Stream: t-compiler/wg-rls-2.0

Topic: heap corruption/double free/invalid pointer free bug

Leo Le Bouter (Jan 11 2020 at 02:22, on Zulip):

I know that probably wont be of much help but I just got such an abort message with ra:

free(): invalid next size (fast)

It happened after I removed a dependency from my Cargo.toml

Emil Lauridsen (Jan 11 2020 at 09:04, on Zulip):

We do have some unsafe trickery with regards to how we store syntax trees in Rowan using ThinDST, my initial concern would be that. I'll a attempt to run with a sanitizer and reproduce later. Thanks for the tip

Emil Lauridsen (Jan 11 2020 at 11:40, on Zulip):

I've been unable to reproduce so far, but if you can boil it down to a reproducible test case I'll gladly investigate further.

Leo Le Bouter (Jan 11 2020 at 15:01, on Zulip):

I've been unable to reproduce as well. It seems that the scenario requires a very specific chain of actions for this to trigger.

Do you plan on getting rid of unsafe here? I think this could be very much exploitable.

matklad (Jan 11 2020 at 15:17, on Zulip):

There's only a single place where rust-analyzer fundamentally relies on unsafe -- in the syntax tree implementation.

It is very fancy data structure which requires unsafe to be efficient, and it indeed has quite a few of non-trivail unsafe block.

I believe that the (safe) public interface is sound and implementable, but:

matklad (Jan 11 2020 at 15:23, on Zulip):

In general, rust-analyzer assume non-hostile environment, security-wise. That is, UB is UB and must be fixed, but we generally don't try extremely hard to guarantee the absence of UB (or other security issues).

Last update: Jan 21 2020 at 08:20UTC