
Segfault (use-after-free) in ty::lookup_field_type when pattern-matching structs #3215

Closed

Description

@bblum

In very lucky situations (dependent on file size, file name, comments, compiler flags), when compiling a struct pattern, rustc will segfault outright. In all situations, it will use-after-free.

Run rustc under valgrind on this code:

// #1: "x: T" produces 3x invalid reads.
// #2: "x: ()" produces 1x invalid read (only the first one listed).
// #3: Making everything monomorphic at "()" is the same as #2.
struct Crash<T> { x: T; }

fn unwrap_crash<T>(+c: Crash<T>) {
    let Crash { x: _ } = c;
    // Exactly the same with: match c { Crash { x: _ } => { } }
    // If you write "Crash { _ }" it doesn't do any invalid reads
}

fn main() { } 

You should see:

==26425== Invalid read of size 8
==26425==    at 0x691AB35: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==    by 0x6AAFA5E: middle::typeck::check::alt::check_pat
==26425==    by 0x6AA7188: _ZN6middle6typeck5check3alt9check_alt4anonE410
==26425==    by 0x6B42D96: middle::typeck::check::check_expr_with_unifier
==26425==  Address 0xa4ae580 is 32 bytes inside a block of size 56 free'd
==26425== 
==26425== Invalid read of size 8
==26425==    at 0x6A22C6A: middle::ty::subst::do_subst
==26425==    by 0x691AB62: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==    by 0x6AAFA5E: middle::typeck::check::alt::check_pat
==26425==    by 0x6AA7188: _ZN6middle6typeck5check3alt9check_alt4anonE410
==26425==    by 0x6B42D96: middle::typeck::check::check_expr_with_unifier
==26425==  Address 0xa4ae580 is 32 bytes inside a block of size 56 free'd
==26425== 
==26425== Invalid read of size 8
==26425==    at 0x6A22C74: middle::ty::subst::do_subst
==26425==    by 0x691AB62: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==    by 0x6AAFA5E: middle::typeck::check::alt::check_pat
==26425==    by 0x6AA7188: _ZN6middle6typeck5check3alt9check_alt4anonE410
==26425==    by 0x6B42D96: middle::typeck::check::check_expr_with_unifier
==26425==  Address 0xa4ae590 is 48 bytes inside a block of size 56 free'd
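An added triage helper, not part of the report or of rustc: it parses memcheck records like the ones above and groups the invalid reads by the freed allocation they land in, so that reads at offsets 32 and 48 of the same 56-byte block resolve to one use-after-free with the caller every read shares (here lookup_field_type). SAMPLE_LOG is constructed from the output above, cut to three frames per record.

```python
import re
from collections import defaultdict
# Constructed sample: the memcheck records quoted above, cut to three frames each.
SAMPLE_LOG = """\
==26425== Invalid read of size 8
==26425==    at 0x691AB35: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==    by 0x6AAFA5E: middle::typeck::check::alt::check_pat
==26425==  Address 0xa4ae580 is 32 bytes inside a block of size 56 free'd
==26425== Invalid read of size 8
==26425==    at 0x6A22C6A: middle::ty::subst::do_subst
==26425==    by 0x691AB62: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==  Address 0xa4ae580 is 32 bytes inside a block of size 56 free'd
==26425== Invalid read of size 8
==26425==    at 0x6A22C74: middle::ty::subst::do_subst
==26425==    by 0x691AB62: middle::ty::subst
==26425==    by 0x68DEFE6: middle::ty::lookup_field_type
==26425==  Address 0xa4ae590 is 48 bytes inside a block of size 56 free'd
"""

HEADER = re.compile(r"^==\d+== Invalid (read|write) of size (\d+)$")
FRAME = re.compile(r"^==\d+==\s+(?:at|by) 0x[0-9A-Fa-f]+: (\S+)")
FREED = re.compile(r"^==\d+==\s+Address 0x([0-9a-f]+) is (\d+) bytes inside a block of size (\d+) free'd")

def parse_records(log):
    """Yield one dict per invalid access that lands inside a freed block."""
    rec = None
    for line in log.splitlines():
        if m := HEADER.match(line):
            rec = {"kind": m[1], "size": int(m[2]), "frames": []}
        elif rec is not None and (m := FRAME.match(line)):
            rec["frames"].append(m[1])
        elif rec is not None and (m := FREED.match(line)):
            off, size = int(m[2]), int(m[3])
            rec.update(block_start=int(m[1], 16) - off, offset=off, block_size=size)
            yield rec
            rec = None  # ignore the "free'd at" stack that follows in real logs

def group_by_freed_block(log):
    """Group accesses by the freed allocation they hit and keep the frames common to all of them."""
    blocks = defaultdict(list)
    for rec in parse_records(log):
        blocks[(rec["block_start"], rec["block_size"])].append(rec)
    report = {}
    for key, recs in blocks.items():
        common = set.intersection(*(set(r["frames"]) for r in recs))
        report[key] = {"accesses": len(recs), "offsets": sorted({r["offset"] for r in recs}),
                       "shared_frames": [f for f in recs[0]["frames"] if f in common]}
    return report
```

The block key is the start address of the freed allocation (access address minus offset), so the report above collapses to a single 56-byte object at 0xa4ae560 read three times after its free.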

Labels: I-ICE, I-crash