I know that probably wont be of much help but I just got such an abort message with ra:
free(): invalid next size (fast)
It happened after I removed a dependency from my Cargo.toml
We do have some unsafe trickery with regards to how we store syntax trees in Rowan using ThinDST, my initial concern would be that. I'll a attempt to run with a sanitizer and reproduce later. Thanks for the tip
I've been unable to reproduce so far, but if you can boil it down to a reproducible test case I'll gladly investigate further.
I've been unable to reproduce as well. It seems that the scenario requires a very specific chain of actions for this to trigger.
Do you plan on getting rid of unsafe here? I think this could be very much exploitable.
There's only a single place where rust-analyzer fundamentally relies on unsafe -- in the syntax tree implementation.
It is very fancy data structure which requires unsafe to be efficient, and it indeed has quite a few of non-trivail
I believe that the (safe) public interface is sound and implementable, but:
In general, rust-analyzer assume non-hostile environment, security-wise. That is, UB is UB and must be fixed, but we generally don't try extremely hard to guarantee the absence of UB (or other security issues).