array types (fixed-size arrays on 32-bit, HashMap, Vec) can be large enough that indexing is unsound #18726
Comments
thestinger
added
A-libs
I-crash
|
I think the solution to this problem is defining the maximum size of an object or array type to be the maximum positive value representable by |
|
The non-jemalloc memory allocation support would need to branch in |
thestinger
changed the title
|
The problem is not exactly about size of allocations, for example a large bit container like |
|
@petrochenkov: This issue is about undefined behaviour from pointer arithmetic overflows, including in low-level language primitives like |
|
Rust, like C and C++, uses the That's what the pull request I opened about this does, and now the remaining problems with pointer arithmetic overflows in library collections need to be fixed. It can either be done by adding code deep inside the allocator where it will have zero overhead or by adding pervasive overflow checks that will be hard to get right and will hurt performance. I don't think bounding individual memory allocations from liballoc to half of the address space is a major sacrifice to make for simplicity and performance. |
|
@petrochenkov: I see, that means I misinterpreted the "unsound" in the title, i.e. overflow in |
Strictly speaking, certain uses of the resulting poison value have undefined behavior, not the pointer arithmetic itself. |
|
P-high, should not block 1.0. |
Per the top level comment: A low-level utility for more ergonomically allocating, reallocating, and deallocating a a buffer of memory on the heap without having to worry about all the corner cases involved. This type is excellent for building your own data structures like Vec and VecDeque. In particular: * Produces heap::EMPTY on zero-sized types * Produces heap::EMPTY on zero-length allocations * Catches all overflows in capacity computations (promotes them to "capacity overflow" panics) * Guards against 32-bit systems allocating more than isize::MAX bytes * Guards against overflowing your length * Aborts on OOM * Avoids freeing heap::EMPTY * Contains a ptr::Unique and thus endows the user with all related benefits This type does not in anyway inspect the memory that it manages. When dropped it *will* free its memory, but it *won't* try to Drop its contents. It is up to the user of RawVec to handle the actual things *stored* inside of a RawVec. Note that a RawVec always forces its capacity to be usize::MAX for zero-sized types. This enables you to use capacity growing logic catch the overflows in your length that might occur with zero-sized types. However this means that you need to be careful when roundtripping this type with a `Box<[T]>`: `cap()` won't yield the len. However `with_capacity`, `shrink_to_fit`, and `from_box` will actually set RawVec's private capacity field. This allows zero-sized types to not be special-cased by consumers of this type. Edit: fixes #18726 and fixes #23842
|
EAT IT SOUNDNESS HOLES On Fri, Jul 17, 2015 at 8:42 PM, bors notifications@github.com wrote:
|
This fixes the gap in the language definition causing rust-lang#18726 by defining a clear bound on the maximum size for libraries to enforce. Closes rust-lang#18069
fix: Reduce applicability of unnecessary_async assist
In a 32-bit process running on a 64-bit operating system, it's possible to allocate a
Vec<u8>of length1u32 << 31or greater. The maximum value whereuint as intproduces a positive number is(1u32 << 31) - 1), sointis not large enough foroffsetoperations to the end of these vectors. Everything from the language's built-in slice indexing operations to thepushmethod onVec<T>will perform an invalid negative (backwards) offset as thegetelementptrinstruction uses a signed offset.The text was updated successfully, but these errors were encountered: