From 70172f3a6474f14c2a66997c4652cb214a0eb0cb Mon Sep 17 00:00:00 2001
From: Oli Scherer
Date: Mon, 22 Jan 2024 12:27:43 +0000
Subject: [PATCH] Add regression test
---
tests/ui/traits/upcast_soundness_bug.rs | 69 +++++++++++++++++++++++++
1 file changed, 69 insertions(+)
create mode 100644 tests/ui/traits/upcast_soundness_bug.rs
diff --git a/tests/ui/traits/upcast_soundness_bug.rs b/tests/ui/traits/upcast_soundness_bug.rs
new file mode 100644
index 0000000000000..32e32850925f7
--- /dev/null
+++ b/tests/ui/traits/upcast_soundness_bug.rs
@@ -0,0 +1,69 @@
+#![feature(trait_upcasting)]
+// known-bug: #120222
+// check-pass
+//! This will segfault at runtime.
+
+pub trait SupSupA {
+ fn method(&self) {}
+}
+pub trait SupSupB {}
+impl SupSupA for T {}
+impl SupSupB for T {}
+
+pub trait Super: SupSupA + SupSupB {}
+
+pub trait Unimplemented {}
+
+pub trait Trait: Super + Super {
+ fn missing_method(&self)
+ where
+ T1: Unimplemented,
+ {
+ }
+}
+
+impl Super for S {}
+
+impl Trait for S {}
+
+#[inline(never)]
+pub fn user1() -> &'static dyn Trait {
+ &()
+ /* VTABLE:
+ .L__unnamed_2:
+ .quad core::ptr::drop_in_place<()>
+ .asciz "\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000"
+ .quad example::SupSupA::method
+ .quad .L__unnamed_4 // SupSupB vtable (pointer)
+ .zero 8 // null pointer for missing_method
+ */
+}
+
+#[inline(never)]
+pub fn user2() -> &'static dyn Trait {
+ &()
+ /* VTABLE:
+ .L__unnamed_3:
+ .quad core::ptr::drop_in_place<()>
+ .asciz "\000\000\000\000\000\000\000\000\001\000\000\000\000\000\000"
+ .quad example::SupSupA::method
+ .quad .L__unnamed_4 // SupSupB vtable (pointer)
+ .quad .L__unnamed_5 // Super vtable (pointer)
+ .zero 8 // null pointer for missing_method
+ */
+}
+
+fn main() {
+ let p: *const dyn Trait = &();
+ let p = p as *const dyn Trait; // <- this is bad!
+ let p = p as *const dyn Super; // <- this upcast accesses improper vtable entry
+ // accessing from L__unnamed_2 the position for the 'Super vtable (pointer)',
+ // thus reading 'null pointer for missing_method'
+
+ let p = p as *const dyn SupSupB; // <- this upcast dereferences (null) pointer from that entry
+ // to read the SupSupB vtable (pointer)
+
+ // SEGFAULT
+
+ println!("{:?}", p);
+}
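Review bot: The header comment `//! This will segfault at runtime.` gives the outcome but not the mechanism, and nothing in the file says that `main` reaches the crash without any `unsafe` block, which is what makes #120222 a soundness hole rather than a misuse. I would extend the header with `//! No unsafe code is used: the raw-pointer cast in main keeps the original vtable, and the following upcasts index it with a different layout.` Because the directive is `// check-pass`, the test only pins that the program is accepted, not that it crashes, and the header should say so for whoever flips the expectation once the cast is rejected. `user1` and `user2` are never called from `main` and appear to exist only to carry the two VTABLE listings, so a line such as `// Not called: kept so both vtable layouts are emitted and can be compared.` above each would keep them from being removed as dead code. The type parameters on the traits and impls look to have been lost in this rendering of the patch, so those lines are not reviewed here.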