dropck combined with type erasure allows use after free 

While I was trying attempting (and failing) to implement pythonesque's suggestion of using dropck to ensure that cycles were not visible from the destructors of any of the contained objects (thus allowing cycles and a cycle collector without the possibility of deref ever failing), I came across a situation (explicitly including a type-erased box in the structure) that seemed like it really _should_ cause the compiler to enforce what I wanted it to, and that it was being overly permissive.

I have now created a test case that shows that this can, indeed, be used to obtain incorrect behavior. Specifically, this code...

``` rust
use std::cell::RefCell;

struct VecHolder {
    v: Vec<u32>,
}

impl Drop for VecHolder {
    fn drop(&mut self) {
        println!("Dropping Vec");
    }
}

struct Container<'a> {
    v: VecHolder,
    d: RefCell<Vec<Box<Drop+'a>>>,
}

impl<'a> Container<'a> {
    fn new() -> Container<'a> {
        Container{d: RefCell::new(Vec::new()), v: VecHolder{v: vec![42; 100]}}
    }

    fn store<T: 'a+Drop>(&'a self, val: T) {
        self.d.borrow_mut().push(Box::new(val));
    }
}

struct Test<'a> {
    test: &'a Container<'a>,
}

impl<'a> Drop for Test<'a> {
    fn drop(&mut self) {
        println!("Val from Vec: {}", self.test.v.v[30]);
    }
}

fn main() {
    let container = Container::new();
    let test = Test{test: &container};
    container.store(test);
}
```

will reliably output the following:

```
Dropping Vec
Val from Vec: 42
```

You can see it in action [on the playpen](https://play.rust-lang.org/?code=use%20std%3A%3Acell%3A%3ARefCell%3B%0A%0Astruct%20VecHolder%20%7B%0A%09v%3A%20Vec%3Cu32%3E%2C%0A%7D%0A%0Aimpl%20Drop%20for%20VecHolder%20%7B%0A%09fn%20drop%28%26mut%20self%29%20%7B%0A%09%09println!%28%22Dropping%20Vec%22%29%3B%0A%09%7D%0A%7D%0A%0Astruct%20Container%3C'a%3E%20%7B%0A%09v%3A%20VecHolder%2C%0A%09d%3A%20RefCell%3CVec%3CBox%3CDrop%2B'a%3E%3E%3E%2C%0A%7D%0A%0Aimpl%3C'a%3E%20Container%3C'a%3E%20%7B%0A%09fn%20new%28%29%20-%3E%20Container%3C'a%3E%20%7B%0A%09%09Container%7Bd%3A%20RefCell%3A%3Anew%28Vec%3A%3Anew%28%29%29%2C%20v%3A%20VecHolder%7Bv%3A%20vec!%5B42%3B%20100%5D%7D%7D%0A%09%7D%0A%0A%09fn%20store%3CT%3A%20'a%2BDrop%3E%28%26'a%20self%2C%20val%3A%20T%29%20%7B%0A%09%09self.d.borrow_mut%28%29.push%28Box%3A%3Anew%28val%29%29%3B%0A%09%7D%0A%7D%0A%0Astruct%20Test%3C'a%3E%20%7B%0A%09test%3A%20%26'a%20Container%3C'a%3E%2C%0A%7D%0A%0Aimpl%3C'a%3E%20Drop%20for%20Test%3C'a%3E%20%7B%0A%09fn%20drop%28%26mut%20self%29%20%7B%0A%09%09println!%28%22Val%20from%20Vec%3A%20%7B%7D%22%2C%20self.test.v.v%5B30%5D%29%3B%0A%09%7D%0A%7D%0A%0Afn%20main%28%29%20%7B%0A%09let%20container%20%3D%20Container%3A%3Anew%28%29%3B%0A%09let%20test%20%3D%20Test%7Btest%3A%20%26container%7D%3B%0A%09container.store%28test%29%3B%0A%7D&version=beta).


Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

dropck combined with type erasure allows use after free #25199

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

dropck combined with type erasure allows use after free #25199

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions