Built-in indexing doesn't ensure bounds checks stay valid #65909

Closed
@matthewjasper

Description

For example, the bounds check for x[1] in the following code is invalidated by the assignment in the next indexer.

```rust
fn modify_after_assert_slice_array(x: &[&[i32; 3]]) -> i32 {
    let mut x = x;
    let z = [1, 2, 3];
    let y = &[&z];
    // 1. checks `x[1]` is not out of bounds - OK, `x.len() == 2`.
    // 2. evaluating the inner index modifies `x` so that `x == y`. Now `x.len() == 1`.
    // 3. tries to read `x[1][2]`, which is now out of bounds, using the stale check from step 1.
    x[1][{ x = y; 2 }]
}

fn main() {
    println!("{}", modify_after_assert_slice_array(&[&[4, 5, 6], &[9, 10, 11]]));
}
```
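A sound lowering has to evaluate the index operand, side effects included, before the bounds check is taken against `x.len()`. The following is an added example, not code from the issue or from rustc, that spells out that order in safe Rust with `get`; the function name `index_after_mutation` and the parameters `y` and `row_idx` are my own.

```rust
/// Evaluate the inner index expression (which reassigns `x`) first, then bounds-check
/// the outer index against the slice `x` points to *after* that side effect.
/// Returns `None` instead of reading past the end when the reassignment shrinks `x`.
fn index_after_mutation(x: &[&[i32; 3]], y: &[&[i32; 3]], row_idx: usize) -> Option<i32> {
    let mut x = x;
    // Step 1: the index operand runs its side effect: `x` now aliases `y`.
    let col = { x = y; 2 };
    // Step 2: the outer bounds check uses the *current* length of `x`, not the
    // length observed before the assignment (that stale check is the bug in the issue).
    let row = x.get(row_idx)?;
    // Step 3: checked access into the chosen row.
    row.get(col).copied()
}

fn main() {
    // Constructed inputs mirroring the issue's reproducer.
    let z = [1, 2, 3];
    let y: &[&[i32; 3]] = &[&z];
    let orig: &[&[i32; 3]] = &[&[4, 5, 6], &[9, 10, 11]];
    // `x[1]` was valid before the assignment, but `y` has only one row: None.
    println!("{:?}", index_after_mutation(orig, y, 1));
    // Row 0 exists in both; column 2 of `y[0]` is 3.
    println!("{:?}", index_after_mutation(orig, y, 0));
}
```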

Metadata

Labels

- A-MIR: Area: Mid-level IR (MIR) - https://blog.rust-lang.org/2016/04/19/MIR.html
- C-bug: Category: This is a bug.
- I-unsound: Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
- T-compiler: Relevant to the compiler team, which will review and decide on the PR/issue.
