Can UB be triggered by mem::forget of a ScopeGuard?

[LunNova]

Attempts at guarding a lifetime in this manner typically are unsound as leaking - whether via RC cycles or mem::forget or any other mechanism - can be done in safe code.

use scoped_static::{ScopeGuard, Scoped};

#[tokio::main]
async fn main() {
    let value = Box::new(1.0);
    let ref_value = &value;
    // `guard` ensures no derived "lifted" values exist when dropped
    let guard = ScopeGuard::new(ref_value);
    // `lifted` holds a `'static` reference to `'ref_value`
    let lifted: Scoped<Box<f64>> = guard.lift();
    tokio::spawn(async move {
        // lifted moved here
        let value = **lifted + 1.0;
        assert_eq!(value, 2.0);
        // lifted dropped
    })
    .await
    .unwrap();
   
    std::mem::forget(guard);
}

There have been proposals to add a new auto trait to make this sort of usage safe, called Forget or Leak or Forgettable.

rust-lang/compiler-team#727

rust-lang/rust#120706

[mcmah309]

Yes it can trigger UB in this case and it has always been documented in the docs https://docs.rs/scoped_static/latest/scoped_static/struct.ScopeGuard.html#:~:text=UNDEFINED%20BEHAVIOR:

But after more thought, I will change the Scoped::defer api to be explicitly unsafe and remove Deref from ScopeGuard because of this edge case.

Funny enough, I also created an RFC yesterday to try and address this, but I ended up closing because it did not address Rc cycles: rust-lang/rfcs#3867

[LunNova]

rust-lang/rfcs#3782 seems to cover Rc/leakpocalypse

[mcmah309]

Yes, though I doubt it will be merged since it does not address perfectly safe types outside of std from leaking !Forget types in perfectly safe rust. So though it makes it harder to leak these types, based on the current implementation there really is no compiler enforcement, it is just a flag at the end of the day.

[Ddystopia]

Yes, though I doubt it will be merged since it does not address perfectly safe types outside of std from leaking !Forget types in perfectly safe rust. So though it makes it harder to leak these types, based on the current implementation there really is no compiler enforcement, it is just a flag at the end of the day.

Well, it addresses. Can you base your criticism?

[Ddystopia]

Additionally, there is already a library for lifetime extension that is safe.

https://docs.rs/extend_mut/latest/extend_mut/index.html

[mcmah309]

Well, it addresses. Can you base your criticism?

I’ve read it, I never saw anything that addresses it. Care to explain how?

One could copy the Arc implementation without !Forgot. No additional unsafe needed.

[mcmah309]

ScopedRefGuard::new is now marked as unsafe

The scoped_static! macro was added for a safe api.

Closing.

[Ddystopia]

@mcmah309

The scoped_static! macro was added for a safe api.

That trick with &mut ... will not guarantee that the value can't be leaked. If it was going on inside a box pinned future, you can still easily forget or even drop it.

[mcmah309]

Can you provide a working example of UB?