-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Double free in Vec::dedup_by when T's drop panics #85613
Comments
@rustbot label regression-from-stable-to-stable |
Assigning @rustbot modify labels +P-critical -I-prioritize |
Interestingly there was a test for this, but it is wrong. rust/library/alloc/tests/vec.rs Lines 2234 to 2285 in d8af907
The |
Learning about a double-free I introduced, a year later... 👀 |
rust/library/alloc/src/vec/mod.rs
Lines 1608 to 1637 in d8af907
gap.read
is not updated (line 1636) whendrop_in_place
(line 1623) panics. This letsFillGapOnDrop
'sDrop
implementation to retain the already dropped element.The bug was introduced in #82191 and affects stable Rust versions >= 1.52. Here is the playground link that demonstrates the double free without using unsafe Rust code.
Meta
rustc --version --verbose
:The text was updated successfully, but these errors were encountered: