-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Drop
and leaking &mut
references
#31567
Comments
The behaviour feels somewhat intuitive to me, but is certainly a memory safety issue. Nominating. cc @rust-lang/lang, I think? EDIT: affects MIR as well, without an obvious fix. |
Minified: struct VecWrapper<'a>(&'a mut S);
struct S(Box<u32>);
fn get_dangling<'a>(v: VecWrapper<'a>) -> &'a u32 {
let s_inner: &'a S = &*v.0;
&s_inner.0
}
impl<'a> Drop for VecWrapper<'a> {
fn drop(&mut self) {
*self.0 = S(Box::new(0));
}
}
fn main() {
let mut s = S(Box::new(11));
let vw = VecWrapper(&mut s);
let dangling = get_dangling(vw);
println!("{}", dangling);
} MIR borrowck would of course catch
|
Here's another minification (playground) struct DropSet<'a>(&'a mut u8);
impl<'a> DropSet<'a> {
fn get(self) -> &'a u8 {
self.0
}
}
impl<'a> Drop for DropSet<'a> {
fn drop(&mut self) {
*self.0 = 0;
}
}
fn main() {
let mut x = 64;
let s = DropSet(&mut x);
let r = s.get();
println!("{}", r);
} |
I suppose we can leave this to fix-by-MIR-borrowck. |
The problem (I think) is the special case rule in the borrow checker concerning |
triage: P-high |
so, just a quick note on some ways @nikomatsakis and I have talked about resolving this:
|
…ng#31567. My new variant, for better or worse, is carrying data that needs the `'tcx` lifetime, so I am threading that onto `bckerr_code`, for better or worse. One might reasonably aruge that the `BckError` already carries a `mc::cmt<'tcx>`, but I claim that distinguishing the identified destructor type is important for the quality of the presented error message. (I am also passing along the identified `owner` lvalue, which is probably of more use for internal debugging and less for error reporting, but we may still want to try to work it into the user-facing message as well.)
…31567. The main thing to fix is that there is too much text, too much code, and too much ad-hoc unchecked reasoning. (Regarding the text, the obvious fix is to recast the presentation of my comments into something appropriate for the README.md file.)
Surely you mean distinguish between a type that has a destructor and a type that may implement |
@arielb1 yes I just meant the more precise analysis needs to use the appropriate predicate (i.e. that the type implements |
I think we can just make it that a MIR |
@pnkfelix and I were talking. I think this can be cleanly integrated into regionck -- in fact, some of the rules that are enforced in borrowck (I suspect) ought to moved to regionck. I'm going to try and tinker a bit here. |
@rust-lang/compiler can you assign someone to this P-high bug? |
I tagged this a regression from a quick scan, but not sure. |
Ah, felix is assigned. Ignore me. |
@brson "stable", "nightly" or "version" do not appear in any comment here and the only mention of a regression is @pnkfelix discussing a potential solution. |
I can reproduce this all the way back to 1.0.0, at least. |
I suspect I won't be able to address this myself in this cycle, so keeping this at P-high is not a great idea. @arielb1 suggests we should let this be fixed by switching to MIR-based borrowck. |
…or-box, r=eddyb [NLL] Dangly paths for box Special-case `Box` in `rustc_mir::borrow_check`. Since we know dropping a box will not access any `&mut` or `&` references, it is safe to model its destructor as only touching the contents *owned* by the box. ---- There are three main things going on here: 1. The first main thing, this PR is fixing a bug in NLL where `rustc` previously would issue a diagnostic error in a case like this: ```rust fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } ``` such code was accepted by the AST-borrowck in the past, but NLL was rejecting it with the following message ([playground](https://play.rust-lang.org/?gist=13c5560f73bfb16d6dab3ceaad44c0f8&version=nightly&mode=release&edition=2015)) ``` error[E0597]: `**x` does not live long enough --> src/main.rs:3:40 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^ - `**x` dropped here while still borrowed | | | borrowed value does not live long enough | note: borrowed value must be valid for the anonymous lifetime rust-lang#1 defined on the function body at 3:1... --> src/main.rs:3:1 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error: aborting due to previous error ``` 2. The second main thing: The reason such code was previously rejected was