Soundness issue in swc_visit #8817

Closed
mmastrac opened this issue Apr 5, 2024 · 1 comment
mmastrac commented Apr 5, 2024

swc_visit has a soundness issue, detected by miri. In Map<T>, a reference to a "forgotten" self is kept. This reference is no longer valid when we try to use it as a pointer. While it is likely this works in most cases, there's a chance the compiler may optimize this into code that causes a crash. Instead, Box::into_raw should be used to get a pointer soundly.

Miri error:

```
error: Undefined Behavior: attempting a read access using <6189435> at alloc1599974[0x0], but that tag does not exist in the borrow stack for this location
   --> /Users/matt/.cargo/registry/src/index.crates.io-6f17d22bba15001f/swc_visit-0.5.11/src/util/map.rs:29:29
    |
29  |             ptr::write(p, f(ptr::read(p)));
    |                             ^^^^^^^^^^^^
    |                             |
    |                             attempting a read access using <6189435> at alloc1599974[0x0], but that tag does not exist in the borrow stack for this location
    |                             this error occurs as part of an access at alloc1599974[0x0..0x60]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <6189435> was created by a SharedReadWrite retag at offsets [0x0..0x60]
   --> src/transpiling/mod.rs:403:7
    |
```

Likely fix:

```rust
use std::ptr;

impl<T> Map<T> for Box<T> {
    fn map<F>(self, f: F) -> Self
    where
        F: FnOnce(T) -> T,
    {
        // Leak self in case of panic.
        let p = Box::into_raw(self);

        unsafe {
            ptr::write(p, f(ptr::read(p)));

            // Recreate self from the raw pointer.
            Box::from_raw(p)
        }
    }
}
```
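
The `Box::into_raw` approach from the comment above, as an added example that is not swc's code: a free function `map_box` (a hypothetical name) plus a drop counter that checks the value is dropped exactly once on both the normal path and the path where `f` panics. The commented-out unsound shape is an assumption about the pattern the issue describes, and `Counted`, `normal_path` and `panic_path` are constructed for the demonstration.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::ptr;
use std::sync::atomic::{AtomicUsize, Ordering};

// Assumed shape of the unsound pattern the issue describes (comment only, never run):
//     let p = &mut *b as *mut T; // raw pointer derived from a borrow of `b`
//     std::mem::forget(b);       // moving the Box invalidates that borrow's tag
//     ptr::read(p)               // Miri: tag does not exist in the borrow stack

/// Hypothetical free-function form of the fix: `p` comes from `Box::into_raw`,
/// so it carries ownership of the allocation and no stale borrow is involved.
pub fn map_box<T, F: FnOnce(T) -> T>(b: Box<T>, f: F) -> Box<T> {
    let p = Box::into_raw(b);
    unsafe {
        // If `f` panics, `p` is never freed: the allocation leaks, and the
        // value moved into `f` is dropped by unwinding exactly once.
        ptr::write(p, f(ptr::read(p)));
        Box::from_raw(p)
    }
}

/// Constructed test type that counts how many times it is dropped.
pub struct Counted<'a>(pub u32, pub &'a AtomicUsize);
impl Drop for Counted<'_> {
    fn drop(&mut self) {
        self.1.fetch_add(1, Ordering::SeqCst);
    }
}

/// Returns (mapped value, drops during `map_box`, drops after the Box is released).
pub fn normal_path() -> (u32, usize, usize) {
    let drops = AtomicUsize::new(0);
    let b = map_box(Box::new(Counted(1, &drops)), |mut c| { c.0 += 41; c });
    let (value, during) = (b.0, drops.load(Ordering::SeqCst));
    drop(b);
    (value, during, drops.load(Ordering::SeqCst))
}

/// Returns (did the call panic, drop count afterwards) when `f` panics.
pub fn panic_path() -> (bool, usize) {
    let drops = AtomicUsize::new(0);
    let r = catch_unwind(AssertUnwindSafe(|| {
        map_box(Box::new(Counted(1, &drops)), |c| { if c.0 == 1 { panic!("f failed"); } c });
    }));
    (r.is_err(), drops.load(Ordering::SeqCst))
}

fn main() {
    println!("{:?} {:?}", normal_path(), panic_path());
}
```

Running the same functions under `cargo miri run` is how a borrow-stack violation like the one reported here would surface.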
kdy1 added this to the Planned milestone Apr 7, 2024
kdy1 closed this as completed in dc04657 Apr 9, 2024
kdy1 modified the milestones: Planned, v1.4.13 Apr 9, 2024
swc-bot commented May 9, 2024

This closed issue has been automatically locked because it had no new activity for a month. If you are running into a similar issue, please create a new issue with the steps to reproduce. Thank you.

swc-project locked as resolved and limited conversation to collaborators May 9, 2024