fix(allocator): fix unsound lifetime extension in Box::new_in#23685
Merging this PR will not alter performance
Pull request overview
Fixes a soundness hole in oxc_allocator::Box::new_in by correctly tying the returned Box<'alloc, T> lifetime to the borrow of the Allocator, preventing callers from constructing arena-backed boxes that outlive their allocator (and thus avoiding potential use-after-free).
Changes:
- Update `Box::new_in` signature to take `&'alloc Allocator`, constraining the returned `Box` lifetime to the allocator's lifetime.
- Expand rustdoc for `Box::new_in` with a `compile_fail` example demonstrating the intended lifetime restriction.
Fix unsoundness in `Box::new_in`.
`Box::new_in` had this signature:
```rust
impl<T> Box<'_, T> {
    pub fn new_in(value: T, allocator: &Allocator) -> Self {
        Self(NonNull::from(allocator.alloc(value)), PhantomData)
    }
}
```
The returned `Box<'alloc, T>`'s lifetime `'alloc` and the `&Allocator` borrow were two independent, unconstrained lifetimes. Nothing tied them together, so the caller was free to choose any `'alloc` - including one that outlives the allocator. In effect you could mint a `Box<'static, T>` from a temporary `Allocator`:
```rust
let boxed = {
    let allocator = Allocator::default();
    Box::new_in(5, &allocator) // returns Box<'_, i32> with a lifetime unrelated to `allocator`
}; // `allocator` dropped here, freeing the backing memory
assert_eq!(*boxed, 5); // use after free
```
Fix by tying the 2 lifetimes together.
```rust
impl<'alloc, T> Box<'alloc, T> {
    pub fn new_in(value: T, allocator: &'alloc Allocator) -> Self { ... }
}
```
This bug crept in in #2943 and has gone unnoticed since - largely because we rarely use `Box::new_in` directly, and `AstBuilder::alloc` was correctly providing a tighter lifetime bound.
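As an added example (not code from oxc or from this PR), here is a toy arena whose box type carries the fixed `new_in` signature, with the `compile_fail` doctest the PR describes and a sound use that can be run. `Allocator`, `ArenaBox`, `sum_in_arena` and the crate name `arena_demo` are names assumed for this illustration only.

```rust
use std::{cell::RefCell, marker::PhantomData, ops::Deref, ptr::NonNull};

/// Toy stand-in for `oxc_allocator::Allocator` (constructed here): boxes each value, frees all on drop.
#[derive(Default)]
pub struct Allocator { live: RefCell<Vec<(*mut u8, unsafe fn(*mut u8))>> }

impl Allocator {
    pub fn alloc<T>(&self, value: T) -> &mut T {
        unsafe fn free<U>(p: *mut u8) { unsafe { drop(Box::from_raw(p.cast::<U>())) } }
        let p = Box::into_raw(Box::new(value));
        self.live.borrow_mut().push((p.cast::<u8>(), free::<T> as unsafe fn(*mut u8)));
        // SAFETY: `p` is freed only in `Drop`, so it outlives the `&self` borrow.
        unsafe { &mut *p }
    }
}

impl Drop for Allocator {
    fn drop(&mut self) {
        // SAFETY: each pointer came from `Box::into_raw` with the same `T` as its `free`.
        for (p, free) in self.live.get_mut().drain(..) { unsafe { free(p) } }
    }
}

/// Arena box with the PR's fixed signature: `'alloc` *is* the borrow of the allocator.
pub struct ArenaBox<'alloc, T>(NonNull<T>, PhantomData<&'alloc mut T>);

impl<'alloc, T> ArenaBox<'alloc, T> {
    /// The escape from the PR description is now rejected at compile time
    /// (this doctest assumes the file is compiled as crate `arena_demo`):
    /// ```compile_fail,E0597
    /// use arena_demo::{Allocator, ArenaBox};
    /// let boxed = { let a = Allocator::default(); ArenaBox::new_in(5, &a) };
    /// assert_eq!(*boxed, 5); // error[E0597]: `a` does not live long enough
    /// ```
    pub fn new_in(value: T, allocator: &'alloc Allocator) -> Self {
        Self(NonNull::from(allocator.alloc(value)), PhantomData)
    }
}

impl<T> Deref for ArenaBox<'_, T> {
    type Target = T;
    // SAFETY: the pointee lives for all of `'alloc`, and `self` cannot outlive `'alloc`.
    fn deref(&self) -> &T { unsafe { self.0.as_ref() } }
}

/// Sound usage: every box dies before the allocator, so this compiles and reads live memory.
pub fn sum_in_arena(values: &[i32]) -> i32 {
    let allocator = Allocator::default();
    let boxes: Vec<_> = values.iter().map(|&v| ArenaBox::new_in(v, &allocator)).collect();
    boxes.iter().map(|b| **b).sum()
}
```

With the old, untied signature the doctest body would compile and read freed memory; with the tied lifetime the borrow checker stops it before it can run.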
### 💥 BREAKING CHANGES
- 94fbacb ast: [**BREAKING**] Only export `AstBuilder` and `NONE` in `builder` module (#23876) (overlookmotel)
- 8de5122 ecmascript: [**BREAKING**] Switch to new `AstBuilder` (#23834) (overlookmotel)
- dc0ef38 transformer: [**BREAKING**] Switch to new `AstBuilder` (#23831) (overlookmotel)
- 88f4455 str: [**BREAKING**] `Str` and `Ident` methods take `&GetAllocator` (#23781) (overlookmotel)
- 36009dd allocator: [**BREAKING**] `GetAllocator::allocator` take `&self` (#23676) (overlookmotel)
- bd74f9d allocator: [**BREAKING**] Rename `AllocatorAccessor` trait to `GetAllocator` (#23675) (overlookmotel)

### 🚀 Features
- 326fe25 transformer_plugins: Support `typeof` `define` keys (#23605) (Alexander Lichter)
- f2091b3 ast: Unify old and new `AstBuilder`s (#23875) (overlookmotel)
- cd1fd12 codegen: Expose `Codegen::print_string` API (#23785) (camc314)
- 785461b ast: Add custom builder methods to AST types (#23651) (overlookmotel)
- 05d1357 ast: Add AST creation methods to AST types (#23650) (overlookmotel)
- 2580eda str: Add `Str::from_str_in` and `Ident::from_str_in` methods (#23767) (overlookmotel)
- 6883fcf minifier: Fold write-once falsy var to false in boolean context (#23540) (Dunqing)
- fcbf993 allocator: Add `Vec::from_value_in` method (#23718) (overlookmotel)
- 989ddb7 allocator: Add `Vec::from_box_in` method (#23717) (overlookmotel)
- 9d1aa7f allocator: Improve `PartialEq` for `Vec` (#23716) (overlookmotel)

### 🐛 Bug Fixes
- da0e5bf minifier: Don't reorder a closed-over TDZ read when inlining a var (#23771) (Dunqing)
- 0b3021f allocator: Remove `Vec::from_box_in` (#23873) (overlookmotel)
- 0ab64ec ast: Silence deprecation warnings within files defining deprecated `AstBuilder` methods (#23889) (overlookmotel)
- 8c07cad all: Enable `disable_old_builder` Cargo feature for `oxc_ast` crate in tests (#23888) (overlookmotel)
- 3800f01 ast: Legacy `AstBuilder` methods take `self` not `&self` (#23891) (overlookmotel)
- 869ac20 semantic/cfg: Connect for update exit to loop test (#23791) (camc314)
- d3e92d5 semantic/cfg: Connect while branches from condition exit (#23790) (camc314)
- 025045d ast: `ExportNamedDeclaration` plain builder methods return boxed nodes (#23783) (overlookmotel)
- 7537c58 ast: Fix name of `AstBuilder` method for `Expression::V8IntrinsicExpression` (#23766) (overlookmotel)
- 3f574f5 traverse: Fix unsoundness in `Traverse` walk functions (#23745) (overlookmotel)
- 585760f parser: String in AST reference arena (#23721) (overlookmotel)
- 7231d55 allocator: Fix unsound lifetime extension in `Box::new_in` (#23685) (overlookmotel)

### ⚡ Performance
- d5c916a semantic: Flatten hoisting_variables to avoid per-scope map allocation (#23927) (Lawrence Lin)
- e71609d minifier: Bail member-expr folding before the side-effect walk (#23924) (Lawrence Lin)
- e1f89ab minifier: Reduce string allocations folding addition (#23846) (overlookmotel)
- 9f6ee3b isolated-declarations: Pool scope maps to avoid per-scope alloc/rehash (#23761) (Boshen)
- 0b07c4c semantic: Avoid heap alloc for catch-clause binding ids (#23911) (Lawrence Lin)
- c5eef8b regular_expression: Skip capturing-group pre-parse when pattern has no `(` (#23908) (Lawrence Lin)
- b4f5b4b isolated_declarations: Remove redundant clone of formal parameter pattern (#23912) (Lawrence Lin)
- 53d083f isolated_declarations: Use `TakeIn` not `CloneIn` (#23847) (overlookmotel)
- 3ea9304 react_compiler: Use faster API to arena allocate strings (#23849) (overlookmotel)
- a6d8e45 parser: Avoid span lookup for arrow expression body (#23788) (camc314)
- e1886a0 transformer, minifier: Use `static_ident!` macro to create static `Ident`s (#23727) (overlookmotel)
- 5527bef transformer/object-rest-spread: Reduce iteration (#23720) (overlookmotel)
- 680ffbc transformer: Allocate AST nodes in arena directly (#23711) (overlookmotel)
- 1c63c66 parser: Allocate AST nodes in arena directly (#23712) (overlookmotel)
- 3855f0c minifier: Allocate AST nodes in arena directly (#23710) (overlookmotel)
- d025887 isolated_declarations: Allocate AST nodes in arena directly (#23709) (overlookmotel)
- 10b96c6 parser: Remove string search from parsing JSX element name (#23713) (overlookmotel)

### 📚 Documentation
- 3d61dea all: Correct capitalization in comments (#23887) (overlookmotel)
- aa1ad74 ast: Add `#[deprecated]` to legacy `AstBuilder` methods (#23877) (overlookmotel)
- a4676db ast: Correct doc comment for `NONE` (#23765) (overlookmotel)
- 419ec80 syntax: Fix typo in doc comment (#23674) (overlookmotel)

### 🛡️ Security
- 3cdd18f deps: Update npm packages (#23690) (renovate[bot])

Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Co-authored-by: Cameron <cameron.clark@hey.com>