Unsound drop due to imperfect lifetime checks #90838

Closed
Patryk27 opened this issue Nov 12, 2021 · 7 comments · Fixed by #90840
Assignees
Labels
A-destructors Area: Destructors (`Drop`, …) A-lifetimes Area: Lifetimes / regions C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness P-critical Critical priority regression-from-stable-to-stable Performance or correctness regression from one stable version to another. T-compiler Relevant to the compiler team, which will review and decide on the PR/issue.

Comments

@Patryk27
Contributor

Patryk27 commented Nov 12, 2021

Looks like it's possible to impl Drop for a stricter lifetime than the one used in the type:

```rust
struct Wrapper<'a, T>(&'a T)
where
    T: 'a;

impl<'a, T> Drop for Wrapper<'a, T>
where
    T: 'static, // ayy ayy
{
    fn drop(&mut self) {
        //
    }
}
```

... which essentially allows one to transmute from `T: 'a` to `T: 'static`, leading to unsoundness:

```rust
use std::{
    fmt::Debug,
    thread::{sleep, spawn},
    time::Duration,
};

struct Wrapper<'a, T>(&'a T)
where
    T: Clone + Debug + Send + 'a;

impl<'a, T> Drop for Wrapper<'a, T>
where
    T: Clone + Debug + Send + 'static,
{
    fn drop(&mut self) {
        let value = self.0.to_owned();

        spawn(move || {
            // Wait for `main()` to finish dropping `self.0`
            sleep(Duration::from_millis(100));

            // Use-after-free
            println!("value: {:?}", value);
        });
    }
}

#[derive(Clone, Copy, Debug)]
struct StringWrapper<'a>(&'a String);

fn main() {
    let _ = Wrapper(&StringWrapper(&String::from("Hello!")));

    // Wait for the thread to complete
    sleep(Duration::from_secs(1));
}
```

On my machine, it prints:

value: StringWrapper("SU�Y\u{5}\u{0}")
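The sound shape of the same wrapper, added here as an example and not code from the issue or the fix: the bounds that `drop` relies on (`Clone + Send + 'static`) are declared on the struct itself, so the compiler checks them when the wrapper is constructed, and `Wrapper(&StringWrapper(&s), ...)` with a non-`'static` borrow is rejected instead of being "transmuted" by the destructor. The channel field, `drop_and_recover` and the `mpsc` round trip (in place of the issue's `sleep`) are my additions.

```rust
use std::fmt::Debug;
use std::sync::mpsc::{channel, Sender};
use std::thread;

// The struct carries every bound the destructor needs, so a caller can only
// construct it with a `T` that is actually safe to clone and send away.
struct Wrapper<'a, T>(&'a T, Sender<T>)
where
    T: Clone + Debug + Send + 'static;

impl<'a, T> Drop for Wrapper<'a, T>
where
    T: Clone + Debug + Send + 'static, // identical to the struct's bounds
{
    fn drop(&mut self) {
        // `T: 'static` is guaranteed by the struct, so the owned clone may
        // outlive the borrow `self.0` and move to another thread.
        let value = self.0.clone();
        let tx = self.1.clone();
        thread::spawn(move || {
            // Hypothetical hand-off replacing the issue's timed sleep.
            let _ = tx.send(value);
        });
    }
}

/// Wraps a borrow of `value`, drops the wrapper, and returns the clone that
/// the destructor's thread sent back after the borrow had already ended.
fn drop_and_recover<T>(value: T) -> T
where
    T: Clone + Debug + Send + 'static,
{
    let (tx, rx) = channel();
    {
        let _w = Wrapper(&value, tx);
    } // `_w` is dropped here; only an owned clone of `value` escapes.
    rx.recv().expect("destructor thread sent the clone")
}

fn main() {
    // `String: 'static`, so this compiles and is sound.
    println!("recovered: {:?}", drop_and_recover(String::from("Hello!")));
    // `StringWrapper<'a>(&'a String)` from the issue is not `'static`, so
    // `Wrapper(&StringWrapper(&s), tx)` fails to type-check against this struct.
}
```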
@Patryk27 Patryk27 added the C-bug Category: This is a bug. label Nov 12, 2021
@camelid camelid added A-destructors Area: Destructors (`Drop`, …) A-lifetimes Area: Lifetimes / regions I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness labels Nov 12, 2021
@rustbot rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Nov 12, 2021
@camelid camelid added the T-compiler Relevant to the compiler team, which will review and decide on the PR/issue. label Nov 12, 2021
@BoxyUwU
Member

BoxyUwU commented Nov 12, 2021

oops...

@camelid
Member

camelid commented Nov 12, 2021

Looks like this regressed in 1.56.0.

@camelid camelid added the regression-from-stable-to-stable Performance or correctness regression from one stable version to another. label Nov 12, 2021
@BoxyUwU
Member

BoxyUwU commented Nov 12, 2021

#87770 introduced this

@bors bors closed this as completed in e273fab Nov 14, 2021
@camelid
Member

camelid commented Nov 16, 2021

Re-opening to track beta/stable backport.

@camelid camelid reopened this Nov 16, 2021
@apiraino
Contributor

Assigning priority as discussed in the Zulip thread of the Prioritization Working Group.

@rustbot label -I-prioritize +P-critical

@rustbot rustbot added P-critical Critical priority and removed I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels Nov 18, 2021
@pnkfelix pnkfelix self-assigned this Nov 18, 2021
@pnkfelix
Member

pnkfelix commented Nov 22, 2021

(I'm investigating making a more limited version of this PR #90840 for backporting to beta/stable.)

@pnkfelix
Member

pnkfelix commented Dec 2, 2021

we ended up backporting #90840 itself to the 1.57 release. So this is now closed.

@pnkfelix pnkfelix closed this as completed Dec 2, 2021