Soundness issue in `Zip::next()` specialization

https://github.com/rust-lang/rust/blob/e708cbd91c9cae4426d69270248362b423324556/library/core/src/iter/adapters/zip.rs#L191-L211

https://github.com/rust-lang/rust/blob/e708cbd91c9cae4426d69270248362b423324556/library/core/src/iter/adapters/zip.rs#L395-L396

There is a panic safety issue in `Zip::next()` that allows to call `__iterator_get_unchecked()` to the same index twice. `__iterator_get_unchecked()` is called at line 204 and the `index` is updated at line 206. If line 204 panics, the index is not updated and the subsequent `next()` call will use the same index for `__iterator_get_unchecked()`. This violates the second safety requirement of `TrustedRandomAccess`.

Here is a [playground link](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=4634eb8e3ba2ea945e7eebe76f387ae0) that demonstrates creating two mutable references to the same memory location without using unsafe Rust.

	#[inline]
	fn next(&mut self) -> Option<(A::Item, B::Item)> {
	if self.index < self.len {
	let i = self.index;
	self.index += 1;
	// SAFETY: `i` is smaller than `self.len`, thus smaller than `self.a.len()` and `self.b.len()`
	unsafe {
	Some((self.a.__iterator_get_unchecked(i), self.b.__iterator_get_unchecked(i)))
	}
	} else if A::may_have_side_effect() && self.index < self.a.size() {
	// match the base implementation's potential side effects
	// SAFETY: we just checked that `self.index` < `self.a.len()`
	unsafe {
	self.a.__iterator_get_unchecked(self.index);
	}
	self.index += 1;
	None
	} else {
	None
	}
	}

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Soundness issue in `Zip::next()` specialization #81740

Qwaz
openedon Feb 4, 2021

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

	/// 2. If `self: !Clone`, then `get_unchecked` is never called with the same
	/// index on `self` more than once.

Soundness issue in Zip::next() specialization #81740

Description

Qwazopenedon Feb 4, 2021

Metadata