| author | Stuart Cook <Zalathar@users.noreply.github.com> | 2025-09-25 20:31:51 +1000 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2025-09-25 20:31:51 +1000 |
| commit | 2acd80cfa928c1371d2c60149b3febe66c9e6637 (patch) | |
| tree | 9f52346c590501841aa53422d8b4e71e43e18b8c /library/std/src/sys/random/mod.rs | |
| parent | bbcbc7818ba27c951f9fd881fd3ec4cd5123b741 (diff) | |
| parent | 96f385b20aa252629570cadeca16a9e159e6810c (diff) | |
| download | rust-2acd80cfa928c1371d2c60149b3febe66c9e6637.tar.gz rust-2acd80cfa928c1371d2c60149b3febe66c9e6637.zip | |
Rollup merge of #145067 - btj:patch-3, r=tgross35
RawVecInner: add missing `unsafe` to unsafe fns

Some (module-private) functions in `library/alloc/src/raw_vec/mod.rs` are unsafe (i.e. may cause UB when called from safe code) but are not marked `unsafe`. Specifically:

- `RawVecInner::grow_exact` causes UB if called with `len` and `additional` arguments such that `len + additional` is less than the current capacity. Indeed, in that case it calls [Allocator::grow](https://doc.rust-lang.org/std/alloc/trait.Allocator.html#method.grow) with a `new_layout` that is smaller than `old_layout`, which violates a safety precondition.
- The RawVecInner methods for resizing the buffer cause UB if called with an `elem_layout` different from the one used to initially allocate the buffer, because in that case `Allocator::grow` or `Allocator::shrink` are called with an `old_layout` that does not *fit* the allocated block, which violates a safety precondition.
- `RawVecInner::current_memory` might cause UB if called with an `elem_layout` different from the one used to initially allocate the buffer, because the `unchecked_mul` might overflow.
- Furthermore, these methods cause UB if called with an `elem_layout` where the size is not a multiple of the alignment. This is because `Layout::repeat` is used (in `layout_array`) to compute the allocation's layout when allocating, which includes padding to ensure alignment of array elements, but simple multiplication is used (in `current_memory`) to compute the old allocation's layout when resizing or deallocating, which would cause the layout used to resize or deallocate to not *fit* the allocated block, which violates a safety precondition.

I discovered these issues while performing formal verification of `library/alloc/src/raw_vec/mod.rs` per [Challenge 19](https://model-checking.github.io/verify-rust-std/challenges/0019-rawvec.html) of the [AWS Rust Standard Library Verification Contest](https://aws.amazon.com/blogs/opensource/verify-the-safety-of-the-rust-standard-library/).
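The two layout-size mismatches the commit message describes, reproduced as an added stand-alone example (not code from the rust repository or from this PR): `Layout::repeat` is unstable, so the padded array size is computed here with the stable `Layout::pad_to_align`, which is an assumption about how `layout_array`'s padding behaves, while the "naive" size is the plain multiplication that `current_memory` performs. The `grow_exact` check is a hypothetical helper encoding the `len + additional >= cap` precondition as a checked function rather than a safety comment.

```rust
use std::alloc::Layout;

/// Bytes that an allocation of `n` elements occupies when the element
/// stride is padded to its alignment (what `Layout::repeat` produces).
fn padded_array_size(elem: Layout, n: usize) -> Option<usize> {
    elem.pad_to_align().size().checked_mul(n)
}

/// Bytes that a plain `size * n` yields (what `current_memory` assumes).
fn naive_array_size(elem: Layout, n: usize) -> Option<usize> {
    elem.size().checked_mul(n)
}

/// The padded and naive sizes agree only when the element size is a
/// multiple of its alignment; otherwise the layout handed to `grow`,
/// `shrink` or `deallocate` does not fit the block that was allocated.
fn elem_layout_fits_array(elem: Layout) -> bool {
    elem.size() % elem.align() == 0
}

/// Precondition for `grow_exact`: `len + additional` must not be smaller
/// than the current capacity, or `Allocator::grow` would be asked for a
/// `new_layout` smaller than `old_layout`. Returns the required capacity.
fn grow_exact_precondition(len: usize, additional: usize, cap: usize) -> Result<usize, &'static str> {
    let required = len.checked_add(additional).ok_or("capacity overflow")?;
    if required < cap {
        return Err("len + additional < cap: grow would shrink the block");
    }
    Ok(required)
}

fn main() {
    // Constructed element layout: 3 bytes, 4-byte aligned (size not a
    // multiple of align), the case the commit message calls out.
    let odd = Layout::from_size_align(3, 4).unwrap();
    println!(
        "padded: {:?} bytes, naive: {:?} bytes, fits: {}",
        padded_array_size(odd, 4),
        naive_array_size(odd, 4),
        elem_layout_fits_array(odd)
    );
    println!("grow_exact(2, 1, cap=8): {:?}", grow_exact_precondition(2, 1, 8));
}
```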
Diffstat (limited to 'library/std/src/sys/random/mod.rs')
0 files changed, 0 insertions, 0 deletions
