Skip to content

VecDeque's Drain::drop writes to memory that a shared reference points to #60076

New issue
New issue
Closed
#101299
Closed
VecDeque's Drain::drop writes to memory that a shared reference points to#60076
#101299

Description

@RalfJung

RalfJung
openedon Apr 18, 2019

liballoc's test_drain fails when run in Miri. The error occurs in the drain(...).collect() call:

  • collect is called with a vec_deque::Drain<usize> as argument. Drain contains Iter contains a shared reference to a slice; that slice is thus marked as "must not be mutated for the entire duration of this function call".
  • collect calls from_iter calls extend calls for_each calls fold, which eventually drops the Drain.
  • Drain::drop calls source_deque.wrap_copy to re-arrange stuff (I have not fully understood this yet), and in some cases this will end up writing to memory that the slice in Iter points to.

I am not sure what the best way to fix this is. We have to fix Drain holding (indirectly) a shared reference to something that it'll mutate during its Drop. The mutation is likely there for a reason, so I guess the shared reference has to go. (FWIW, this shared reference already caused other trouble, but that was fixed by #56161.)

Cc @nikomatsakis @gankro

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Assignees

Labels

A-collectionsArea: `std::collection`C-bugCategory: This is a bug.I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessT-libs-apiRelevant to the library API team, which will review and decide on the PR/issue.

Type

No type

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions