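--- a/benchmark/data/tasks/ecvebench-rustracts-001.json
+++ b/benchmark/data/tasks/ecvebench-rustracts-001.json
@@ -0,0 +1,35 @@
+{
+"task_id": "ecvebench-rustracts-001",
+"ghsa_id": "GHSA-xwxc-j97j-84gf",
+"codebase": {
+"repo": "https://github.com/hyyking/rustracts",
+"language": "rust",
+"ecosystem": "rust",
+"commit": "c15541d7968aea40d06dadd5e2c5cb57b4d6d341"
+},
+"hints": {
+"L0": null,
+"L1": {
+"area": "Concurrency trait implementations and thread-safety guarantees for smart pointer types"
+},
+"L2": {
+"description": "A data race vulnerability exists where a smart pointer type unconditionally implements the Send trait without requiring the inner type to be Sync. This allows concurrent access to non-Sync data from multiple threads, leading to undefined behavior such as data races."
+},
+"L3": {
+"area": "Thread-safety trait bounds for weak reference types in the shared ownership smart pointer module",
+"description": "A data race vulnerability exists where a weak reference smart pointer type unconditionally implements the Send trait without requiring the inner type to be Sync. This allows enclosing non-Sync data and accessing it concurrently from multiple threads via child references, leading to undefined behavior including data races and potential memory corruption."
+}
+},
+"ground_truth": {
+"vulnerable": true,
+"vuln_class": "race-condition",
+"cvss": 8.1,
+"reason": "LockWeak<T> unconditionally implements Send without requiring T: Sync, allowing concurrent access to non-Sync data from multiple threads, which causes undefined behavior such as data races.",
+"locations": [
+{
+"file": "parc/src/lib.rs",
+"function": null
+}
+]
+}
+}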
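Review bot: The task record keeps `ghsa_id` and the whole `ground_truth` object in the same file as the hints, so at hint level `L0` (null) the advisory id by itself identifies the answer if the harness hands this file, or any unfiltered part of it, to the system under evaluation. Whether the loader strips those keys is not visible on this page; if it does not, move `ghsa_id` and `ground_truth` next to the record under `benchmark/internal/metadata/`, or document the stripping in the task schema. Separately, `"cvss": 8.1` carries no CVSS version or vector, so the score cannot be re-derived or compared across tasks; a sibling field such as `"cvss_vector": "<vector from the advisory>"` would fix that. `"function": null` also leaves the location at file granularity even though `reason` names `LockWeak<T>`.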
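--- a/benchmark/internal/metadata/GHSA-xwxc-j97j-84gf.json
+++ b/benchmark/internal/metadata/GHSA-xwxc-j97j-84gf.json
@@ -0,0 +1,8 @@
+{
+"ghsa_id": "GHSA-xwxc-j97j-84gf",
+"post_patch_commit": "5e43ee86e6a67153ff65da2051f6eb0a77f2c6b8",
+"noisy_patch": false,
+"curation_notes": "Patch is PR #6 (merged as 5e43ee8) in hyyking/rustracts. Only one source file changed: parc/src/lib.rs. The fix adds a Sync bound to the unsafe Send impl for LockWeak<T>, preventing concurrent access to non-Sync data. Pre-assigned class race-condition (CWE-362) is correct — the vulnerability is an unsound Send impl enabling data races. Location derived directly from the patch diff; no sibling files exist in parc/src/.",
+"dataset_version": "0.1.0",
+"snapshot_date": "2026-04-26"
+}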
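Review bot: `post_patch_commit` is recorded here, but nothing in this record ties it to the `codebase.commit` pinned in the task file (`c15541d7968aea40d06dadd5e2c5cb57b4d6d341`), so a task pinned at or after the fix would silently carry `"vulnerable": true`. A curation check that the pinned commit is an ancestor of `post_patch_commit`, and that it still contains the `Send` impl for `LockWeak<T>` without the `Sync` bound, would catch that; if such a check already exists elsewhere, it is not visible on this page. The CWE id appears only inside the free-text `curation_notes`; a structured field, e.g. `"cwe": "CWE-362"`, would let tooling cross-check it against `vuln_class` in the task file.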