Skip to content

GAT's arent typechecked, and can cause UB #68641

New issue
New issue
Closed
#72788
Closed
GAT's arent typechecked, and can cause UB#68641
#72788
Labels
A-GATsArea: Generic associated types (GATs)C-bugCategory: This is a bug.F-generic_associated_types`#![feature(generic_associated_types)]` a.k.a. GATsI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessT-compilerRelevant to the compiler team, which will review and decide on the PR/issue.requires-nightlyThis issue requires a nightly compiler in some way.
@DutchGhost

Description

@DutchGhost
DutchGhost
opened on Jan 29, 2020

It looks like Generic Associated Types aren't validated on whether the specified type on the impl-side indeed implements the traits as written down in the definition of the associated type.

The following program shows a use-after-free of a String:

#![feature(generic_associated_types)] trait UnsafeCopy { type Item<'a>: Copy; fn copy<'a>(item: &Self::Item<'a>) -> Self::Item<'a> { *item } } impl <T> UnsafeCopy for T { type Item<'a> = T; } fn main() { let mut s = String::from("Hello world!"); let copy = String::copy(&s); // Do we indeed point to the samme memory? assert!(s.as_ptr() == copy.as_ptr()); // Any use of `copy` is certeinly UB after this drop(s); // UB UB UB UB UB!! println!("{}", copy); }

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-GATsArea: Generic associated types (GATs)C-bugCategory: This is a bug.F-generic_associated_types`#![feature(generic_associated_types)]` a.k.a. GATsI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessT-compilerRelevant to the compiler team, which will review and decide on the PR/issue.requires-nightlyThis issue requires a nightly compiler in some way.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions