Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Vec::drain is unsound with range_bounds_assert_len feature #81157

Closed
KamilaBorowska opened this issue Jan 18, 2021 · 2 comments · Fixed by #81154
Closed

Vec::drain is unsound with range_bounds_assert_len feature #81157

KamilaBorowska opened this issue Jan 18, 2021 · 2 comments · Fixed by #81154
Labels
A-collections Area: `std::collections` C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness requires-nightly This issue requires a nightly compiler in some way. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.

Comments

@KamilaBorowska
Copy link
Contributor

KamilaBorowska commented Jan 18, 2021
edited
Loading

Manually implementing assert_len can cause unsoundness in Vec::drain. This only happens in nightly, as overriding assert_len is only possible in nightly releases.

The following program will segfault.

#![feature(range_bounds_assert_len)]

use std::cell::Cell;
use std::ops::{Bound, Range, RangeBounds};

struct EvilRange(Cell<bool>);

impl RangeBounds<usize> for EvilRange {
    fn start_bound(&self) -> Bound<&usize> {
        unimplemented!()
    }
    fn end_bound(&self) -> Bound<&usize> {
        unimplemented!()
    }
    fn assert_len(self, _len: usize) -> Range<usize> {
        0..42
    }
}

fn main() {
    vec![1, 2, 3].drain(EvilRange(Cell::new(false)));
}

Related issues: #76393, #81154.
@KamilaBorowska KamilaBorowska added the C-bug Category: This is a bug. label Jan 18, 2021
@jonas-schievink jonas-schievink added A-collections Area: `std::collections` I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. labels Jan 18, 2021
@rustbot rustbot added the I-prioritize Issue: Indicates that prioritization has been requested for this issue. label Jan 18, 2021
@lcnr lcnr added requires-nightly This issue requires a nightly compiler in some way. and removed I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels Jan 18, 2021
@bluss bluss mentioned this issue Jan 18, 2021
Open
4 tasks
@dylni
Copy link
Contributor

dylni commented Jan 18, 2021

Thanks for noticing this. I think the best fix is to define the method on Range instead. I'll update this PR with that change unless anyone has a better idea.

@RalfJung
Copy link
Member

Good catch!

@dylni dylni mentioned this issue Jan 18, 2021
Merged
JohnTitor added a commit to JohnTitor/rust that referenced this issue Feb 11, 2021
@JohnTitor
Rollup merge of rust-lang#81154 - dylni:improve-design-of-assert-len,…
8426154 
… r=KodrAus

Improve design of `assert_len`

It was discussed in the [tracking issue](rust-lang#76393 (comment)) that `assert_len`'s name and usage are confusing. This PR improves them based on a suggestion by `@scottmcm` in that issue.

I also improved the documentation to make it clearer when you might want to use this method.

Old example:

```rust
let range = range.assert_len(slice.len());
```

New example:

```rust
let range = range.ensure_subset_of(..slice.len());
```

Fixes rust-lang#81157
Dylan-DPC-zz pushed a commit to Dylan-DPC-zz/rust that referenced this issue Feb 23, 2021
@Dylan-DPC
Rollup merge of rust-lang#81154 - dylni:improve-design-of-assert-len,…
ff9fc7d 
… r=KodrAus

Improve design of `assert_len`

It was discussed in the [tracking issue](rust-lang#76393 (comment)) that `assert_len`'s name and usage are confusing. This PR improves them based on a suggestion by `@scottmcm` in that issue.

I also improved the documentation to make it clearer when you might want to use this method.

Old example:

```rust
let range = range.assert_len(slice.len());
```

New example:

```rust
let range = range.ensure_subset_of(..slice.len());
```

Fixes rust-lang#81157
@bors bors closed this as completed in 72e6d51 Feb 23, 2021
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
A-collections Area: `std::collections` C-bug Category: This is a bug. I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness requires-nightly This issue requires a nightly compiler in some way. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Improve design of assert_len
6 participants
@RalfJung @KamilaBorowska @jonas-schievink @lcnr @dylni @rustbot