Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Grid::insert_{row, col}() can create invalid states after panicking #19

Closed
LegionMammal978 opened this issue Aug 18, 2022 · 3 comments
Closed

Grid::insert_{row, col}() can create invalid states after panicking #19

LegionMammal978 opened this issue Aug 18, 2022 · 3 comments
Labels
bug Something isn't working

Comments

@LegionMammal978
Copy link

LegionMammal978 commented Aug 18, 2022
edited
Loading

The Grid type has the effective safety invariants that rows.checked_mul(cols) == Some(data.len()) and that rows == 0 if and only if cols == 0. In some panicking paths, Grid::insert_row() can violate these invariants:

  • grid.insert_row(i, row) in release mode, where row.len() == grid.cols and grid.rows == usize::MAX. This sets grid.rows to 0, making the other methods' results inconsistent with one another. This is only possible when size_of::<T>() == 0, and I'm not sure if it can cause any UB by itself.
  • grid.insert_row(i, row), where i <= grid.rows, row.len() == grid.cols, grid.rows < usize::MAX, and grid.rows * grid.cols > usize::MAX - grid.cols: This increments grid.rows without pushing the new row, allowing invalid get_unchecked() calls. Since this is only possible when size_of::<T>() == 0, it causes library UB but not language UB with the current standard library.
  • grid.insert_row(i, row), where i <= grid.rows, row.len() == grid.cols, size_of::<T>() > 0, and (grid.rows + 1) * grid.cols * size_of::<T>() > isize::MAX as usize. This increments grid.rows without pushing the new row, which can cause UB on 32-bit targets: 
    /*
[dependencies]
grid = "=0.8.1"

cargo run --target i686-unknown-linux-gnu
*/

use grid::Grid;
use std::panic::{self, AssertUnwindSafe};

fn main() {
    let catch = |f| panic::catch_unwind(AssertUnwindSafe(f)).unwrap_err();
    // 1076 * 1994889 == isize::MAX as usize - 983083
    // 1077 * 1994889 == isize::MAX as usize + 1011806
    let mut grid = Grid::init(1076, 1994889, 0u8);
    catch(|| grid.insert_row(1076, vec![0; 1994889]));
    println!("{}", grid.get(1076, 1994888).unwrap()); // segfault
}
@becheran
Copy link
Owner

Interesting. Thanks! I guess the solution to this is to panic earlier so the UB is not possible.

@becheran becheran added the bug Something isn't working label Aug 19, 2022
@LegionMammal978
Copy link
Author

LegionMammal978 commented Aug 19, 2022
edited
Loading

Also, it appears that insert_row() cannot be used to add a row to an empty grid, which might be useful to support. And a similar issue occurs with insert_col(): the insert() loop can panic partway through, leaving data.len() as a non-multiple of rows. It would probably be best to reserve() the needed capacity before modifying anything.

@LegionMammal978 LegionMammal978 changed the title Grid::insert_row() can create invalid states after panicking Grid::insert_{row, col}() can create invalid states after panicking Aug 19, 2022
becheran added a commit that referenced this issue Oct 7, 2022
@becheran
Fix insert row early panic and insert to empty grid #19
64b4b8a
@becheran
Copy link
Owner

becheran commented Oct 7, 2022

Fixed with by updating index after altering vector and also added possibility to insert into empty grids

@becheran becheran closed this as completed Oct 7, 2022
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@LegionMammal978 @becheran