Double free in Vec::from_iter specialization when drop panics #83618
Comments
Thanks, I totally didn't consider that case! The question is whether it is necessary to attempt to drop the stuff moved to output vec or whether we can leak those too.

@rustbot claim

Assigning
…r=m-ou-se

Fix double-drop in `Vec::from_iter(vec.into_iter())` specialization when items drop during panic

This fixes the double-drop but it leaves a behavioral difference compared to the default implementation intact: In the default implementation the source and the destination vec are separate objects, so they get dropped separately. Here they share an allocation and the latter only exists as a pointer into the former. So if dropping the former panics then this fix will leak more items than the default implementation would.

Is this acceptable or should the specialization also mimic the default implementation's drops-during-panic behavior?

Fixes rust-lang#83618

`@rustbot` label T-libs-impl
rust/library/alloc/src/vec/source_iter_marker.rs
Lines 71 to 72 in 4a20eb6
rust/library/alloc/src/vec/into_iter.rs
Lines 88 to 93 in 4a20eb6
`SpecFromIter<T, I> for Vec<T>` calls `Vec::IntoIter::drop_remaining()`. `.drop_remaining()` calls `drop_in_place()` before overwriting the pointer. As a result, dropped elements are not invalidated and dropped again under panic.

PoC:
Output:
Tested with `rustc 1.51.0`. Here is a playground link to the code snippet.
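The ordering problem described in the issue above, shown in its hardened form as an added example (this is not code from the issue, the fix PR, or the Rust standard library): the live range is marked empty before `drop_in_place()` runs, so a destructor that panics cannot leave already-dropped elements reachable when the owner is dropped again during unwinding. `Remaining`, `Noisy` and `drop_counts_after_panic` are hypothetical names, and the live range is modelled with an index instead of raw `ptr`/`end` pointers.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};
use std::{cell::Cell, mem::ManuallyDrop, ptr};

// Hypothetical stand-in for an iterator that owns its not-yet-yielded items.
struct Remaining<T> {
    items: Vec<ManuallyDrop<T>>, // storage only; elements are dropped by hand
    start: usize,                // items[start..] are still live
}

impl<T> Remaining<T> {
    fn new(v: Vec<T>) -> Self {
        Remaining { items: v.into_iter().map(ManuallyDrop::new).collect(), start: 0 }
    }
    // Mark the live range empty *before* running any destructor.
    fn drop_remaining(&mut self) {
        let len = self.items.len() - self.start;
        let first = unsafe { self.items.as_mut_ptr().add(self.start) }.cast::<T>();
        self.start = self.items.len(); // invalidate first, then drop
        unsafe { ptr::drop_in_place(ptr::slice_from_raw_parts_mut(first, len)) }
    }
}

impl<T> Drop for Remaining<T> {
    fn drop(&mut self) {
        self.drop_remaining(); // runs again during unwinding; must find nothing
    }
}

// Constructed test element: counts its drops and optionally panics in drop.
struct Noisy<'a> { drops: &'a Cell<u32>, panics: bool }
impl Drop for Noisy<'_> {
    fn drop(&mut self) {
        self.drops.set(self.drops.get() + 1);
        if self.panics { panic!("constructed panic in drop"); }
    }
}

// Returns how many times each of three elements was dropped.
fn drop_counts_after_panic() -> Vec<u32> {
    let counts = [Cell::new(0u32), Cell::new(0u32), Cell::new(0u32)];
    let _ = catch_unwind(AssertUnwindSafe(|| {
        let mut it = Remaining::new(
            (0..3).map(|i| Noisy { drops: &counts[i], panics: i == 0 }).collect());
        it.drop_remaining(); // the first element panics while being dropped
    }));
    counts.iter().map(|c| c.get()).collect()
}
fn main() { println!("{:?}", drop_counts_after_panic()); }
```

If the assignment to `self.start` were moved after `drop_in_place()`, the `Drop` impl would see the full range again during unwinding, which is the double-drop ordering the issue describes.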