Cryptographically verifiable, distributed dependency reviews
Add the last reviewed version to Cargo.toml / [dependencies]:
map_in_place = "0.1.0"Please, use mobile in landscape.
Filter reviews clicking on the numbers in the summary.
Full column names in tooltip hints: rating Negative, rating Neutral, rating Positive, rating Strong, thoroughness, understanding, reviews count.
Has unsoundness in a major, safe interface.
The main utility for Vec can reuse an allocation of differing element size
thus violating the explicit requirements of Vec::from_raw_parts and in
particular the allocator contract, potentially leading to memory corruption
on drop of the resulting Vec.
The interface affected are (maybe not complete):
MapVecInPlace::mapMapVecInPlace::map_in_placeMapVecInPlace::filter_mapMapVecInPlace::filter_map_in_placeAn analysis of the code to show the issue:
In a macro, this code checks for various size and alignment constraints on
deciding whether to execute an in-place branch or a fallback (that may panic
in some variants).
unsafe {
if size!($a) == 0 || size!($b) == 0 {
$zero
} else if align!($a) != align!($b) {
$alignment
} else if $f(size!($a),size!($b)) {
$incompatible
} else {
$ok
}
}
Already a naming issue appears, as the
$incompatiblebranch is actuallytaken when
freturnstrueand some instantiation has|a,b| a==bas thisargument. Consequently, the
incompatibleparameter is filled with thein-place branch in the
fallbackbranch where the parameter is$ok:exprNote that the check for
mapis|a,b| a%b==0and it invokes$fallbackwith the
$ok:exprargument set tomap_vec(self, f)(note: thefhere isfrom the parameters of
map). Themap_vecfunction is anunsafefunctioneventually doing the equivalent of
let (ptr, len, cap) = /* The obvious */;
// Some transformation code on
raw.Vec::from_raw_parts(ptr, len, cap)
This violates very clearly the contract which states: