UB and usage of deprecated function

[Dylan-DPC-zz]

Found this crate via a a crater run (crater is a tool that runs a specific branch of rustc against locked dependencies of specific crates to figure out regressions in the compiler or in potential usages in applications).

This crate uses the std::mem:uninitliazed method which is not only deprecated but also could be unsound as per a similar advisory for another crate.

If you wish to continue maintaining it, it will be adisable to fix this issue and publish a new release. Else you could possibly hand it over to a new set of maintainers (can help you with that) or publish a note that it is abandoned/deprecated/won't be maintained in the future since it has around 10 open source crates that depend on it.

If you need any help in going about this, you can let us know

Thanks :)

[RalfJung]

Specifically, the bug is here:

decimal/src/dec128.rs

Line 492 in 972c854

let mut res: Context = uninitialized();

The Context struct contains a field of type Rounding which is an enum; leaving an enum uninitialized is Undefined Behavior. rust-lang/rust#71274 will detect this and turn it into a panic.

[alkis]

I think #47 fixes this. I asked @jonathanstrong to make it apply without conflicts and I will merge it.

[probablykasper]

2.0.4 now panics in Rust 1.48.0. The uninit-fix branch seems to work, though. Any plans on merging it and releasing a new version, @alkis / @jonathanstrong?

[CastilloDel]

The master version still panics when running the tests. The uninit-fix branch seems to pass all of them as @probablykasper said. Are there any plans to address this? @alkis

[jonathanstrong]

earlier this week I spoke to @alkis about this and plan to be taking a bigger role on the project. I have some time slotted to work on this next week and merging uninit-fix is first on the list. thanks for your patience.

[CastilloDel]

Those are great news! and thanks for the quick reply

[probablykasper]

@jonathanstrong Is anything missing from uninit-fix? I went and just published that branch as it's own crate so I could use it in cpc, and that seems to be working perfectly.

[jonathanstrong]

@probablykasper I don't think so - I've also been using in production for months. just wanted to give it a good once-over before merging it here.

[jonathanstrong]

@probablykasper @CastilloDel quick update on this: I merged uninit-fix and released a new version on github earlier this week. however, at that time I realized I do not have permissions to publish a new crate version on crates.io. I emailed @alkis about this and am awaiting his reply.

[jonathanstrong]

@probablykasper @CastilloDel just published version 2.1.0 of the crate, which fixes the uninitialized issue.