Generativity mechanism is unsound 💥

[CAD97]

(sorry; I only found this because I was trying to imitate your closure-less generativity)

fn main() {
    compact_arena::mk_arena!(a, 0);
    compact_arena::mk_arena!(b, 0);
    let mut a: compact_arena::SmallArena<'_, usize> = a;
    let b: compact_arena::SmallArena<'_, usize> = b;

    let ix = a.add(0);
    dbg!(b[ix]);
}

This successfully compiles and panics with

thread 'main' panicked at 'assertion failed: (i.index as usize) < self.data.len()', D:\usr\.cargo\registry\src\cf-workers-proxy-enn.pages.dev-1ecc6299db9ec823\compact_arena-0.3.1\src\lib.rs:367:9
stack backtrace:
   0: std::sys_common::backtrace::_print
             at src\libstd\sys\windows\backtrace/mod.rs:95
             at src\libstd\sys\windows\backtrace/mod.rs:82
             at src\libstd\sys_common/backtrace.rs:71
   1: std::panicking::default_hook::{{closure}}
             at src\libstd\sys_common/backtrace.rs:59
             at src\libstd/panicking.rs:197
   2: std::panicking::default_hook
             at src\libstd/panicking.rs:211
   3: std::panicking::rust_panic_with_hook
             at src\libstd/panicking.rs:474
   4: std::panicking::begin_panic
             at /rustc/2bafaaf66556ba153fddb00def6d205abb5beff2\src\libstd/panicking.rs:408
   5: <compact_arena::SmallArena<T> as core::ops::index::Index<compact_arena::Idx<u32>>>::index
             at <::std::macros::/panic macros>:3
   6: playground::main
             at src/main.rs:8
   7: std::rt::lang_start::{{closure}}
             at /rustc/2bafaaf66556ba153fddb00def6d205abb5beff2\src\libstd/rt.rs:64
   8: std::panicking::try::do_call
             at src\libstd/rt.rs:49
             at src\libstd/panicking.rs:293
   9: _rust_maybe_catch_panic
             at src\libpanic_unwind/lib.rs:87
  10: std::rt::lang_start_internal
             at src\libstd/panicking.rs:272
             at src\libstd/panic.rs:388
             at src\libstd/rt.rs:48
  11: std::rt::lang_start
             at /rustc/2bafaaf66556ba153fddb00def6d205abb5beff2\src\libstd/rt.rs:64
  12: main
  13: _tmainCRTStartup
  14: mainCRTStartup
  15: unit_addrs_search
  16: unit_addrs_search
error: process didn't exit successfully: `target\debug\playground.exe` (exit code: 101)

and segfaults when compiled in release mode with

error: process didn't exit successfully: `target\release\playground.exe` (exit code: 0xc0000005, STATUS_ACCESS_VIOLATION)

(Windows)

[CAD97]

This seems to be NLL's "fault": mixup2.rs compiles fine with edition=2018 but errors with edition=2015.

[RalfJung]

So basically #18 was closed incorrectly because it got only tested on the old edition?

[CAD97]

That seems to be the case.

[CAD97]

I just pushed https://github.com/CAD97/generativity which I believe uses @matthewjasper 's trick to allow for closure-less unique lifetimes.

I know for sure that the closure generativity works, and rustc isn't going to introduce some full-program lifetime analysis to "fix" it. I'm unsure whether the impl Drop(&'id Invariant<'id>) is enough to guarantee resilience against future lifetime checker improvements, however.

[Shnatsel]

Looks like this can be used to trigger out-of-bounds accesses from safe code. Please file a security advisory at https://github.com/RustSec/advisory-db so that users of the crate can check if they're affected and upgrade. Please consider also yanking the affected versions from crates.io.