Undefined behavior in servo_arc HeaderSlice

Question

Undefined behavior in servo_arc HeaderSlice

brson opened this issue 4 years ago · comments

HeaderSlice constructs and dereferences invalid pointers created from non-pointer integers in from_header_and_iter_alloc.

Here's what miri has to say about it:

error: Undefined Behavior: invalid use of 8 as a pointer
    --> components/servo_arc/lib.rs:716:69
     |                                                                                                                                       
716  |             let fake_ref: &ArcInner<HeaderSlice<H, [T]>> = unsafe { &*fake_ptr };
     |                                                                     ^^^^^^^^^^ invalid use of 8 as a pointer                                |
     = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior                                 = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information                            = note: inside `Arc::<HeaderSlice<HeaderWithLength<u32>, [i32]>>::from_header_and_iter_alloc::<[closure@components/servo_arc/lib.rs:815:1
3: 826:14], std::iter::Empty<i32>>` at components/servo_arc/lib.rs:716:69

Brian Anderson · Answer 1 · Thu Apr 30 2020 08:06:08 GMT+0800 (China Standard Time)

Repro by running:

cargo +nightly-2020-04-10 miri test -p servo_arc -- -Zmiri-disable-isolation

inside the servo_arc directory.

Brian Anderson · Answer 2 · Thu Apr 30 2020 08:08:23 GMT+0800 (China Standard Time)

miri has at least one other issue with this block of code that can be repro'd the same way.

Ralf Jung · Answer 3 · Thu Apr 30 2020 16:22:46 GMT+0800 (China Standard Time)

Yeah, ArcInner is definitely not a ZST, so this code is creating a dangling shared reference, which is UB.