fix(allocator): fix unsound lifetime extension in Box::new_in#23685

Merged
graphite-app[bot] merged 1 commit into main from om/06-21-fix_allocator_fix_unsound_lifetime_extension_in_box_new_in_ on Jun 21, 2026

Conversation

@overlookmotel overlookmotel commented Jun 21, 2026

Member

Fix unsoundness in `Box::new_in`.

`Box::new_in` had this signature:

```rust
impl<T> Box<'_, T> {
    pub fn new_in(value: T, allocator: &Allocator) -> Self {
        Self(NonNull::from(allocator.alloc(value)), PhantomData)
    }
}
```

The returned `Box<'alloc, T>`'s lifetime `'alloc` and the `&Allocator` borrow were two independent, unconstrained lifetimes. Nothing tied them together, so the caller was free to choose any `'alloc` - including one that outlives the allocator. In effect you could mint a `Box<'static, T>` from a temporary `Allocator`:

```rust
let boxed = {
    let allocator = Allocator::default();
    Box::new_in(5, &allocator)   // returns Box<'_, i32> with a lifetime unrelated to `allocator`
};                               // `allocator` dropped here, freeing the backing memory
assert_eq!(*boxed, 5);           // use after free
```

Fix by tying the 2 lifetimes together.

```rust
impl<'alloc, T> Box<'alloc, T> {
    pub fn new_in(value: T, allocator: &'alloc Allocator) -> Self { ... }
}
```

This bug crept in in #2943 and has gone unnoticed since - largely because we rarely use `Box::new_in` directly, and `AstBuilder::alloc` was correctly providing a tighter lifetime bound.
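As an added illustration (not code from the PR or from oxc), here is a minimal arena and arena box with the fixed `new_in` signature, showing how `PhantomData<&'alloc T>` plus the `&'alloc Allocator` parameter make the box's lifetime follow the allocator's. `Allocator`, `ArenaBox` and `sum_in_arena` are constructed for this example; the box is named `ArenaBox` because the arena uses `std::boxed::Box` internally.

```rust
use std::cell::RefCell;
use std::marker::PhantomData;
use std::ops::Deref;
use std::ptr::NonNull;

/// Stand-in for `oxc_allocator::Allocator` (constructed for this example, not oxc's code).
/// Everything it allocates is freed when it drops, so `alloc`'s result must not outlive `&'a self`.
#[derive(Default)]
pub struct Allocator {
    allocs: RefCell<Vec<(NonNull<u8>, unsafe fn(NonNull<u8>))>>,
}
impl Allocator {
    /// Leaks `value` onto the heap and records how to free it; the returned
    /// reference carries the same `'a` as the borrow of the arena.
    pub fn alloc<'a, T>(&'a self, value: T) -> &'a mut T {
        unsafe fn free<T>(p: NonNull<u8>) { unsafe { drop(Box::from_raw(p.as_ptr().cast::<T>())) } }
        let leaked: &'a mut T = Box::leak(Box::new(value));
        self.allocs.borrow_mut().push((NonNull::from(&mut *leaked).cast::<u8>(), free::<T>));
        leaked
    }
    pub fn allocation_count(&self) -> usize { self.allocs.borrow().len() }
}
impl Drop for Allocator {
    fn drop(&mut self) { for (p, free) in self.allocs.get_mut().drain(..) { unsafe { free(p) } } }
}

/// Arena box with the fixed signature. `PhantomData<&'alloc T>` makes the type carry the
/// arena lifetime; under the old `impl<T> ArenaBox<'_, T>` header with an untied `&Allocator`
/// parameter, `'alloc` was a fresh lifetime the caller could pick freely (even `'static`).
pub struct ArenaBox<'alloc, T>(NonNull<T>, PhantomData<&'alloc T>);
impl<'alloc, T> ArenaBox<'alloc, T> {
    /// Sound: the borrow and the returned box share `'alloc`, so rustc now rejects the
    /// use-after-free from the PR description with E0597 (`a` does not live long enough):
    /// `let boxed = { let a = Allocator::default(); ArenaBox::new_in(5, &a) }; *boxed`
    pub fn new_in(value: T, allocator: &'alloc Allocator) -> Self {
        Self(NonNull::from(allocator.alloc(value)), PhantomData)
    }
}
impl<T> Deref for ArenaBox<'_, T> {
    type Target = T;
    fn deref(&self) -> &T { unsafe { self.0.as_ref() } }
}

/// Correct use: boxes are created and consumed while `allocator` is still alive.
pub fn sum_in_arena(values: &[i32]) -> i32 {
    let allocator = Allocator::default();
    let boxes: Vec<ArenaBox<'_, i32>> = values.iter().map(|&v| ArenaBox::new_in(v, &allocator)).collect();
    boxes.iter().map(|b| **b).sum()
}
```

Reverting `new_in` to take `allocator: &Allocator` under an `impl<T> ArenaBox<'_, T>` header reproduces the original hole: the block in the doc comment then compiles and dereferences freed memory.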


@github-actions github-actions Bot added the A-allocator Area - Allocator label Jun 21, 2026

codspeed-hq Bot commented Jun 21, 2026


Merging this PR will not alter performance

✅ 62 untouched benchmarks
⏩ 9 skipped benchmarks [1]

Comparing om/06-21-fix_allocator_fix_unsound_lifetime_extension_in_box_new_in_ (7d7537c) with main (5597251) [2]


Footnotes

  1. 9 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports.

  2. No successful run was found on main (b1b83d5) during the generation of this report, so 5597251 was used instead as the comparison base. There might be some changes unrelated to this pull request in this report.

@overlookmotel overlookmotel marked this pull request as ready for review June 21, 2026 15:46
Copilot AI review requested due to automatic review settings June 21, 2026 15:46
@overlookmotel overlookmotel self-assigned this Jun 21, 2026

Copilot AI left a comment


Pull request overview

Fixes a soundness hole in oxc_allocator::Box::new_in by correctly tying the returned Box<'alloc, T> lifetime to the borrow of the Allocator, preventing callers from constructing arena-backed boxes that outlive their allocator (and thus avoiding potential use-after-free).

Changes:

  • Update Box::new_in signature to take &'alloc Allocator, constraining the returned Box lifetime to the allocator’s lifetime.
  • Expand rustdoc for Box::new_in with a compile_fail example demonstrating the intended lifetime restriction.

@overlookmotel overlookmotel added the 0-merge Merge with Graphite Merge Queue label Jun 21, 2026

overlookmotel commented Jun 21, 2026


Merge activity

@graphite-app graphite-app Bot force-pushed the om/06-21-fix_allocator_fix_unsound_lifetime_extension_in_box_new_in_ branch from 7d7537c to 7231d55 Compare June 21, 2026 16:18
@graphite-app graphite-app Bot merged commit 7231d55 into main Jun 21, 2026
31 checks passed
@graphite-app graphite-app Bot removed the 0-merge Merge with Graphite Merge Queue label Jun 21, 2026
@graphite-app graphite-app Bot deleted the om/06-21-fix_allocator_fix_unsound_lifetime_extension_in_box_new_in_ branch June 21, 2026 16:26
camc314 added a commit that referenced this pull request Jun 29, 2026
### 💥 BREAKING CHANGES

- 94fbacb ast: [**BREAKING**] Only export `AstBuilder` and `NONE` in `builder` module (#23876) (overlookmotel)
- 8de5122 ecmascript: [**BREAKING**] Switch to new `AstBuilder` (#23834) (overlookmotel)
- dc0ef38 transformer: [**BREAKING**] Switch to new `AstBuilder` (#23831) (overlookmotel)
- 88f4455 str: [**BREAKING**] `Str` and `Ident` methods take `&GetAllocator` (#23781) (overlookmotel)
- 36009dd allocator: [**BREAKING**] `GetAllocator::allocator` take `&self` (#23676) (overlookmotel)
- bd74f9d allocator: [**BREAKING**] Rename `AllocatorAccessor` trait to `GetAllocator` (#23675) (overlookmotel)

### 🚀 Features

- 326fe25 transformer_plugins: Support `typeof` `define` keys (#23605) (Alexander Lichter)
- f2091b3 ast: Unify old and new `AstBuilder`s (#23875) (overlookmotel)
- cd1fd12 codegen: Expose `Codegen::print_string` API (#23785) (camc314)
- 785461b ast: Add custom builder methods to AST types (#23651) (overlookmotel)
- 05d1357 ast: Add AST creation methods to AST types (#23650) (overlookmotel)
- 2580eda str: Add `Str::from_str_in` and `Ident::from_str_in` methods (#23767) (overlookmotel)
- 6883fcf minifier: Fold write-once falsy var to false in boolean context (#23540) (Dunqing)
- fcbf993 allocator: Add `Vec::from_value_in` method (#23718) (overlookmotel)
- 989ddb7 allocator: Add `Vec::from_box_in` method (#23717) (overlookmotel)
- 9d1aa7f allocator: Improve `PartialEq` for `Vec` (#23716) (overlookmotel)

### 🐛 Bug Fixes

- da0e5bf minifier: Don't reorder a closed-over TDZ read when inlining a var (#23771) (Dunqing)
- 0b3021f allocator: Remove `Vec::from_box_in` (#23873) (overlookmotel)
- 0ab64ec ast: Silence deprecation warnings within files defining deprecated `AstBuilder` methods (#23889) (overlookmotel)
- 8c07cad all: Enable `disable_old_builder` Cargo feature for `oxc_ast` crate in tests (#23888) (overlookmotel)
- 3800f01 ast: Legacy `AstBuilder` methods take `self` not `&self` (#23891) (overlookmotel)
- 869ac20 semantic/cfg: Connect for update exit to loop test (#23791) (camc314)
- d3e92d5 semantic/cfg: Connect while branches from condition exit (#23790) (camc314)
- 025045d ast: `ExportNamedDeclaration` plain builder methods return boxed nodes (#23783) (overlookmotel)
- 7537c58 ast: Fix name of `AstBuilder` method for `Expression::V8IntrinsicExpression` (#23766) (overlookmotel)
- 3f574f5 traverse: Fix unsoundness in `Traverse` walk functions (#23745) (overlookmotel)
- 585760f parser: String in AST reference arena (#23721) (overlookmotel)
- 7231d55 allocator: Fix unsound lifetime extension in `Box::new_in` (#23685) (overlookmotel)

### ⚡ Performance

- d5c916a semantic: Flatten hoisting_variables to avoid per-scope map allocation (#23927) (Lawrence Lin)
- e71609d minifier: Bail member-expr folding before the side-effect walk (#23924) (Lawrence Lin)
- e1f89ab minifier: Reduce string allocations folding addition (#23846) (overlookmotel)
- 9f6ee3b isolated-declarations: Pool scope maps to avoid per-scope alloc/rehash (#23761) (Boshen)
- 0b07c4c semantic: Avoid heap alloc for catch-clause binding ids (#23911) (Lawrence Lin)
- c5eef8b regular_expression: Skip capturing-group pre-parse when pattern has no `(` (#23908) (Lawrence Lin)
- b4f5b4b isolated_declarations: Remove redundant clone of formal parameter pattern (#23912) (Lawrence Lin)
- 53d083f isolated_declarations: Use `TakeIn` not `CloneIn` (#23847) (overlookmotel)
- 3ea9304 react_compiler: Use faster API to arena allocate strings (#23849) (overlookmotel)
- a6d8e45 parser: Avoid span lookup for arrow expression body (#23788) (camc314)
- e1886a0 transformer, minifier: Use `static_ident!` macro to create static `Ident`s (#23727) (overlookmotel)
- 5527bef transformer/object-rest-spread: Reduce iteration (#23720) (overlookmotel)
- 680ffbc transformer: Allocate AST nodes in arena directly (#23711) (overlookmotel)
- 1c63c66 parser: Allocate AST nodes in arena directly (#23712) (overlookmotel)
- 3855f0c minifier: Allocate AST nodes in arena directly (#23710) (overlookmotel)
- d025887 isolated_declarations: Allocate AST nodes in arena directly (#23709) (overlookmotel)
- 10b96c6 parser: Remove string search from parsing JSX element name (#23713) (overlookmotel)

### 📚 Documentation

- 3d61dea all: Correct capitalization in comments (#23887) (overlookmotel)
- aa1ad74 ast: Add `#[deprecated]` to legacy `AstBuilder` methods (#23877) (overlookmotel)
- a4676db ast: Correct doc comment for `NONE` (#23765) (overlookmotel)
- 419ec80 syntax: Fix typo in doc comment (#23674) (overlookmotel)

### 🛡️ Security

- 3cdd18f deps: Update npm packages (#23690) (renovate[bot])

Co-authored-by: Boshen <1430279+Boshen@users.noreply.github.com>
Co-authored-by: Cameron <cameron.clark@hey.com>
camc314 pushed a commit that referenced this pull request Jul 3, 2026
camc314 added a commit that referenced this pull request Jul 3, 2026

Labels

A-allocator Area - Allocator
