Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

JoinIter::get allows mutable aliasing without the user writing any unsafe code. #647

Closed
allen-marshall opened this issue Sep 27, 2019 · 3 comments · Fixed by #765
Closed
Labels

Comments

@allen-marshall
Copy link

Description

Using the JoinIter::get method, it is possible for a user of specs to create two mutable references to the same component data, without the user writing any unsafe code. Here is a simple program that illustrates the issue:

use specs::{Builder, Component, DenseVecStorage, Join, World, WorldExt, WriteStorage};

#[derive(Default)]
struct TestComponent {
    value: u32,
}

impl Component for TestComponent {
    type Storage = DenseVecStorage<TestComponent>;
}

fn main() {
    let mut world = World::new();
    world.register::<TestComponent>();
    let entity = world.create_entity().with(TestComponent::default()).build();
    world.maintain();

    let mut storage: WriteStorage<TestComponent> = world.write_storage();
    let entities = world.entities();

    let mut join_iter = (&mut storage).join();
    let aliased_ref_0 = join_iter.get(entity, &entities).unwrap();
    let aliased_ref_1 = join_iter.get(entity, &entities).unwrap();

    println!("aliased_ref_0 is initially {}.", aliased_ref_0.value);
    aliased_ref_1.value += 1;
    println!(
        "After change to aliased_ref_1, aliased_ref_0 is now {}.",
        aliased_ref_0.value
    );
}

When I run this program, I get the following output:

aliased_ref_0 is initially 0.
After change to aliased_ref_1, aliased_ref_0 is now 1.

The issue doesn't seem too hard to avoid as long as I only use JoinIter for its intended purpose as an iterator, but even so, the fact that I can violate Rust's aliasing rules without writing unsafe seems like an issue. Perhaps JoinIter::get needs to be made private to the specs crate, or maybe it just needs to be marked unsafe? I imagine the same issue can occur with JoinIter::get_unchecked, though I haven't tested it.

Meta

Rust version: 1.37.0 (2018 edition)
Specs version / commit: 0.15.1
Operating system: Ubuntu 18.04.3 LTS 64-bit

Reproduction

Steps to reproduce the behavior:

  1. Compile the Rust program given above.
  2. Run the program.
  3. See in the output that the value at aliased_ref_0 changed even though aliased_ref_0 wasn't mutated directly.

Expected behavior

I would expect the above code not to compile, at least not without modifying it to include an unsafe block.

@WaDelma
Copy link
Member

WaDelma commented Sep 27, 2019

Here is version of that where the lifetimes are explicit:

    use specs::{Builder, Component, DenseVecStorage, Join, World, WorldExt, WriteStorage, Storage, Read, Entity};
    use specs::join::JoinIter;
    use shred::FetchMut;
    use specs::storage::MaskedStorage;
    use specs::world::EntitiesRes;

    #[derive(Default)]
    struct TestComponent {
        value: u32,
    }

    impl Component for TestComponent {
        type Storage = DenseVecStorage<TestComponent>;
    }

    #[test]
    fn testi() {
        let mut world = World::new();
        world.register::<TestComponent>();
        let entity = world.create_entity().with(TestComponent::default()).build();
        world.maintain();

        let mut storage: WriteStorage<TestComponent> = world.write_storage();
        let entities = world.entities();

        fn a<'a: 'b, 'b>(
            j: JoinIter<&'b mut Storage<'a, TestComponent, FetchMut<'a, MaskedStorage<TestComponent>>>>
        ) -> JoinIter<&'b mut Storage<'a, TestComponent, FetchMut<'a, MaskedStorage<TestComponent>>>>
        {
            j
        }
        let mut join_iter = a((&mut storage).join());
        fn b<'a: 'b, 'b, 'c, 'd>(
            j: &'c mut JoinIter<&'b mut Storage<'a, TestComponent, FetchMut<'a, MaskedStorage<TestComponent>>>>,
            e: Entity,
            es: &'d Read<'a, EntitiesRes>
        ) -> &'b mut TestComponent {
            JoinIter::get(j, e, es).unwrap()
        }
        let aliased_ref_0 = b(&mut join_iter, entity, &entities);
        let aliased_ref_1 = b(&mut join_iter, entity, &entities);

        println!("aliased_ref_0 is initially {}.", aliased_ref_0.value);
        aliased_ref_1.value += 1;
        println!(
            "After change to aliased_ref_1, aliased_ref_0 is now {}.",
            aliased_ref_0.value
        );
    }

and from this the reason why it's allowed is clear: 'c isn't connected with 'b.

