`&'s T` → `&'static T` in safe code (UAF)

I tried this code:

```rust
fn static_str_identity()
  -> for<'s> fn(&'s str) -> (
        [&'static &'s (); 0],
        &'static str,
    )
{
    |s: &str| (
        [],
        s,
    )
}

fn main()
{
    let f = static_str_identity();
    let local = String::from("123");
    let s: &'static str = f(&local).1; // <- should be rejected!
    drop(local);
    let _unrelated = String::from("UAF!");
    dbg!(s); // <- compiles and prints `"UAF!"`
}
```

I expected to see this happen: *argument requires that `s` is borrowed for `'static`*

Instead, this happened: **code compiles successfully** and the excution potentially triggers  Use-After-Free on the String `local`.

```shell
rogram returned: 0
Program stderr
[/app/example.rs:21:5] s = "UAF!"
```

This seems very much like a Use-After-Free issue, and it's quite likely related to the compiler.It can be reproduced in the latest version of the Rust compiler.

- Demo: [godbolt permalink](https://godbolt.org/z/5h7hEsnMb)
- Demo: [on current playground](https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=c89674498c1334f3f3909f40c3e8385e)

`rustc --version --verbose`:

```shell
rustc 1.84.0-nightly (c1db4dc24 2024-10-25)
```

**note**: This issue appears to be different from [#114936](https://github.com/rust-lang/rust/issues/114936), which was related to the `Fn*` Trait and was fixed in version 1.78; whereas this problem can still trigger a vulnerability in the latest version.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

`&'s T` → `&'static T` in safe code (UAF) #132186

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

&'s T → &'static T in safe code (UAF) #132186

Description

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

`&'s T` → `&'static T` in safe code (UAF) #132186