Fix soundness hole in FSA due to nested drops #146
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Imagine a `Gc<T>` where `T` has a finalizer. Up until now, a value `v`
allocated locally inside `T::drop` could create a backdoor where
non-finalizer-safe stuff can happen without FSA knowing about it.
Consider the following example:
```rust
struct S { .. }
impl Drop for S {
fn drop(&mut self) {
... // something unsound if called from finalizer.
}
}
struct T { .. }
impl Drop for T {
fn drop(&mut self) {
let s = S { .. };
} // also calls 'S::drop' for the local 's'.
}
fn main() { Gc::new(T::new()) }
```
This program is unsound, but it would *not* be caught by FSA. By
allowing the alloca of `s`, we have inadvertently run the unsound nested
`S::drop` inside a finalizer without checking.
Note that my use of the term 'nested drops' here is distinct from drop
glue. Drop glue (i.e. where the drop methods for fields of a type are
automatically called too) works as intended.
This commit updates FSA to handle such nested drops. The approach is
very similar to how we handle drop methods which contain functions
calls. Using the same example from above, we know that the MIR for
`T::drop` (the type being finalized) will contain a terminator to call
`S::drop`, so after FSA has finished looking at `T::drop`, it will
obtain and then check the (potentially monomorphized) MIR for `S::drop`.
This fix also works when `S` has drop glue, because that would mean that
drop methods for any of `S`'s fields would also be added as terminators
in the MIR for `T::drop`.
If at any stage, the MIR for S::drop (or any other drop methods in its
drop glue, or anything it calls) is unavailable, then we emit an FSA
error.
With inline assembly you can do just about anything, so all bets are off. Deny!
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Imagine a
Gc<T>whereThas a finalizer. Up until now, a valuevallocated locally insideT::dropcould create a backdoor where non-finalizer-safe stuff can happen without FSA knowing about it. Consider the following example:This program is unsound, but it would not be caught by FSA. By allowing the alloca of
s, we have inadvertently run the unsound nestedS::dropinside a finalizer without checking.Note that my use of the term 'nested drops' here is distinct from drop glue. Drop glue (i.e. where the drop methods for fields of a type are automatically called too) works as intended.
This commit updates FSA to handle such nested drops. The approach is very similar to how we handle drop methods which contain functions calls. Using the same example from above, we know that the MIR for
T::drop(the type being finalized) will contain a terminator to callS::drop, so after FSA has finished looking atT::drop, it will obtain and then check the (potentially monomorphized) MIR forS::drop.This fix also works when
Shas drop glue, because that would mean that drop methods for any ofS's fields would also be added as terminators in the MIR forT::drop.If at any stage, the MIR for S::drop is unavailable, then we emit an FSA error.