-
Notifications
You must be signed in to change notification settings - Fork 0
/
stack.rs
78 lines (75 loc) · 2.21 KB
/
stack.rs
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
use std::ptr::null_mut;
use std::sync::atomic::{Ordering::*, *};
// this stack uses the wrong orderings in some places and has ABA issues leading
// to the possibility of UAF and other bugs
pub struct BuggyStack<T> {
head: AtomicPtr<BuggyNode<T>>,
_boo: core::marker::PhantomData<T>,
}
struct BuggyNode<T> {
data: T,
next: AtomicPtr<BuggyNode<T>>,
}
impl<T> Drop for BuggyStack<T> {
fn drop(&mut self) {
while self.pop().is_some() {}
}
}
impl<T> BuggyStack<T> {
pub const fn new() -> Self {
Self {
head: AtomicPtr::new(null_mut()),
_boo: core::marker::PhantomData,
}
}
}
impl<T> BuggyStack<T> {
pub fn push(&self, data: T) {
let n = Box::into_raw(Box::new(BuggyNode {
next: AtomicPtr::new(null_mut()),
data,
}));
let mut next = self.head.load(Relaxed);
loop {
unsafe {
(*n).next.store(next, Relaxed);
}
match self.head.compare_exchange_weak(next, n, Release, Relaxed) {
Ok(_) => break,
Err(new) => next = new,
}
}
}
pub fn pop(&self) -> Option<T> {
let mut n = self.head.load(Acquire);
loop {
if n.is_null() {
return None;
}
let next = unsafe { (*n).next.load(Relaxed) };
match self.head.compare_exchange_weak(n, next, Acquire, Acquire) {
Ok(_) => break,
Err(h) => n = h,
}
}
debug_assert!(!n.is_null());
let n = unsafe { Box::from_raw(n) };
Some(n.data)
}
}
// send+sync for sendable data.
unsafe impl<T> Send for BuggyStack<T> where T: Send + 'static {}
unsafe impl<T> Sync for BuggyStack<T> where T: Send + 'static {}
fn main() {
cobb::run_test(cobb::TestCfg::<BuggyStack<usize>> {
threads: if cfg!(miri) { 8 } else { 16 },
iterations: if cfg!(miri) { 100 } else { 1000 },
sub_iterations: if cfg!(miri) { 10 } else { 20 },
setup: || BuggyStack::new(),
test: |stk, tctx| {
stk.push(tctx.thread_index());
let _ = stk.pop();
},
..Default::default()
});
}