Skip to content
New issue

Have a question about this project? # for a free GitHub account to open an issue and contact its maintainers and the community.

#

By clicking “#”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? # to your account

Jump to bottom

Using grow to shrink can cause corruption. #149

Closed
ehuss opened this issue Jun 6, 2019 · 1 comment · Fixed by #152
Closed

Using grow to shrink can cause corruption. #149

ehuss opened this issue Jun 6, 2019 · 1 comment · Fixed by #152
Labels
bug

Comments

@ehuss
Copy link
Contributor

ehuss commented Jun 6, 2019

If grow is given a size that is within the inline size after a SmallVec has been spilled, the resulting value is corrupted.

let mut v: SmallVec<[u8; 4]> = SmallVec::new();
v.push(1);
v.push(2);
v.push(3);
v.push(4);
// Cause it to spill.
v.push(5);
assert!(v.spilled());
v.clear();
// Shrink to inline.
v.grow(2);
// This should crash with 'entered unreachable code'.
println!("after grow {:?} len={} cap={}", v, v.len(), v.capacity());

This is admittedly unusual, most code would use shrink_to_fit.

I think the following should fix it.

diff --git a/lib.rs b/lib.rs
index 5af32ba..3767e3b 100644
--- a/lib.rs
+++ b/lib.rs
@@ -654,6 +654,7 @@ impl<A: Array> SmallVec<A> {
                 }
                 self.data = SmallVecData::from_inline(mem::uninitialized());
                 ptr::copy_nonoverlapping(ptr, self.data.inline_mut().ptr_mut(), len);
+                self.capacity = len;
             } else if new_cap != cap {
                 let mut vec = Vec::with_capacity(new_cap);
                 let new_alloc = vec.as_mut_ptr();
@jdm jdm added the bug label Jun 6, 2019
@jdm
Copy link
Member

jdm commented Jun 6, 2019

Would you like to make a pull request and add a unit test?

@ehuss ehuss mentioned this issue Jun 6, 2019
Merged
bors-servo pushed a commit that referenced this issue Jun 7, 2019
Auto merge of #152 - ehuss:grow-to-shrink, r=emilio
f96322b 
Fix using `grow` to shrink to inline.

Using `grow` on a spilled SmallVec to shrink to an unspilled SmallVec would result in a corrupted structure, as `capacity` was not updated.

Fixes #149

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/rust-smallvec/152)
<!-- Reviewable:end -->
@Shnatsel Shnatsel mentioned this issue Jun 23, 2019
Closed
Shnatsel referenced this issue Jun 29, 2019
@mbrubeck
Use a single ptr::drop_in_place call instead of a loop
b24b3d2 
This is what the standard Vec does; see rust-lang/rust#32012.
This was referenced Jun 29, 2019
Closed
Merged
@Shnatsel Shnatsel mentioned this issue Jul 19, 2019
Merged
@beta-vulnerability-notify beta-vulnerability-notify bot mentioned this issue Sep 19, 2019
Open
@Qwaz Qwaz mentioned this issue Oct 15, 2020
Closed
@tdunlap607 tdunlap607 mentioned this issue Apr 11, 2023
Merged
# for free to join this conversation on GitHub. Already have an account? # to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix using grow to shrink to inline. ehuss/rust-smallvec
2 participants
@jdm @ehuss