"9. Implementing Vec": Dangling pointer overflow?

I have an impression that in section [9.11. Final Code](https://doc.rust-lang.org/nomicon/vec/vec-final.html) any fragment containing
`usize) +` or 
`usize +` can overflow `usize` (equal to a dangling pointer), which will [result in a panic in debug mode](https://rust-book.cs.brown.edu/ch03-02-data-types.html?highlight=overflow#integer-overflow).

See also fragment of interest:
```rs
RawVec {
    ptr: NonNull::dangling(),
```
---
Details.
The vector's buffer pointer is initialized to a dangling pointer value (so potentially the [dangling](https://doc.rust-lang.org/std/ptr/struct.NonNull.html#method.dangling) buffer pointer can be close to overflowing). 

For the zero-sized types the buffer is never allocated (the `grow()` is never called). So the buffer pointer stays dangling.

During the iterator creation the iterator's pointer 
`RawValIter::end` is initialized to the value `((slice.as_ptr() as usize) + slice.len())`, where the fragment `as usize) +` can overflow the `usize` (equal to a dangling pointer);
also the iterator's pointer `RawValIter::start` is initialized to the dangling pointer value (possibly close to overflowing), and during subsequent `next()` the fragment `self.start as usize + 1` can overflow the `usize`.

---
Would be nice to see in the text of the book (e.g. in [9.11. Final Code](https://doc.rust-lang.org/nomicon/vec/vec-final.html)) 
* either the confirmation that the overflow can happen (and the reader should handle accordingly), 
* or the explanation why the overflow cannot happen.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"9. Implementing Vec": Dangling pointer overflow? #433

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development