Simple: Forgetting to drop FrozenContext will cause use after free
Techcable opened this issue · 1 comments
The pointer to a frozen collector's stack is only guaranteed to be valid for the lifetime of the FrozenContext. We store it in a hashtable.
Ideally, the user would always unfreeze! through the standard API, which causes it to be removed. However, if the user forgets to unfreeze (or runs mem::forget) the frozen context, the old pointer will remain in the set of PersistentRoots even if the underlying memory is freed (or moved).
Right now I actually even have this reflected in the API. If a FrozenContext is ever dropped without unfreezing first, it will panic with a "TODO message".
The code is undergoing temporary insanity 🚧
See also c9d70d8 for the unsafe implementation of freezing simple collectors that we currently use.
When we finally fix this issue, we need to remember to remove all the TODOs in the code (and the FrozenContext destructor that panics).
Fixed after I finished rewriting how collector states. Now the collector owns a boxed reference to the raw context, and the SimpleCollectorContexts unregister on drop. Worst case we never unregister and leak a reference to the context. This will deadlock any future collections, but it is technically safe.
I finished these changes around 7db75a1.
This is even less of an issue after I removed the unsound frozen roots.
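The two designs discussed in this thread, side by side, as an added example that is not zerogc's own code: a registry of raw pointers guarded only by a panicking destructor (which mem::forget skips, leaving a dangling entry), beside a registry of counted references whose handles unregister on drop and which, if forgotten, leaks the context and stalls later collections instead of dangling. RawContext, RawRegistry, Collector, CollectorContext, try_collect and the at_safepoint flag are simplified stand-ins assumed here for illustration.

```rust
use std::cell::{Cell, RefCell};
use std::collections::HashSet;
use std::mem;
use std::rc::Rc;

/// Stand-in for a collector's per-thread context: the roots it would scan.
pub struct RawContext {
    pub roots: Vec<usize>,
    pub at_safepoint: Cell<bool>,
}

// ---- Old design: a set of raw pointers to caller-owned contexts ----------------
pub struct RawRegistry {
    frozen: RefCell<HashSet<*const RawContext>>,
}
impl RawRegistry {
    pub fn new() -> Self { RawRegistry { frozen: RefCell::new(HashSet::new()) } }
    pub fn frozen_count(&self) -> usize { self.frozen.borrow().len() }
}

pub struct FrozenContext<'a> {
    registry: &'a RawRegistry,
    ptr: *const RawContext,
    unfrozen: bool,
}
impl<'a> FrozenContext<'a> {
    pub fn freeze(registry: &'a RawRegistry, ctx: &RawContext) -> Self {
        registry.frozen.borrow_mut().insert(ctx as *const RawContext);
        FrozenContext { registry, ptr: ctx as *const RawContext, unfrozen: false }
    }
    pub fn unfreeze(mut self) {
        self.registry.frozen.borrow_mut().remove(&self.ptr);
        self.unfrozen = true;
    }
}
impl Drop for FrozenContext<'_> {
    // The only guard is a panic on drop-without-unfreeze; mem::forget skips it entirely.
    fn drop(&mut self) { assert!(self.unfrozen, "FrozenContext dropped without unfreezing"); }
}

/// Returns how many registry entries now point at freed stack memory.
pub fn dangling_after_forget(registry: &RawRegistry) -> usize {
    {
        let ctx = RawContext { roots: vec![1, 2, 3], at_safepoint: Cell::new(true) };
        mem::forget(FrozenContext::freeze(registry, &ctx)); // no drop, no panic, no removal
    } // ctx is freed here, but its address is still in the set
    registry.frozen_count() // scanning any of these pointers would be a use after free
}

// ---- New design: the collector holds a counted reference; handles unregister on drop ----
pub struct Collector {
    contexts: RefCell<Vec<Rc<RawContext>>>,
}
#[derive(Debug, PartialEq)] pub enum CollectError { ContextNotAtSafepoint }

impl Collector {
    pub fn new() -> Self { Collector { contexts: RefCell::new(Vec::new()) } }
    pub fn registered(&self) -> usize { self.contexts.borrow().len() }
    /// Scan every registered context. Memory-safe whatever the caller did: the Rc keeps a
    /// context alive for as long as it is registered. A context that never reaches a
    /// safepoint stalls collection instead of being freed underneath the scan.
    pub fn try_collect(&self) -> Result<usize, CollectError> {
        let contexts = self.contexts.borrow();
        if contexts.iter().any(|c| !c.at_safepoint.get()) {
            return Err(CollectError::ContextNotAtSafepoint);
        }
        let scanned: usize = contexts.iter().map(|c| c.roots.len()).sum();
        contexts.iter().for_each(|c| c.at_safepoint.set(false)); // each must check in again
        Ok(scanned)
    }
}

pub struct CollectorContext<'a> {
    collector: &'a Collector,
    inner: Rc<RawContext>,
}
impl<'a> CollectorContext<'a> {
    pub fn new(collector: &'a Collector, roots: Vec<usize>) -> Self {
        let inner = Rc::new(RawContext { roots, at_safepoint: Cell::new(false) });
        collector.contexts.borrow_mut().push(Rc::clone(&inner));
        CollectorContext { collector, inner }
    }
    pub fn safepoint(&self) { self.inner.at_safepoint.set(true); }
}
impl Drop for CollectorContext<'_> {
    fn drop(&mut self) {
        self.collector.contexts.borrow_mut().retain(|c| !Rc::ptr_eq(c, &self.inner));
    }
}

/// Forget a context that never reached a safepoint: it stays registered (a leak) and
/// every later collection fails, but nothing dangles.
pub fn leak_instead_of_uaf(collector: &Collector) -> (usize, Result<usize, CollectError>) {
    mem::forget(CollectorContext::new(collector, vec![7, 8]));
    (collector.registered(), collector.try_collect())
}
```

The point the second half makes is that leaking is safe Rust: mem::forget, an Rc cycle or process::exit can all skip a destructor without any unsafe code, so a panicking Drop is a useful debug check but never a soundness guarantee. Anything whose validity depends on unregistration therefore has to be kept alive by the registry itself, and the worst case has to degrade to a leak (here, a permanently failing try_collect) rather than a dangling pointer.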