Panic safety issue in Zip::next_back() TrustedRandomAccess specialization #86443

Closed
@Qwaz


if A::MAY_HAVE_SIDE_EFFECT && sz_a > self.len {
    for _ in 0..sz_a - self.len {
        self.a.next_back();
    }
    self.a_len = self.len;
}

} else if A::MAY_HAVE_SIDE_EFFECT && self.index < self.a_len {
    let i = self.index;
    self.index += 1;
    self.len += 1;
    // match the base implementation's potential side effects
    // SAFETY: we just checked that `i` < `self.a.len()`
    unsafe {
        self.a.__iterator_get_unchecked(i);
    }
    None

Yet another soundness bug in Zip's TRA specialization. Line 300 is not called when line 298 panics. This leaves self.a_len outdated, which results in calling __iterator_get_unchecked() with an invalid index in line 242.

Here is a playground link that demonstrates creating two mutable references to the same memory location without unsafe code.
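
An added example, not code from the issue or from the Rust standard library: a safe-Rust model of the failure mode described above, where a cached length (`a_len`) is written only after a loop that calls code which can panic, next to one way to keep the bookkeeping in sync. `Source`, `Adapter`, `trim_unguarded`, `trim_guarded`, `cache_is_stale` and `run` are hypothetical names, and the sample data is constructed.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Constructed stand-in for the `a` side of a Zip: `next_back` runs caller
/// code that may panic, as a user-defined iterator could.
struct Source { items: Vec<u32>, panic_on: u32 }

impl Source {
    fn next_back(&mut self) -> Option<u32> {
        let v = self.items.pop()?;
        if v == self.panic_on { panic!("side effect panicked"); }
        Some(v)
    }
}

/// Adapter that caches the source length, as Zip caches `a_len`.
struct Adapter { a: Source, a_len: usize, len: usize }

impl Adapter {
    /// Pattern from the issue: the cache is written only after the loop ends,
    /// so an unwind out of `next_back` skips the update.
    fn trim_unguarded(&mut self) {
        for _ in 0..self.a_len - self.len { self.a.next_back(); }
        self.a_len = self.len;
    }
    /// Hardened form: bookkeeping is updated before each call into foreign
    /// code, so an unwind never leaves `a_len` above the real length.
    fn trim_guarded(&mut self) {
        while self.a_len > self.len {
            self.a_len -= 1;
            self.a.next_back();
        }
    }
    /// True when the cached length would admit an out-of-bounds index.
    fn cache_is_stale(&self) -> bool { self.a_len > self.a.items.len() }
}

/// Trims a 5-element source down to 2, panicking on the second removal.
fn run(guarded: bool) -> bool {
    let src = Source { items: vec![1, 2, 3, 4, 5], panic_on: 4 };
    let mut ad = Adapter { a: src, a_len: 5, len: 2 };
    let r = catch_unwind(AssertUnwindSafe(|| {
        if guarded { ad.trim_guarded() } else { ad.trim_unguarded() }
    }));
    assert!(r.is_err()); // the panic was caught; the adapter stays reachable
    ad.cache_is_stale()
}

fn main() {
    println!("unguarded stale: {}", run(false));
    println!("guarded stale:   {}", run(true));
}
```

In the model the stale cache is only reported; in the specialization quoted above the same stale `a_len` is what guards the `unsafe` call to `__iterator_get_unchecked()`.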


Labels

A-iterators: Area: Iterators
C-bug: Category: This is a bug.
I-unsound: Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
T-libs: Relevant to the library team, which will review and decide on the PR/issue.
