IsZero for raw pointers is unsound (#135338)
Comments
I removed the strict-provenance label because this can be reproduced without using the strict provenance APIs:

```rust
fn main() {
    let ptr = std::ptr::from_ref(&42u8);
    // Subtract the address but keep the provenance: a zero-address pointer
    // that is still allowed to access the `u8`.
    let zero = ptr.wrapping_sub(ptr as usize);
    // `vec![val; n]` is specialised via `IsZero`, so the element may come back
    // from `allocate_zeroed` without the original provenance.
    let roundtripped = vec![zero; 1].pop().unwrap();
    let new = roundtripped.wrapping_add(ptr as usize);
    unsafe { new.read() };
}
```
Pondering: We have I guess those are fine because the
One difference is that 0 may actually be a meaningful address for a raw pointer, as is the case with interrupt vectors on some platforms.
Rust does not support that: a null pointer is never valid and the null pointer has address zero. If there’s something at address zero on the platform you target, you have to access it with inline assembly. See previous discussion at rust-lang/unsafe-code-guidelines#29.
alloc: remove unsound `IsZero` for raw pointers (Fixes rust-lang#135338)

The `IsZero` trait is used to specialize `vec![val; n]` to use `allocate_zeroed` when the `val` being duplicated is zero. But in the case of raw pointers, this is not correct as the bytes returned by `allocate_zeroed` do not have the same provenance as `val`. Thus, the following code triggers undefined behaviour (playground) when it shouldn't.
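As an added illustration, not code from the issue or from the fixing PR, here is a stand-in for the `vec![val; n]` specialisation using a hypothetical `ZeroFill` trait: integer zeros may be built from a zeroed buffer, while raw pointers are always cloned so the provenance of `val` survives the round trip from the comment above. The names `ZeroFill`, `fill` and `roundtrip_through_vec` are this example's own.

```rust
trait ZeroFill: Copy {
    fn fill(self, n: usize) -> Vec<Self>;
}

macro_rules! zero_fill_int {
    ($($t:ty),*) => {$(
        impl ZeroFill for $t {
            fn fill(self, n: usize) -> Vec<Self> {
                if self != 0 {
                    return vec![self; n];
                }
                // Stand-in for `allocate_zeroed`: for an integer, all-zero
                // bytes carry exactly the information the value had.
                let mut v: Vec<$t> = Vec::with_capacity(n);
                // SAFETY: capacity is n, every element is written, and the
                // all-zero bit pattern is a valid value of an integer type.
                unsafe {
                    std::ptr::write_bytes(v.as_mut_ptr(), 0, n);
                    v.set_len(n);
                }
                v
            }
        }
    )*};
}
zero_fill_int!(u8, u32, usize);

// Raw pointers never take the zeroed path: a zero-address pointer can still
// carry provenance (the repro above builds one with `wrapping_sub`), while
// the bytes of a fresh zeroed allocation carry none.
impl<T> ZeroFill for *const T {
    fn fill(self, n: usize) -> Vec<Self> {
        std::iter::repeat(self).take(n).collect()
    }
}

/// The issue's round trip: strip the address, pass the pointer through a
/// Vec, restore the address, read. Sound only if the Vec kept provenance.
fn roundtrip_through_vec(x: &u8) -> u8 {
    let p: *const u8 = x;
    let zero = p.wrapping_sub(p as usize);
    let restored = zero.fill(1).pop().unwrap().wrapping_add(p as usize);
    // SAFETY: `restored` has the address and provenance of `p`, which
    // points to a live `u8`.
    unsafe { restored.read() }
}

fn main() {
    println!("{}", roundtrip_through_vec(&42));
}
```

A normal build cannot tell the two paths apart; the loss of provenance on the zeroed path is only observable with a tool such as Miri.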