Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

reflectType does not check type parameter bounds #59862

Closed
lrhn opened this issue Jan 8, 2025 · 2 comments
Closed

reflectType does not check type parameter bounds #59862

lrhn opened this issue Jan 8, 2025 · 2 comments
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. closed-not-planned Closed as we don't intend to take action on the reported issue library-mirrors type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)

Comments

@lrhn
Copy link
Member

lrhn commented Jan 8, 2025

You can invoke reflectType with a type argument that is not a valid bound, creating a reflection of a mal-bounded type.
If you do so, you can also invoke newInstance to create an instance of that invalid type.

Example:

import "dart:mirrors";
void main() {
  dynamic d = (reflectType(E, [String]) as ClassMirror)
      .newInstance(Symbol.empty, ["A string"]).reflectee;
  E<dynamic> e =  d; // Successful cast.
  print(e.runtimeType); // E<String>
  num n = e.numValue;
  print(n.runtimeType); // String. Soundness broken.

  d = (reflectType(F, [int]) as ClassMirror)
      .newInstance(Symbol.empty, [42]).reflectee; // seg-fault here.
  F<dynamic> f = d;
  F<dynamic> i = f.typedValue;
  print(i.runtimeType);
}

class E<T extends num> {
  final T value;
  E(this.value);
  num get numValue => value; // Valid up-cast.
}

class F<T extends F<T>> {
  final T value;
  F(this.value);
  F<T> get typedValue => value; // Valid up-cast.
}

The first, non-F-bounded, example succeeds in assigning a String to a variable of type num, breaking soundness.

The second part crashes with a segmentation fault in the F constructor, suggesting that it tries to do something with the type argument, maybe assuming it to implement F or at least have a type variable, but it then fails horribly when it finds int. (If I change int to List<int> and 42 to <int>[42] the code runs and prints List<int>, so the crash is probably related to not being a generic type).

@lrhn lrhn added area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. library-mirrors type-bug Incorrect behavior (everything from a crash to more subtle misbehavior) labels Jan 8, 2025
@a-siva a-siva added the closed-not-planned Closed as we don't intend to take action on the reported issue label Jan 8, 2025
@a-siva
Copy link
Contributor

a-siva commented Jan 8, 2025

dart:mirrors is an unsupported library and we do not intend on fixing this issue.

@a-siva a-siva closed this as completed Jan 8, 2025
@lrhn
Copy link
Member Author

lrhn commented Jan 10, 2025

The JIT runtime seems to handle unsoundness gracefully, and mirrors cant be used in AOT compiled code, so it's probably not unsafe.

You can crash things, fx by putting a Smi into a position where an object is expected.

import "dart:mirrors";

void main() {
  String v = unsafeCast(0x20000000);
  print(v[10000]);
}

Never unsafeCast(Object? value) {
  var result = (reflectType(_UnsafeCast, [dynamic]) as ClassMirror)
      .newInstance(Symbol.empty, [value]).reflectee;
  return (result as _UnsafeCast<Object?>).value;
}

final class _UnsafeCast<T extends Never> {
  final Never value;
  _UnsafeCast(T this.value);
}

which gives a segmentation fault, but simply breaking exhaustiveness or soundness doesn't always crash.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
area-vm Use area-vm for VM related issues, including code coverage, and the AOT and JIT backends. closed-not-planned Closed as we don't intend to take action on the reported issue library-mirrors type-bug Incorrect behavior (everything from a crash to more subtle misbehavior)
Projects
None yet
Development

No branches or pull requests

2 participants