@WaDelma
Copy link
Member

WaDelma commented Sep 27, 2019

This basically the old streaming vs non-streaming iterator thing, but manifested in different form.

I thought I was clever before by adding this API for JoinIter as that allows easy way of getting multiple components for an entity.

To fix this we would need to either prevent using get with mutable references or create separate machinery for this stuff.

azriel91 pushed a commit to azriel91/specs that referenced this issue Sep 30, 2019
537: Update rand requirement from 0.5.5 to 0.6.1 r=torkleyy a=dependabot[bot]

Updates the requirements on [rand](https://github.com/rust-random/rand) to permit the latest version.
<details>
<summary>Changelog</summary>

*Sourced from [rand's changelog](https://github.com/rust-random/rand/blob/master/CHANGELOG.md).*

> ## [0.6.1] - 2018-11-22
> - Support sampling `Duration` also for `no_std` (only since Rust 1.25) ([amethyst#649](https://github-redirect.dependabot.com/rust-random/rand/issues/649))
> - Disable default features of `libc` ([amethyst#647](https://github-redirect.dependabot.com/rust-random/rand/issues/647))
> 
> ## [0.6.0] - 2018-11-14
> 
> ### Project organisation
> - Rand has moved from [rust-lang-nursery](https://github.com/rust-lang-nursery/rand)
>   to [rust-random](https://github.com/rust-random/rand)! ([amethyst#578](https://github-redirect.dependabot.com/rust-random/rand/issues/578))
> - Created [The Rust Random Book](https://rust-random.github.io/book/)
>   ([source](https://github.com/rust-random/book))
> - Update copyright and licence notices ([amethyst#591](https://github-redirect.dependabot.com/rust-random/rand/issues/591), [amethyst#611](https://github-redirect.dependabot.com/rust-random/rand/issues/611))
> - Migrate policy documentation from the wiki ([amethyst#544](https://github-redirect.dependabot.com/rust-random/rand/issues/544))
> 
> ### Platforms
> - Add fork protection on Unix ([amethyst#466](https://github-redirect.dependabot.com/rust-random/rand/issues/466))
> - Added support for wasm-bindgen. ([amethyst#541](https://github-redirect.dependabot.com/rust-random/rand/issues/541), [amethyst#559](https://github-redirect.dependabot.com/rust-random/rand/issues/559), [amethyst#562](https://github-redirect.dependabot.com/rust-random/rand/issues/562), [amethyst#600](https://github-redirect.dependabot.com/rust-random/rand/issues/600))
> - Enable `OsRng` for powerpc64, sparc and sparc64 ([amethyst#609](https://github-redirect.dependabot.com/rust-random/rand/issues/609))
> - Use `syscall` from `libc` on Linux instead of redefining it ([amethyst#629](https://github-redirect.dependabot.com/rust-random/rand/issues/629))
> 
> ### RNGs
> - Switch `SmallRng` to use PCG ([amethyst#623](https://github-redirect.dependabot.com/rust-random/rand/issues/623))
> - Implement `Pcg32` and `Pcg64Mcg` generators ([amethyst#632](https://github-redirect.dependabot.com/rust-random/rand/issues/632))
> - Move ISAAC RNGs to a dedicated crate ([amethyst#551](https://github-redirect.dependabot.com/rust-random/rand/issues/551))
> - Move Xorshift RNG to its own crate ([amethyst#557](https://github-redirect.dependabot.com/rust-random/rand/issues/557))
> - Move ChaCha and HC128 RNGs to dedicated crates ([amethyst#607](https://github-redirect.dependabot.com/rust-random/rand/issues/607), [amethyst#636](https://github-redirect.dependabot.com/rust-random/rand/issues/636))
> - Remove usage of `Rc` from `ThreadRng` ([amethyst#615](https://github-redirect.dependabot.com/rust-random/rand/issues/615))
> 
> ### Sampling and distributions
> - Implement `Rng.gen_ratio()` and `Bernoulli::new_ratio()` ([amethyst#491](https://github-redirect.dependabot.com/rust-random/rand/issues/491))
> - Make `Uniform` strictly respect `f32` / `f64` high/low bounds ([amethyst#477](https://github-redirect.dependabot.com/rust-random/rand/issues/477))
> - Allow `gen_range` and `Uniform` to work on non-`Copy` types ([amethyst#506](https://github-redirect.dependabot.com/rust-random/rand/issues/506))
> - `Uniform` supports inclusive ranges: `Uniform::from(a..=b)`. This is
>   automatically enabled for Rust >= 1.27. ([amethyst#566](https://github-redirect.dependabot.com/rust-random/rand/issues/566))
> - Implement `TrustedLen` and `FusedIterator` for `DistIter` ([amethyst#620](https://github-redirect.dependabot.com/rust-random/rand/issues/620))
> 
> #### New distributions
> - Add the `Dirichlet` distribution ([amethyst#485](https://github-redirect.dependabot.com/rust-random/rand/issues/485))
> - Added sampling from the unit sphere and circle. ([amethyst#567](https://github-redirect.dependabot.com/rust-random/rand/issues/567))
> - Implement the triangular distribution ([amethyst#575](https://github-redirect.dependabot.com/rust-random/rand/issues/575))
> - Implement the Weibull distribution ([amethyst#576](https://github-redirect.dependabot.com/rust-random/rand/issues/576))
> - Implement the Beta distribution ([amethyst#574](https://github-redirect.dependabot.com/rust-random/rand/issues/574))
> 
> #### Optimisations
> 
> - Optimise `Bernoulli::new` ([amethyst#500](https://github-redirect.dependabot.com/rust-random/rand/issues/500))
> - Optimise `char` sampling ([amethyst#519](https://github-redirect.dependabot.com/rust-random/rand/issues/519))
> - Optimise sampling of `std::time::Duration` ([amethyst#583](https://github-redirect.dependabot.com/rust-random/rand/issues/583))
> 
> ### Sequences
></table> ... (truncated)
</details>
<details>
<summary>Commits</summary>

- See full diff in [compare view](https://github.com/rust-random/rand/commits/0.6.1)
</details>
<br />

Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting `@dependabot rebase`.

[//]: # (dependabot-automerge-start)
[//]: # (dependabot-automerge-end)

---

**Note:** This repo was added to Dependabot recently, so you'll receive a maximum of 5 PRs for your first few update runs. Once an update run creates fewer than 5 PRs we'll remove that limit.

You can always request more updates by clicking `Bump now` in your [Dependabot dashboard](https://app.dependabot.com).

<details>
<summary>Dependabot commands and options</summary>
<br />

You can trigger Dependabot actions by commenting on this PR:
- `@dependabot rebase` will rebase this PR
- `@dependabot recreate` will recreate this PR, overwriting any edits that have been made to it
- `@dependabot merge` will merge this PR after your CI passes on it
- `@dependabot cancel merge` will cancel a previously requested merge
- `@dependabot reopen` will reopen this PR if it is closed
- `@dependabot ignore this [patch|minor|major] version` will close this PR and stop Dependabot creating any more for this minor/major version (unless you reopen the PR or upgrade to it yourself)
- `@dependabot ignore this dependency` will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
- `@dependabot use these labels` will set the current labels as the default for future PRs for this repo and language
- `@dependabot use these reviewers` will set the current reviewers as the default for future PRs for this repo and language
- `@dependabot use these assignees` will set the current assignees as the default for future PRs for this repo and language
- `@dependabot use this milestone` will set the current milestone as the default for future PRs for this repo and language
- `@dependabot badge me` will comment on this PR with code to add a "Dependabot enabled" badge to your readme

Additionally, you can set the following in your Dependabot [dashboard](https://app.dependabot.com):
- Update frequency (including time of day and day of week)
- Automerge options (never/patch/minor, and dev/runtime dependencies)
- Pull request limits (per update run and/or open at any time)
- Out-of-range updates (receive only lockfile updates, if desired)
- Security updates (receive only security updates, if desired)

Finally, you can contact us by mentioning @dependabot.

</details>



Co-authored-by: dependabot[bot] <[email protected]>
Co-authored-by: Thomas Schaller <[email protected]>
@pythonesque
Copy link

This API is very clearly unsound and needs to be removed.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
Projects
None yet
Development

Successfully merging a pull request may close this issue.

3 participants