refactor(transformer/typescript): use a memory-safe implementation instead

[Dunqing]

The previous implementation causes memory double free, but I don't know why.

[graphite-app]

Your org has enabled the Graphite merge queue for merging into main

Add the label “merge” to the PR and Graphite will automatically add it to the merge queue when it’s ready to merge. Or use the label “hotfix” to add to the merge queue as a hot fix.

You must have a Graphite account and log in to Graphite in order to use the merge queue. Sign up using this link.

[Dunqing]

• refactor(transformer/typescript): use a memory-safe implementation instead #3481 : 2 dependent PRs (#3482 , #3484 ) 👈
• fix(transformer/typescript) if this statement is typescript syntax, replace it with a BlockStatement #3480
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

Join @Dunqing and the rest of your teammates on Graphite

[Dunqing]

Do you happen to know why that is? @overlookmotel

[codspeed-hq]

CodSpeed Performance Report

Merging #3481 will not alter performance

_{Comparing 05-31-refactor_transformer_typescript_use_a_memory-safe_implementation_instead (9dc58d5) with main (25e5bdd)}

Summary

✅ 22 untouched benchmarks

[overlookmotel]

@Dunqing I can't say for sure in this case, but I strongly suspect the culprit is AstBuilder::copy. I had been meaning to open an issue about the unsoundness of this API before, but hadn't got around to it - #3483.

What is odd is that all the objects being dealt with in this code are in the arena and don't have Drop impls, so nothing should get freed at all (much less double-freed). How did the double-free manifest? (error message? Miri found it?)

[Dunqing]

What is odd is that all the objects being dealt with in this code are in the arena and don't have Drop impls, so nothing should get freed at all (much less double-freed). How did the double-free manifest? (error message? Miri found it?)

I got this warning after I changed assignments: Vec<'a, Statement<'a>> to assignments: std:vec::Vec<'a, Statement<'a>>. I did this because I found that when I pushed the statement to assignments, the statement would change

I print AST here.

First print

ExpressionStatement(
    ExpressionStatement {
        span: Span {
            start: 0,
            end: 0,
        },
        expression: AssignmentExpression(
            AssignmentExpression {
                span: Span {
                    start: 0,
                    end: 0,
                },
                operator: Assign,
                left: StaticMemberExpression(
                    StaticMemberExpression {
                        span: Span {
                            start: 0,
                            end: 0,
                        },
                        object: ThisExpression(
                            ThisExpression {
                                span: Span {
                                    start: 0,
                                    end: 0,
                                },
                            },
                        ),
                        property: IdentifierName {
                            span: Span {
                                start: 0,
                                end: 0,
                            },
                            name: "y",
                        },
                        optional: false,
                    },
                ),
                right: Identifier(
                    IdentifierReference {
                        span: Span {
                            start: 0,
                            end: 0,
                        },
                        name: "y",
                        reference_id: Cell {
                            value: None,
                        },
                        reference_flag: ReferenceFlag(
                            0x0,
                        ),
                    },
                ),
            },
        ),
    },
)

Second print

Some(
    ExpressionStatement(
        ExpressionStatement {
            span: Span {
                start: 0,
                end: 0,
            },
            expression: AssignmentExpression(
                AssignmentExpression {
                    span: Span {
                        start: 0,
                        end: 0,
                    },
                    operator: Assign,
                    left: StaticMemberExpression(
                        StaticMemberExpression {
                            span: Span {
                                start: 0,
                                end: 0,
                            },
                            object: ThisExpression(
                                ThisExpression {
                                    span: Span {
                                        start: 2541748224,
                                        end: 87808,
                                    },
                                },
                            ),
                            property: IdentifierName {
                                span: Span {
                                    start: 0,
                                    end: 0,
                                },
                                name: "\u{c}",
                            },
                            optional: false,
                        },
                    ),
                    right: Identifier(
                        IdentifierReference {
                            span: Span {
                                start: 0,
                                end: 0,
                            },
                            name: "y",
                            reference_id: Cell {
                                value: None,
                            },
                            reference_flag: ReferenceFlag(
                                0x0,
                            ),
                        },
                    ),
                },
            ),
        },
    ),
)

You will find that the left expression of these two results is different. This is very odd.

[overlookmotel]

I can't claim to understand what exactly is causing the problem, but the data corruption looks like a use-after-free.

The change to std:vec::Vec would explain why the double-free warning appears - std:vec::Vec does implement Drop. I think this is just surfacing an existing problem - it was always UB, but the fact that none of the data gets dropped in the arena was hiding that until you switched to std:vec::Vec.

But whatever the exact cause, I strongly suspect AstBuilder::copy is the ultimate source of the problem. That API is completely unsound.

[Dunqing]

But whatever the exact cause, I strongly suspect AstBuilder::copy is the ultimate source of the problem. That API is completely unsound.

Yes! It's also very difficult to debug

[graphite-app]

Merge activity

• May 31, 7:15 AM EDT: Dunqing added this pull request to the Graphite merge queue.
• May 31, 7:20 AM EDT: Dunqing merged this pull request with the Graphite merge queue.