This repository was archived by the owner on May 10, 2022. It is now read-only.
This repository was archived by the owner on May 10, 2022. It is now read-only.
Queue<T> should have a Send bound on its Send/Sync traits #1
Description
Hi there, we (Rust group @sslab-gatech) are scanning crates on crates.io for potential soundness bugs. We noticed that the Queue object implements Send and Sync unconiditionally:
rust-scottqueue/src/tlqueue.rs
Lines 27 to 28 in 875491d
However, this should probably be bounded by T: Send in both, otherwise it allows sending types that should never be sent across threads such as Rc or references to cells. You can see an example of such a data-race with cells below:
#![forbid(unsafe_code)]
use scottqueue::tlqueue::Queue;
use std::cell::Cell;
use crossbeam_utils::thread;
// A simple tagged union used to demonstrate problems with data races in Cell.
#[derive(Debug, Clone, Copy)]
enum RefOrInt { Ref(&'static u64), Int(u64) }
static SOME_INT: u64 = 123;
fn main() {
let cell = Cell::new(RefOrInt::Ref(&SOME_INT));
let queue = Queue::new();
queue.push(&cell);
thread::scope(|s| {
s.spawn(|_| {
let smuggled_cell = queue.pop().unwrap();
loop {
// Repeatedly write Ref(&addr) and Int(0xdeadbeef) into the cell.
smuggled_cell.set(RefOrInt::Ref(&SOME_INT));
smuggled_cell.set(RefOrInt::Int(0xdeadbeef));
}
});
loop {
if let RefOrInt::Ref(addr) = cell.get() {
// Hope that between the time we pattern match the object as a
// `Ref`, it gets written to by the other thread.
if addr as *const u64 == &SOME_INT as *const u64 { continue; }
println!("Pointer is now: {:p}", addr);
println!("Dereferencing addr will now segfault: {}", *addr);
}
}
});
}This outputs:
Pointer is now: 0xdeadbeef
Return Code: -11 (SIGSEGV)