Soundness issue with Dictionary find/get

[capickett]

Adding this test to dictionary.rs exhibits a runtime crash when running on an Apple Silicon mac with cargo test.

    #[test]
    fn this_is_ub() {
        let mut mut_dict: CFMutableDictionary<CFString, CFString> = CFMutableDictionary::new();
        let string_key = CFString::from_static_string("Bar");
        // make a runtime string that assuredly comes from the heap
        let string_val = CFString::new(format!("{:?}", SystemTime::now()).as_str());
        mut_dict.add(
            &string_key,
            &string_val,
        );

        let dict = mut_dict.to_immutable();
        let val = dict.get(string_key);

        mut_dict.remove_all();
        drop(string_val);

        print!("{}", *val);
    }

The issue here is that dict.get() returns an ItemRef<'a, CFString> which is tied to the lifetime of dict. However, dict is aliasing the same underlying storage as mut_dict, which means nothing prevents us removing the value and causing UB.

[capickett]

test dictionary::test::dict_find_and_contains_key ... error: test failed, to rerun pass `--lib`

Caused by:
  process didn't exit successfully: `/Users/pickett/github/core-foundation-rs/target/debug/deps/core_foundation-9eaa4f5982d05630` (signal: 5, SIGTRAP: trace/breakpoint trap)

Running RUSTFLAGS="-Zsanitizer=address" cargo +nightly address reveals:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==75173==ERROR: AddressSanitizer: BUS on unknown address (pc 0x00018108d820 bp 0x00016ffa9ff0 sp 0x00016ffa9b80 T24)
==75173==The signal is caused by a READ memory access.
==75173==Hint: this fault was caused by a dereference of a high value address (see register values below).  Disassemble the provided pc to learn which register was used.
test dictionary::test::dict_find_and_contains_key ... ok
    #0 0x00018108d820 in objc_msgSend+0x20 (libobjc.A.dylib:arm64+0x9820)
    #1 0x000100f33598 in _$LT$core_foundation..string..CFString$u20$as$u20$core..fmt..Display$GT$::fmt::hb247b8cf00e6dfd0 string.rs:104
    #2 0x000100fae410 in core::fmt::write::h7d12250cecdddbdd+0x188 (core_foundation-3972cd86ff0357a4:arm64+0x1000fe410)
    #3 0x000100f91954 in std::io::Write::write_fmt::h2cf72199a89f21e8+0x2c (core_foundation-3972cd86ff0357a4:arm64+0x1000e1954)
    #4 0x000100f911e0 in std::io::stdio::print_to_buffer_if_capture_used::h9e9d8371aa09d068+0xac (core_foundation-3972cd86ff0357a4:arm64+0x1000e11e0)
    #5 0x000100f91360 in std::io::stdio::_print::ha39479449f7d4a23+0x24 (core_foundation-3972cd86ff0357a4:arm64+0x1000e1360)
    #6 0x000100f39890 in core_foundation::dictionary::test::this_is_ub::h990d6fd8d8e4f589 dictionary.rs:499
    #7 0x000100f189b4 in core_foundation::dictionary::test::this_is_ub::_$u7b$$u7b$closure$u7d$$u7d$::h721036028bc7e504 dictionary.rs:483
    #8 0x000100efb358 in core::ops::function::FnOnce::call_once::hbe9222f6c467a2dd function.rs:250
    #9 0x000100f6bf44 in test::__rust_begin_short_backtrace::h7cabe5eb11a69265+0x14 (core_foundation-3972cd86ff0357a4:arm64+0x1000bbf44)
    #10 0x000100f6b99c in test::run_test::_$u7b$$u7b$closure$u7d$$u7d$::hf6648e126fa4cc83+0x1a8 (core_foundation-3972cd86ff0357a4:arm64+0x1000bb99c)
    #11 0x000100f3afa8 in std::sys::backtrace::__rust_begin_short_backtrace::hf87ac20de127c0cb+0x90 (core_foundation-3972cd86ff0357a4:arm64+0x10008afa8)
    #12 0x000100f3e078 in core::ops::function::FnOnce::call_once$u7b$$u7b$vtable.shim$u7d$$u7d$::hfca5c1a5abcdb1f6+0xb4 (core_foundation-3972cd86ff0357a4:arm64+0x10008e078)
    #13 0x000100f99020 in std::sys::pal::unix::thread::Thread::new::thread_start::h32ebc818d3924195+0x30 (core_foundation-3972cd86ff0357a4:arm64+0x1000e9020)
    #14 0x00010173a408 in asan_thread_start(void*)+0x48 (librustc-nightly_rt.asan.dylib:arm64+0x4e408)
    #15 0x00018145c2e0 in _pthread_start+0x84 (libsystem_pthread.dylib:arm64+0x72e0)
    #16 0x0001814570f8 in thread_start+0x4 (libsystem_pthread.dylib:arm64+0x20f8)

==75173==Register values:
 x[0] = 0x000060700000aac0   x[1] = 0x00000001f5549ce1   x[2] = 0x0000000000000001   x[3] = 0x0000000000000001
 x[4] = 0x000060600000ae40   x[5] = 0x0000000000000001   x[6] = 0x000000016fda8000   x[7] = 0x0000000000000001
 x[8] = 0x00000018000003e8   x[9] = 0x00007ffffffffff8  x[10] = 0x6ae160700000aac0  x[11] = 0x000000702e0153b3
x[12] = 0x000000702e0153b1  x[13] = 0x000000702e0153a0  x[14] = 0x00000018000003ef  x[15] = 0x00000018000003e8
x[16] = 0x00000018000003e8  x[17] = 0x00000001f34b2ef0  x[18] = 0x0000000000000000  x[19] = 0x000000016ffa9da0
x[20] = 0x0000000000000001  x[21] = 0x000000016ffaa340  x[22] = 0x000000016ffaa350  x[23] = 0x0000000100fcab08
x[24] = 0x00000001814648b0  x[25] = 0x0000000101033000  x[26] = 0x000000003b9aca00  x[27] = 0x0000000000000000
x[28] = 0x0000000000000000     fp = 0x000000016ffa9ff0     lr = 0x0000000100f23414     sp = 0x000000016ffa9b80
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: BUS (libobjc.A.dylib:arm64+0x9820) in objc_msgSend+0x20
Thread T24 created by T0 here:
    #0 0x000101735238 in pthread_create+0x58 (librustc-nightly_rt.asan.dylib:arm64+0x49238)
    #1 0x000100f98e84 in std::sys::pal::unix::thread::Thread::new::h36757e4409f8ca82+0xc8 (core_foundation-3972cd86ff0357a4:arm64+0x1000e8e84)
    #2 0x000100f6a160 in test::run_test::h158fb525dab1f104+0x7cc (core_foundation-3972cd86ff0357a4:arm64+0x1000ba160)
    #3 0x000100f50988 in test::console::run_tests_console::h6fceff377246963b+0x14cc (core_foundation-3972cd86ff0357a4:arm64+0x1000a0988)
    #4 0x000100f67984 in test::test_main::h601fb47e4b56444a+0x12c (core_foundation-3972cd86ff0357a4:arm64+0x1000b7984)
    #5 0x000100f6854c in test::test_main_static::h677202b6c39dc919+0x54 (core_foundation-3972cd86ff0357a4:arm64+0x1000b854c)
    #6 0x000100ebc9c4 in core_foundation::main::h9809b68546e8b593 lib.rs
    #7 0x000100efab48 in core::ops::function::FnOnce::call_once::h0f8a9659531d2ca9 function.rs:250
    #8 0x000100ee0630 in std::sys::backtrace::__rust_begin_short_backtrace::h90876a24ed99919b backtrace.rs:154
    #9 0x000100f135bc in std::rt::lang_start::_$u7b$$u7b$closure$u7d$$u7d$::h6c551cfc5e56aa43 rt.rs:195
    #10 0x000100f8de14 in std::rt::lang_start_internal::habe8da1df8d08a04+0x440 (core_foundation-3972cd86ff0357a4:arm64+0x1000dde14)
    #11 0x000100f133f4 in std::rt::lang_start::h63051a97db1a49b5 rt.rs:194
    #12 0x000100ebc9f0 in main+0x20 (core_foundation-3972cd86ff0357a4:arm64+0x10000c9f0)
    #13 0x0001810dc270  (<unknown module>)

==75173==ABORTING