Closed
Description
I tried this code:
```rust
#![feature(generators)]
#![feature(generator_clone)]
#![feature(generator_trait)]
#![feature(box_syntax)]

use std::pin::Pin;
use std::ops::Generator;

fn copy<T: Copy>(x: T) -> T { x }

fn main() {
    let mut g = || {
        // This is desugared as 4 stages:
        // - allocate a `*mut u8` with `exchange_malloc`;
        // - create a Box that is ignored for trait computations;
        // - compute fields (and yields);
        // - assign to `t`.
        let t = box (5, yield);
        drop(t);
    };

    // Allocate the temporary box.
    Pin::new(&mut g).resume(());

    // The temporary box is in generator locals.
    // As it is not taken into account for trait computation,
    // the generator is `Copy`.
    let mut h = copy(g);

    // We now have 2 boxes with the same backing allocation:
    // one inside `g` and one inside `h`.
    // Proceed and drop `t` in `g`.
    Pin::new(&mut g).resume(());
    // Proceed and drop `t` in `h` -> double free!
    Pin::new(&mut h).resume(());
}
```
I expected to see this happen: compilation fails.
Instead, this happened: double free
```
   Compiling playground v0.0.1 (/playground)
    Finished dev [unoptimized + debuginfo] target(s) in 0.68s
     Running `target/debug/playground`
free(): double free detected in tcache 2
timeout: the monitored command dumped core
```
Note: if we do not resume the generators after the copy, we get a memory leak.
Meta
rustc version: tested on playground nightly on 2022-11-30.
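A stable-Rust model of the sequence in the report, added here as an illustration; it is not part of the original report or of rustc. `GenState`, `resume`, `run` and the `live` set are hypothetical names, and the second free is detected through the set instead of being executed.

```rust
use std::alloc::{alloc, dealloc, Layout};
use std::collections::HashSet;

const LAYOUT: Layout = Layout::new::<(i32, ())>();

// Hypothetical stand-in for the generator's saved state. The pending
// allocation is a raw pointer, which is `Copy`, so the derive is accepted.
#[derive(Clone, Copy)]
struct GenState { stage: u8, tmp: *mut u8 }

impl GenState {
    // One `resume` step. `live` records outstanding allocations so that a
    // second free is reported as Err(address) and never executed.
    fn resume(&mut self, live: &mut HashSet<usize>) -> Result<(), usize> {
        match self.stage {
            0 => {
                // Allocate the backing memory, then suspend at the `yield`.
                self.tmp = unsafe { alloc(LAYOUT) };
                assert!(!self.tmp.is_null());
                live.insert(self.tmp as usize);
                self.stage = 1;
            }
            1 => {
                // Fill in the fields, bind `t`, then `drop(t)`.
                self.stage = 2;
                if !live.remove(&(self.tmp as usize)) {
                    return Err(self.tmp as usize);
                }
                unsafe {
                    (self.tmp as *mut (i32, ())).write((5, ()));
                    dealloc(self.tmp, LAYOUT);
                }
            }
            _ => {}
        }
        Ok(())
    }
}

// Same sequence as the report: resume, copy, resume both copies.
fn run() -> (bool, bool, bool) {
    let mut live = HashSet::new();
    let mut g = GenState { stage: 0, tmp: std::ptr::null_mut() };
    g.resume(&mut live).unwrap();
    let mut h = g; // bitwise copy: two states, one allocation
    let shared = g.tmp == h.tmp;
    (shared, g.resume(&mut live).is_ok(), h.resume(&mut live).is_err())
}

fn main() { println!("{:?}", run()); }
```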
Labels
- Area: Coroutines
- Category: This is a bug.
- `#![feature(coroutine_clone)]`
- `#![feature(coroutines)]`
- Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
- Relevant to the compiler team, which will review and decide on the PR/issue.
- This issue requires a nightly compiler in some way.