: E8C1042DD1624519 Learn about signing commits
52d15f6

pietroalbini added a commit to pietroalbini/rust that referenced this issue Jul 14, 2018

@arielb1 @pietroalbini
add test for rust-lang#52213
Verified
This commit was signed with a verified signature.
@pietroalbini pietroalbini Pietro Albini
GPG key ID: E8C1042DD1624519 Learn about signing commits
e0e046c

@pietroalbini pietroalbini moved this from Backport in progress to Fixed in 1.28 regressions Jul 16, 2018

Mark-Simulacrum added a commit to Mark-Simulacrum/rust that referenced this issue Jul 18, 2018

@arielb1 @Mark-Simulacrum
use the adjusted type for cat_pattern in tuple patterns 
This looks like a typo introduced in rust-lang#51686.

Fixes rust-lang#52213.
14655a6

Mark-Simulacrum added a commit to Mark-Simulacrum/rust that referenced this issue Jul 18, 2018

@arielb1 @Mark-Simulacrum
add test for rust-lang#52213
1628b50
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
You can’t perform that action at this time.