because NLL (MIR-borrowck) incorporates a fix for issue rust-lang#31567, where it models a destructor's execution as potentially accessing any borrows held by the thing being destructed. The tests with `Scribble` model this, showing that the compiler now catches such unsoundness. However, that fix for issue rust-lang#31567 is too strong, in that NLL (MIR-borrowck) includes `Box` as one of the types with a destructor that potentially accesses any borrows held by the box. This thus was the cause of the main remaining discrepancy between AST-borrowck and MIR-borrowck, as documented in issue rust-lang#45696, specifically in [the last example of this comment](rust-lang#45696 (comment)), which I have adapted into the `fn foo` shown above. We did close issue rust-lang#45696 back in December of 2017, but AFAICT that example was not fixed by PR rust-lang#46268. (And we did not include a test, etc etc.) This PR fixes that case, by trying to model the so-called `DerefPure` semantics of `Box<T>` when we traverse the type of the input to `visit_terminator_drop`. 3. The third main thing is that during a review of the first draft of this PR, @matthewjasper pointed out that the new traversal of `Box<T>` could cause the compiler to infinite loop. I have adjusted the PR to avoid this (by tracking what types we have previously seen), and added a much needed test of this somewhat odd scenario. (Its an odd scenario because the particular case only arises for things like `struct A(Box<A>);`, something which cannot be constructed in practice.) Fix rust-lang#45696.
…or-box, r=eddyb [NLL] Dangly paths for box Special-case `Box` in `rustc_mir::borrow_check`. Since we know dropping a box will not access any `&mut` or `&` references, it is safe to model its destructor as only touching the contents *owned* by the box. ---- There are three main things going on here: 1. The first main thing, this PR is fixing a bug in NLL where `rustc` previously would issue a diagnostic error in a case like this: ```rust fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } ``` such code was accepted by the AST-borrowck in the past, but NLL was rejecting it with the following message ([playground](https://play.rust-lang.org/?gist=13c5560f73bfb16d6dab3ceaad44c0f8&version=nightly&mode=release&edition=2015)) ``` error[E0597]: `**x` does not live long enough --> src/main.rs:3:40 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^ - `**x` dropped here while still borrowed | | | borrowed value does not live long enough | note: borrowed value must be valid for the anonymous lifetime rust-lang#1 defined on the function body at 3:1... --> src/main.rs:3:1 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error: aborting due to previous error ``` 2. The second main thing: The reason such code was previously rejected was because NLL (MIR-borrowck) incorporates a fix for issue rust-lang#31567, where it models a destructor's execution as potentially accessing any borrows held by the thing being destructed. The tests with `Scribble` model this, showing that the compiler now catches such unsoundness. However, that fix for issue rust-lang#31567 is too strong, in that NLL (MIR-borrowck) includes `Box` as one of the types with a destructor that potentially accesses any borrows held by the box. This thus was the cause of the main remaining discrepancy between AST-borrowck and MIR-borrowck, as documented in issue rust-lang#45696, specifically in [the last example of this comment](rust-lang#45696 (comment)), which I have adapted into the `fn foo` shown above. We did close issue rust-lang#45696 back in December of 2017, but AFAICT that example was not fixed by PR rust-lang#46268. (And we did not include a test, etc etc.) This PR fixes that case, by trying to model the so-called `DerefPure` semantics of `Box<T>` when we traverse the type of the input to `visit_terminator_drop`. 3. The third main thing is that during a review of the first draft of this PR, @matthewjasper pointed out that the new traversal of `Box<T>` could cause the compiler to infinite loop. I have adjusted the PR to avoid this (by tracking what types we have previously seen), and added a much needed test of this somewhat odd scenario. (Its an odd scenario because the particular case only arises for things like `struct A(Box<A>);`, something which cannot be constructed in practice.) Fix rust-lang#45696.
