reproduce double free

petrosagg · petrosagg · commit 79372e95c934 · 2025-04-10T11:31:08.000+03:00
Signed-off-by: Petros Angelatos &lt;petrosagg@gmail.com&gt;
diff --git a/library/std/src/sync/mpmc/list.rs b/library/std/src/sync/mpmc/list.rs
@@ -213,6 +213,7 @@ impl<T> Channel<T> {
                     .compare_exchange(block, new, Ordering::Release, Ordering::Relaxed)
                     .is_ok()
                 {
+                    crate::thread::sleep(core::time::Duration::from_secs(2));
                     self.head.block.store(new, Ordering::Release);
                     block = new;
                 } else {
diff --git a/library/std/tests/sync/mpmc.rs b/library/std/tests/sync/mpmc.rs
@@ -16,6 +16,24 @@ fn smoke() {
     assert_eq!(rx.recv().unwrap(), 1);
 }
 
+#[test]
+fn gh_139553() {
+    let (s1, r) = channel::<u64>();
+    let s2 = s1.clone();
+    // This thread will sleep for 2000ms at the critical moment
+    let t1 = thread::spawn(move || assert!(s1.send(42).is_err()));
+    // Give some time for thread 1 to reach the critical state
+    thread::sleep(Duration::from_millis(100));
+    // Send another value which see the tail is not null and will just advance the tail offset to 1
+    // and write the value.
+    s2.send(42).unwrap();
+    // Now drop the receiver which will attempt to drop a message by reading it since head != tail
+    // but head is still a null pointer because the thread t1 is still preempted leading to a
+    // segfault.
+    drop(r);
+    t1.join().unwrap();
+}
+
 #[test]
 fn drop_full() {
     let (tx, _rx) = channel::<Box<isize>>();
diff --git a/src/tools/miri/tests/pass/gh_139553.rs b/src/tools/miri/tests/pass/gh_139553.rs
@@ -0,0 +1,20 @@
+use std::sync::mpsc::channel;
+use std::thread;
+use std::time::Duration;
+
+pub fn main() {
+    let (s1, r) = channel::<u64>();
+    let s2 = s1.clone();
+    // This thread will sleep for 2000ms at the critical moment
+    let t1 = thread::spawn(move || assert!(s1.send(42).is_err()));
+    // Give some time for thread 1 to reach the critical state
+    thread::sleep(Duration::from_millis(100));
+    // Send another value which see the tail is not null and will just advance the tail offset to 1
+    // and write the value.
+    s2.send(42).unwrap();
+    // Now drop the receiver which will attempt to drop a message by reading it since head != tail
+    // but head is still a null pointer because the thread t1 is still preempted leading to a
+    // segfault.
+    drop(r);
+    t1.join().unwrap();
+}

Original file line number	Diff line number	Diff line change
`@@ -213,6 +213,7 @@ impl<T> Channel<T> {`
`213`	`213`	`.compare_exchange(block, new, Ordering::Release, Ordering::Relaxed)`
`214`	`214`	`.is_ok()`
`215`	`215`	`{`
	`216`	`+ crate::thread::sleep(core::time::Duration::from_secs(2));`
`216`	`217`	`self.head.block.store(new, Ordering::Release);`
`217`	`218`	`block = new;`
`218`	`219`	`} else {`