r? @withoutboats

(rust-highfive has picked a reviewer for you, use r? to override)

☔ The latest upstream changes (presumably #81159) made this pull request unmergeable. Please resolve the merge conflicts.

@dylni Would you like to include the example from #81138 as a test case to make sure we are still maintaining the UTF8 invariant?

I've just left a few comments. It would be good to include the EvilRange as a test case, but r=me at any time.

Would you like to include the example from #81138 as a test case to make sure we are still maintaining the UTF8 invariant?

Yes, good idea.

@dylni This looks good to me! Would you like to squash these down then we should be good to go.

Thanks @KodrAus! Is this what you had in mind? Squashing is a little awkward with merge commits.

@bors r+ p=1

📌 Commit b96063c has been approved by KodrAus

That's it, thanks! A rebase and squash is what I'd meant. We try to avoid merge commits in PRs and leave that to bors to handle.

Thanks for fixing this up 🙇

⌛ Testing commit b96063c with merge 7d7b22d...

☀️ Test successful - checks-actions
Approved by: KodrAus
Pushing 7d7b22d to master...

Oh, thanks, that makes sense.

I also fixed the same issue for BTreeMap::range and BTreeSet::range.

Useful and inspirational, but I feel the need to point out that you didn't entirely plug that hole, and probably nobody can. Unlike String::replace_range whose range is tied to usize, the caller of BTreeMap::range gets to choose a type and its Ord implementation. I got a little lost trying to brew a really evil example with a panic, but I still believe it can be done. Here on playground is proof that there are 12 integers from 5 to 7, with the help of an evil borrow.

@ssomers I think that's ok. If an impl used by BTreeMap misbehaves, BTreeMap is allowed to misbehave too. The only thing it can't do is something unsound. Although the playground example doesn't give the right result for the number values, it gives the right result based on the Borrow impl.

@dylni I agree, but that means there was no unsoundness in BTreeMap's use of start_bound/end_bound, is what I realized this week. How many times these functions are called or what they return doesn't matter for unsoundness. It's what the various invocations of the lookup type's Ord say that might make BTreeMap trip up.

This PR of course still includes a welcome fix to avoid BTreeMap from appearing to misbehave when the range misbehaves. If there was a possibility of unsoundness in BTreeMap, that possibility is still there. And I can't find it.

@ssomers You're right. I was looking at the unsafe code here, but it's inside a safe function, so it makes sense that this can't be exploited.

Not sure how you arrived in left_edge. But yes, disappointingly, I don't think there's anything to exploit. Essentially, BTreeMap is already prepared to withstand a malicious implementation of Ord for the key type, so the fact that range smuggles in another Ord for its search can't make things worse. When BTreeMap validates the range and panics, it doesn't do that to protect itself from unsoundness, but just to advise the caller that they messed up the range (with a message assuming they have an honest Ord implementation). Not sure if the original authors of the code realized that, but it's written in the contract that it should panic on an invalid range, so I'd better leave that to be.

@ssomers left_edge is called here.

When BTreeMap validates the range and panics, it doesn't do that to protect itself from unsoundness, but just to advise the caller that they messed up the range (with a message assuming they have an honest Ord implementation).

I agree, but this was surprising. I think I'll change the comments a little there to make it clearer for people reading it in the future.