…ddyb [NLL] Dangly paths for box Special-case `Box` in `rustc_mir::borrow_check`. Since we know dropping a box will not access any `&mut` or `&` references, it is safe to model its destructor as only touching the contents *owned* by the box. ---- There are three main things going on here: 1. The first main thing, this PR is fixing a bug in NLL where `rustc` previously would issue a diagnostic error in a case like this: ```rust fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } ``` such code was accepted by the AST-borrowck in the past, but NLL was rejecting it with the following message ([playground](https://play.rust-lang.org/?gist=13c5560f73bfb16d6dab3ceaad44c0f8&version=nightly&mode=release&edition=2015)) ``` error[E0597]: `**x` does not live long enough --> src/main.rs:3:40 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^ - `**x` dropped here while still borrowed | | | borrowed value does not live long enough | note: borrowed value must be valid for the anonymous lifetime #1 defined on the function body at 3:1... --> src/main.rs:3:1 | 3 | fn foo(x: Box<&mut i32>) -> &mut i32 { &mut **x } | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ error: aborting due to previous error ``` 2. The second main thing: The reason such code was previously rejected was because NLL (MIR-borrowck) incorporates a fix for issue #31567, where it models a destructor's execution as potentially accessing any borrows held by the thing being destructed. The tests with `Scribble` model this, showing that the compiler now catches such unsoundness. However, that fix for issue #31567 is too strong, in that NLL (MIR-borrowck) includes `Box` as one of the types with a destructor that potentially accesses any borrows held by the box. This thus was the cause of the main remaining discrepancy between AST-borrowck and MIR-borrowck, as documented in issue #45696, specifically in [the last example of this comment](#45696 (comment)), which I have adapted into the `fn foo` shown above. We did close issue #45696 back in December of 2017, but AFAICT that example was not fixed by PR #46268. (And we did not include a test, etc etc.) This PR fixes that case, by trying to model the so-called `DerefPure` semantics of `Box<T>` when we traverse the type of the input to `visit_terminator_drop`. 3. The third main thing is that during a review of the first draft of this PR, @matthewjasper pointed out that the new traversal of `Box<T>` could cause the compiler to infinite loop. I have adjusted the PR to avoid this (by tracking what types we have previously seen), and added a much needed test of this somewhat odd scenario. (Its an odd scenario because the particular case only arises for things like `struct A(Box<A>);`, something which cannot be constructed in practice.) Fix #45696.
Reopening for visibility (other fixed-by-NLL bugs are kept open) |
…hewjasper Rust 2015: No longer downgrade NLL errors As per decision on a language team meeting as described in rust-lang#63565 (comment), in Rust 2015, we refuse to downgrade NLL errors, that AST borrowck accepts, into warnings and keep them as hard errors. The remaining work to throw out AST borrowck and adjust some tests still remains after this PR. Fixes rust-lang#38899 Fixes rust-lang#53432 Fixes rust-lang#45157 Fixes rust-lang#31567 Fixes rust-lang#27868 Fixes rust-lang#47366 r? @matthewjasper
…hewjasper Rust 2015: No longer downgrade NLL errors As per decision on a language team meeting as described in rust-lang#63565 (comment), in Rust 2015, we refuse to downgrade NLL errors, that AST borrowck accepts, into warnings and keep them as hard errors. The remaining work to throw out AST borrowck and adjust some tests still remains after this PR. Fixes rust-lang#38899 Fixes rust-lang#53432 Fixes rust-lang#45157 Fixes rust-lang#31567 Fixes rust-lang#27868 Fixes rust-lang#47366 r? @matthewjasper
…hewjasper Rust 2015: No longer downgrade NLL errors As per decision on a language team meeting as described in rust-lang#63565 (comment), in Rust 2015, we refuse to downgrade NLL errors, that AST borrowck accepts, into warnings and keep them as hard errors. The remaining work to throw out AST borrowck and adjust some tests still remains after this PR. Fixes rust-lang#38899 Fixes rust-lang#53432 Fixes rust-lang#45157 Fixes rust-lang#31567 Fixes rust-lang#27868 Fixes rust-lang#47366 r? @matthewjasper
There's a way to leak a
&mut
member borrowed from a struct, and then manipulate that member from theDrop
handler -- even while it is immutably borrowed!playground output:
So this drop frees the vec's buffer, then an unrelated string allocation reuses the same memory, and those new values come out of the
vec::Iter
.I think if the member was immutable
&
, then this "leak" frominto_iter()
would be fine since they can both share that reference, andDrop
can't mutate it. But&mut
must be exclusive, of course...The text was updated successfully, but these errors were encountered: