Undetected use after move #18571

pepijndevos · 2014-11-03T14:28:51Z

So I was curious how Drop handles cycles, because this could lead to dangling pointers, which is why __del__ might not be called in Python. And indeed the below example does not call Drop.

But t is moved into u, so why does this compile at all?

struct Test {
    a: int,
    b: Option<Box<Test>>,
}

impl Drop for Test {
    fn drop(&mut self) {
        println!("Dropping {}", self.a);
    }
}

fn stuff() {
    let mut t = Test { a: 1, b: None};
    let mut u = Test { a: 2, b: Some(box t)};    
    t.b = Some(box u);
    println!("done");
}

fn main() {
    stuff();
    println!("Hello, world!")
}

The text was updated successfully, but these errors were encountered:

alexcrichton · 2014-11-03T16:46:56Z

Nominating, seems like a soundness hole.

arielb1 · 2014-11-03T18:03:51Z

This is an issue with zeroing dynamic drops (which are going to be removed: rust-lang/rfcs#320) – when t is moved, its drop flag is cleared, which prevents the destructor of t.b from running.

A clearer example is:

struct Test;

struct Test2 {
    b: Option<Test>,
}

impl Drop for Test {
    fn drop(&mut self) {
        println!("Dropping");
    }
}

#[cfg(leaks)]
impl Drop for Test2 {
    fn drop(&mut self) {}
}

fn stuff() {
    let mut t = Test2 { b: None };
    let u = Test;
    drop(t);
    t.b = Some(u);
}

fn main() {
    stuff();
}

nikomatsakis · 2014-11-06T22:33:05Z

Structs that implement drop are not supposed to be in a partially initialized state. We already prevents moves out from individual fields, but we also need to prevent individual fields from being re-initialized.

cc @zwarich since (iirc?) he was working on the patches that made us more accepting around re-initializing fields and so forth, and maybe this bug is of interest to him.

pnkfelix · 2014-11-06T22:33:31Z

So we are not supposed to allow structs that implement drop to be partially initialized.

We already disallow going from fully-initialized to partially initialized.

But it seems (from the first example) that we missed disallowing going from fully-uninitialized to partially initializd. That needs to be fixed.

Assigning P-backcompat-lang, 1.0.

enumerations that implement the `Drop` trait. This breaks code like: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x.f = ...; } Change this code to not create partially-initialized structures. For example: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x = Struct { f: ..., g: ..., } } Closes rust-lang#18571. [breaking-change]

pnkfelix · 2015-02-08T10:12:10Z

While this will hopefully be fixed soon, as there is a PR up, it seems to have fallen through the cracks as a P-backcompat-lang issue that is only on the 1.0 milestone and not 1.0 beta.

Nominating for 1.0 beta. (Also, I guess I will try to run through and find any other such overlooked issues.)

enumerations that implement the `Drop` trait. This breaks code like: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x.f = ...; } Change this code to not create partially-initialized structures. For example: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x = Struct { f: ..., g: ..., } } Closes rust-lang#18571. [breaking-change] ---- (Joint authorship by pcwalton and Ryman; thanks all!)

enumerations that implement the `Drop` trait. This breaks code like: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x.f = ...; } Change this code to not create partially-initialized structures. For example: struct Struct { f: String, g: String, } impl Drop for Struct { ... } fn main() { let x = Struct { ... }; drop(x); x = Struct { f: ..., g: ..., } } Closes rust-lang#18571. [breaking-change]

pnkfelix · 2015-02-12T21:20:25Z

Assigning 1.0 beta.

borrowck: Prevent partial reinitialization of uninitialized structures This is a pnkfelix-swiped squash of #22079, which was a rebase and revision of #18963 Fixes #18571.

alexcrichton added the I-nominated label Nov 3, 2014

pnkfelix added the P-backcompat-lang label Nov 6, 2014

pnkfelix added this to the 1.0 milestone Nov 6, 2014

pnkfelix removed the I-nominated label Nov 6, 2014

pcwalton mentioned this issue Nov 14, 2014

librustc: Forbid partial reinitialization of uninitialized structures or enumerations that implement the Drop trait. #18963

Closed

sfackler mentioned this issue Nov 30, 2014

Incorrect Allowance Of Assignment Of Moved Variable (NoCopy) #19408

Closed

sfackler mentioned this issue Feb 1, 2015

No error setting fields after a non-Copy struct has moved #21844

Closed

Ryman mentioned this issue Feb 8, 2015

borrowck: Prevent partial reinitialization of uninitialized structures #22079

Closed

pnkfelix added the I-nominated label Feb 8, 2015

pnkfelix mentioned this issue Feb 12, 2015

borrowck: Prevent partial reinitialization of uninitialized structures #22219

Merged

pnkfelix modified the milestones: 1.0 beta, 1.0 Feb 12, 2015

pnkfelix removed the I-nominated label Feb 12, 2015

pnkfelix self-assigned this Feb 12, 2015

bors closed this as completed in #22219 Feb 13, 2015

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Undetected use after move #18571

Undetected use after move #18571

pepijndevos commented Nov 3, 2014

alexcrichton commented Nov 3, 2014

arielb1 commented Nov 3, 2014

nikomatsakis commented Nov 6, 2014

pnkfelix commented Nov 6, 2014

pnkfelix commented Feb 8, 2015

pnkfelix commented Feb 12, 2015

Undetected use after move #18571

Undetected use after move #18571

Comments

pepijndevos commented Nov 3, 2014

alexcrichton commented Nov 3, 2014

arielb1 commented Nov 3, 2014

nikomatsakis commented Nov 6, 2014

pnkfelix commented Nov 6, 2014

pnkfelix commented Feb 8, 2015

pnkfelix commented Feb 12, 2015