UB dropping slice_deque::IntoIter containing dangling items #93

dtolnay opened this issue May 22, 2021 · 0 comments

dtolnay commented May 22, 2021

Inside this Drop impl:

slice_deque/src/lib.rs

Lines 2454 to 2458 in 045fb28

```rust
unsafe impl<#[may_dangle] T> Drop for IntoIter<T> {
    #[inline]
    fn drop(&mut self) {
        // destroy the remaining elements
        for _x in self.by_ref() {}
```

those _x are of type T, based on:

slice_deque/src/lib.rs

Lines 2363 to 2364 in 045fb28

```rust
impl<T> Iterator for IntoIter<T> {
    type Item = T;
```

However T is may_dangle, so it's UB to touch/pass/return an object of that type by value. Check out rust-lang/unsafe-code-guidelines#283.

Here is an example of code that triggers the problem. We have a SliceDeque<&usize> and drop its IntoIter, which ends up with _x: &'dangling usize inside of that Drop impl.

```rust
use slice_deque::SliceDeque;

fn main() {
    let _iter;
    let x = Box::new(0usize);
    let mut deque = SliceDeque::new();
    deque.push_back(&*x);
    _iter = deque.into_iter();

    // x is dropped
    // then _iter is dropped
}
```
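
One way to destroy the remaining elements without ever producing a `T` by value, as an added example (not code from slice_deque or from the issue author): drop the unread range in place through a raw slice pointer. `OwningIter`, `Noisy` and `drops_after_partial_iteration` are hypothetical names, the buffer is a plain `Vec` rather than a `SliceDeque`, and `#[may_dangle]` is left off the impl so the block builds on stable Rust.

```rust
use std::{cell::Cell, ptr, rc::Rc};

/// Hypothetical owning iterator over a Vec-backed buffer.
pub struct OwningIter<T> {
    buf: Vec<T>, // len is kept at 0, so Vec's own Drop only frees the allocation
    head: usize, // elements in [head, tail) are still initialized
    tail: usize,
}

impl<T> OwningIter<T> {
    pub fn new(mut v: Vec<T>) -> Self {
        let tail = v.len();
        unsafe { v.set_len(0) }; // the iterator now owns the elements
        OwningIter { buf: v, head: 0, tail }
    }
}

impl<T> Iterator for OwningIter<T> {
    type Item = T;
    fn next(&mut self) -> Option<T> {
        if self.head == self.tail { return None; }
        self.head += 1;
        Some(unsafe { ptr::read(self.buf.as_ptr().add(self.head - 1)) })
    }
}

// Under `#[may_dangle] T` this body must not call `next()`, which moves a T out.
impl<T> Drop for OwningIter<T> {
    fn drop(&mut self) {
        let start = unsafe { self.buf.as_mut_ptr().add(self.head) };
        let rest = ptr::slice_from_raw_parts_mut(start, self.tail - self.head);
        self.head = self.tail; // mark empty before any destructor runs
        unsafe { ptr::drop_in_place(rest) }; // runs drop glue only, no T by value
    }
}
struct Noisy(Rc<Cell<usize>>); // constructed test type that counts its drops
impl Drop for Noisy {
    fn drop(&mut self) { self.0.set(self.0.get() + 1); }
}
// Returns (drops before, drops after) dropping a partly consumed iterator.
pub fn drops_after_partial_iteration() -> (usize, usize) {
    let count = Rc::new(Cell::new(0));
    let mut it = OwningIter::new((0..3).map(|_| Noisy(count.clone())).collect());
    drop(it.next()); // the caller consumes one element by value
    let before = count.get();
    drop(it); // the remaining two are dropped in place
    (before, count.get())
}
fn main() { println!("{:?}", drops_after_partial_iteration()); }
```

For an element type without drop glue, such as the `&usize` in the issue's reproducer, `drop_in_place` on the remaining slice does nothing, so the dangling references are never read.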