-
Notifications
You must be signed in to change notification settings - Fork 10
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Audit qbsdiff #55
Comments
I've already requested a lint for this, but perhaps my request was too broad. You can follow up on it here: rust-lang/rust-clippy#4483 |
I see the maintainer has already replied and is supportive of your PR. They have left some comments that I fully support; specifically, it might be possible to get the zero-initialization for free. Other than that, looks very good to me and hopefully will be merged as soon as the comments are addressed. Thanks for doing this! |
Just a nitpick: such code is not UB per se, since the following code is sound: let mut v = Vec::with_capacity(s);
unsafe {
v.set_length(s);
} // <- Safety invariant broken but never witnessed
unsafe {
v.set_length(0);
} UB happens as soon as you interact with like 90% of |
@danielhenrymantilla You are entirely correct; I guess that's what I get for writing issues in the middle of the night :) |
Thanks! I think I read it and missed that it covered my case already :) |
Fixes merged upstream, no |
qbsdiff
is a binary diff/patch library and tool that are compatible withbsdiff
4.0.Its use of
unsafe
is for creating (or extending)Vec<u8>
s with uninitialized content; this turns out to likely be undefined behaviour.Sent fixes as hucsmn/qbsdiff#3 :
In one case (
qbsdiff
), the unsafe vector was only used locally, and could be easily replaced with safe code without extra overhead (no extra allocations or writes); there were 2 extra benefits:In the second case (
qbspatch
), the unsafe vectors were shared across many functions (through aContext
struct), and it was easier to replace theunsafe
code with safe versions that initialize the allocated space to 0, though I will try to remove that overhead.I believe this is a generalisable pattern: it isn't the first time I run into uses of
unsafe
to create known-length byte arrays whose contents are uninitialized. They can usually be replaced with:Vec::with_capacity
;Vec::extend
rather than using mutable slices;Vec::clear
to ensure data doesn't leak when reusing that buffer.Would it be good idea to request a
clippy
lint for such code, given that many (wrongly) believe it to be UB-free:The text was updated successfully, but these errors were encountered: