Skip to content

Using grow to shrink can cause corruption. #149

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
ehuss opened this issue Jun 6, 2019 · 1 comment · Fixed by #152
Closed

Using grow to shrink can cause corruption. #149

ehuss opened this issue Jun 6, 2019 · 1 comment · Fixed by #152
Labels
bug

Comments

@ehuss
Copy link
Contributor

ehuss commented Jun 6, 2019

If grow is given a size that is within the inline size after a SmallVec has been spilled, the resulting value is corrupted.

let mut v: SmallVec<[u8; 4]> = SmallVec::new();
v.push(1);
v.push(2);
v.push(3);
v.push(4);
// Cause it to spill.
v.push(5);
assert!(v.spilled());
v.clear();
// Shrink to inline.
v.grow(2);
// This should crash with 'entered unreachable code'.
println!("after grow {:?} len={} cap={}", v, v.len(), v.capacity());

This is admittedly unusual, most code would use shrink_to_fit.

I think the following should fix it.

diff --git a/lib.rs b/lib.rs
index 5af32ba..3767e3b 100644
--- a/lib.rs
+++ b/lib.rs
@@ -654,6 +654,7 @@ impl<A: Array> SmallVec<A> {
                 }
                 self.data = SmallVecData::from_inline(mem::uninitialized());
                 ptr::copy_nonoverlapping(ptr, self.data.inline_mut().ptr_mut(), len);
+                self.capacity = len;
             } else if new_cap != cap {
                 let mut vec = Vec::with_capacity(new_cap);
                 let new_alloc = vec.as_mut_ptr();
@jdm jdm added the bug label Jun 6, 2019
@jdm
Copy link
Member

jdm commented Jun 6, 2019

Would you like to make a pull request and add a unit test?

@ehuss ehuss mentioned this issue Jun 6, 2019
Merged
bors-servo pushed a commit that referenced this issue Jun 7, 2019
Auto merge of #152 - ehuss:grow-to-shrink, r=emilio
f96322b 
Fix using `grow` to shrink to inline.

Using `grow` on a spilled SmallVec to shrink to an unspilled SmallVec would result in a corrupted structure, as `capacity` was not updated.

Fixes #149

<!-- Reviewable:start -->
---
This change is [<img src="https://reviewable.io/review_button.svg" height="34" align="absmiddle" alt="Reviewable"/>](https://reviewable.io/reviews/servo/rust-smallvec/152)
<!-- Reviewable:end -->
@Shnatsel Shnatsel mentioned this issue Jun 23, 2019
Closed
Shnatsel referenced this issue Jun 29, 2019
@mbrubeck
Use a single ptr::drop_in_place call instead of a loop
b24b3d2 
This is what the standard Vec does; see rust-lang/rust#32012.
This was referenced Jun 29, 2019
Closed
Merged
@Shnatsel Shnatsel mentioned this issue Jul 19, 2019
Merged
@beta-vulnerability-notify beta-vulnerability-notify bot mentioned this issue Sep 19, 2019
Open
@Qwaz Qwaz mentioned this issue Oct 15, 2020
Closed
@tdunlap607 tdunlap607 mentioned this issue Apr 11, 2023
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

Fix using grow to shrink to inline. ehuss/rust-smallvec
2 participants
@jdm @ehuss