From 142e7f3c5058f498f263c24d94604e5e6521d358 Mon Sep 17 00:00:00 2001
From: TheRawMeatball
Date: Fri, 4 Feb 2022 03:21:31 +0000
Subject: [PATCH] Backport soundness fix (#3685)
#3001 discovered a soundness bug in World::resource_scope, this PR backports the fix with a smaller PR to patch out the bug sooner. Fixes #3147
---
crates/bevy_ecs/src/world/mod.rs | 18 ++++++++++++------
1 file changed, 12 insertions(+), 6 deletions(-)
diff --git a/crates/bevy_ecs/src/world/mod.rs b/crates/bevy_ecs/src/world/mod.rs
index f53f4f38508d0..c39528285ebd5 100644
--- a/crates/bevy_ecs/src/world/mod.rs
+++ b/crates/bevy_ecs/src/world/mod.rs
@@ -926,24 +926,30 @@ impl World {
 // the ptr value / drop is called when T is dropped
 unsafe { column.swap_remove_and_forget_unchecked(0) }
 };
- // SAFE: pointer is of type T
- let value = Mut {
- value: unsafe { &mut *ptr.cast::() },
+ // SAFE: pointer is of type T and valid to move out of
+ // Read the value onto the stack to avoid potential mut aliasing.
+ let mut value = unsafe { std::ptr::read(ptr.cast::()) };
+ let value_mut = Mut {
+ value: &mut value,
 ticks: Ticks {
 component_ticks: &mut ticks,
 last_change_tick: self.last_change_tick(),
 change_tick: self.change_tick(),
 },
 };
- let result = f(self, value);
+ let result = f(self, value_mut);
+ assert!(!self.contains_resource::());
 let resource_archetype = self.archetypes.resource_mut();
 let unique_components = resource_archetype.unique_components_mut();
 let column = unique_components
 .get_mut(component_id)
 .unwrap_or_else(|| panic!("resource does not exist: {}", std::any::type_name::()));
+
+ // Wrap the value in MaybeUninit to prepare for passing the value back into the ECS
+ let mut nodrop_wrapped_value = std::mem::MaybeUninit::new(value);
 unsafe {
- // SAFE: pointer is of type T
- column.push(ptr, ticks);
+ // SAFE: pointer is of type T, and valid to move out of
+ column.push(nodrop_wrapped_value.as_mut_ptr() as *mut _, ticks);
 }
 result
 }
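Review bot: The `assert!` added right after `f(self, value_mut)` panics with only the stringified condition, and nothing in the hunk documents that `resource_scope` now panics when the closure re-inserts the resource it was handed. Give it a message in the style of the `unwrap_or_else` panic below it, for example `assert!(!self.contains_resource::<T>(), "resource {} was inserted inside resource_scope", std::any::type_name::<T>());` (assuming the type argument stripped from this rendering is `T`), and add a `# Panics` section to the method's doc comment, which starts outside the hunk. The SAFE comment on `std::ptr::read` should also say why moving out is valid: per the context comment above it, the column gave up the slot in `swap_remove_and_forget_unchecked`, so the stack copy is the only owner until `column.push` takes the bytes back. The diffstat lists only `world/mod.rs`, so a `#[should_panic]` test that inserts the same resource type inside the closure would be worth adding to pin the check.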