libarena::TypedArena::alloc_from_iter does not allow for recursive allocations #67001
Labels
C-bug
Category: This is a bug.
I-unsound
Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
P-high
High priority
T-compiler
Relevant to the compiler team, which will review and decide on the PR/issue.
Comments
cjgillot
changed the title
|
Can you split out the fix (presuming it's to TypedArena itself) from the arena code? It sounds like if we're returning wrong pointers this is a "soundness" bug too, since that method is safe; which is not great. Nominating for compiler team so we can hopefully assign someone to investigate a proper fix. |
Mark-Simulacrum
added
T-compiler
bors
added a commit
that referenced
this issue
Dec 3, 2019
Fix TypedArena returning wrong pointers for recursive allocations Closes #67001
|
triage: sounds very bad. has PR. P-high. removing nomination. |
pnkfelix
added
I-unsound
Centril
added a commit
to Centril/rust
that referenced
this issue
Dec 7, 2019
Fix TypedArena returning wrong pointers for recursive allocations Closes rust-lang#67001
Centril
added a commit
to Centril/rust
that referenced
this issue
Dec 8, 2019
Fix TypedArena returning wrong pointers for recursive allocations Closes rust-lang#67001
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
I stumbled on this while debugging #66936
I tried calling
TypedArena::alloc_from_iterwith an iterator which itself allocates on the arena.If that iterator has fixed size (known through
size_hint), the allocation goes in the fast path.In that case, the allocation for the range and the recursive allocations get interlaced.
The returned pointers are wrong, and valid objects get overwritten.
This can lead to undropped objects and infinite loops.
A simple fix has been committed to #66936.
A more intelligent one may be better.
The text was updated successfully, but these errors were encountered: