Skip to content

libarena::TypedArena::alloc_from_iter does not allow for recursive allocations #67001

New issue
New issue
Closed
#67003
Closed
libarena::TypedArena::alloc_from_iter does not allow for recursive allocations#67001
#67003
Labels
C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityT-compilerRelevant to the compiler team, which will review and decide on the PR/issue.
@cjgillot

Description

@cjgillot
cjgillot
opened on Dec 3, 2019

I stumbled on this while debugging #66936

I tried calling TypedArena::alloc_from_iter with an iterator which itself allocates on the arena.
If that iterator has fixed size (known through size_hint), the allocation goes in the fast path.
In that case, the allocation for the range and the recursive allocations get interlaced.
The returned pointers are wrong, and valid objects get overwritten.
This can lead to undropped objects and infinite loops.

A simple fix has been committed to #66936.
A more intelligent one may be better.

Metadata

Metadata

Assignees

No one assigned

    Labels

    C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-highHigh priorityT-compilerRelevant to the compiler team, which will review and decide on the PR/issue.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions