fix issue 20155 - Allocating a struct with dtor on the GC heap can produce false pointers

rainers · rainers · commit 62da4de999c6 · 2019-08-23T15:50:07.000+02:00
clear padding area not completely zeroed for struct allocations with dtor
diff --git a/src/rt/lifetime.d b/src/rt/lifetime.d
@@ -1096,15 +1096,19 @@ extern (C) void* _d_newitemU(in TypeInfo _ti)
     auto ti = unqualify(_ti);
     auto flags = !(ti.flags & 1) ? BlkAttr.NO_SCAN : 0;
     immutable tiSize = structTypeInfoSize(ti);
-    immutable size = ti.tsize + tiSize;
+    immutable itemSize = ti.tsize;
+    immutable size = itemSize + tiSize;
     if (tiSize)
         flags |= BlkAttr.STRUCTFINAL | BlkAttr.FINALIZE;
 
     auto blkInf = GC.qalloc(size, flags, ti);
     auto p = blkInf.base;
 
     if (tiSize)
+    {
+        *cast(TypeInfo*)(p + itemSize) = null; // the GC might not have cleared this area
         *cast(TypeInfo*)(p + blkInf.size - tiSize) = cast() ti;
+    }
 
     return p;
 }
@@ -2678,6 +2682,41 @@ deprecated unittest
     }
 }
 
+// test struct dtor handling not causing false pointers
+unittest
+{
+    if (!callStructDtorsDuringGC)
+        return;
+
+    // for 64-bit, allocate a struct of size 40
+    static struct S
+    {
+        size_t[4] data;
+        S* ptr4;
+    }
+    auto p1 = new S;
+    auto p2 = new S;
+    p2.ptr4 = p1;
+
+    // a struct with a dtor with size 32, but the dtor will cause
+    //  allocation to be larger by a pointer
+    static struct A
+    {
+        size_t[3] data;
+        S* ptr3;
+
+        ~this() {}
+    }
+
+    GC.free(p2);
+    auto a = new A; // reuse same memory
+    if (cast(void*)a is cast(void*)p2) // reusage not guaranteed
+    {
+        auto ptr = cast(S**)(a + 1);
+        assert(*ptr != p1); // still same data as p2.ptr4?
+    }
+}
+
 // test class finalizers exception handling
 unittest
 {
