Panic safety issue in Zip::next_back() TrustedRandomAccess specialization #86443

Closed

Description

@Qwaz (Contributor)

```rust
if A::MAY_HAVE_SIDE_EFFECT && sz_a > self.len {
    for _ in 0..sz_a - self.len {
        self.a.next_back();
    }
    self.a_len = self.len;
}
```

```rust
} else if A::MAY_HAVE_SIDE_EFFECT && self.index < self.a_len {
    let i = self.index;
    self.index += 1;
    self.len += 1;
    // match the base implementation's potential side effects
    // SAFETY: we just checked that `i` < `self.a.len()`
    unsafe {
        self.a.__iterator_get_unchecked(i);
    }
    None
```

Yet another soundness bug in Zip's TRA specialization. Line 300 is not called when line 298 panics. This leaves self.a_len outdated, which results in calling __iterator_get_unchecked() with an invalid index in line 242.

Here is a playground link that demonstrates creating two mutable references to the same memory location without unsafe code.
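The ordering problem described in the issue, reduced to its bookkeeping, as an added example that is not part of the original issue or the standard library's code. `Source`, `ZipModel` and the method names are hypothetical, no unsafe code is involved, and the panic-safe ordering shown is one way to keep the cached length in sync, not necessarily the fix that was merged.

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

// Constructed inner iterator: consumes an element, then panics once at `panic_at`.
struct Source { remaining: usize, panic_at: Option<usize> }

impl Source {
    fn next_back(&mut self) {
        self.remaining -= 1;
        if self.panic_at == Some(self.remaining) {
            self.panic_at = None;
            panic!("constructed panic inside next_back()");
        }
    }
}

// Models only the bookkeeping: `a_len` caches the length of `a` and bounds an index.
struct ZipModel { a: Source, a_len: usize, len: usize }

impl ZipModel {
    // Ordering quoted in the issue: cache written after the loop, skipped on unwind.
    fn trim_then_update(&mut self) {
        for _ in 0..self.a.remaining - self.len {
            self.a.next_back();
        }
        self.a_len = self.len;
    }
    // Panic-safe ordering: shrink the cache before each call that may unwind.
    fn update_then_trim(&mut self) {
        for _ in 0..self.a.remaining - self.len {
            self.a_len -= 1;
            self.a.next_back();
        }
    }
    // Invariant an unchecked access needs: every index below `a_len` is live.
    fn cache_is_sound(&self) -> bool { self.a_len <= self.a.remaining }
}

fn invariant_holds_after_panic(panic_safe: bool) -> bool {
    let a = Source { remaining: 5, panic_at: Some(3) };
    let mut z = ZipModel { a, a_len: 5, len: 2 };
    let _ = catch_unwind(AssertUnwindSafe(|| {
        if panic_safe { z.update_then_trim() } else { z.trim_then_update() }
    }));
    z.cache_is_sound()
}

fn main() {
    for s in [false, true] { println!("panic_safe={}: sound={}", s, invariant_holds_after_panic(s)); }
}
```

With the write after the loop, the caught panic leaves `a_len` at 5 while only 3 elements remain; with the write before each call, `a_len` never exceeds what the source still holds.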

Activity

added labels I-unsound, T-libs on Jun 18, 2021
added label I-prioritize on Jun 18, 2021
apiraino (Contributor) commented on Jun 18, 2021

How close is this to #85873?

the8472 (Member) commented on Jun 18, 2021

The same functions are involved but the aspects that interact to cause unsafety are quite different.

@rustbot claim

Qwaz (Contributor, Author) commented on Jun 18, 2021

I agree, this is much closer to #81740.

added 2 commits that reference this issue on Jun 21, 2021

Rollup merge of rust-lang#86452 - the8472:fix-zip-drop-safety, r=m-ou-se

29a1040

Rollup merge of rust-lang#86452 - the8472:fix-zip-drop-safety, r=m-ou-se

504c378
removed label I-prioritize on Jun 21, 2021
added a commit that references this issue on May 16, 2025
added a commit that references this issue on May 16, 2025
Labels: A-iterators, C-bug, I-unsound, T-libs


Participants: @the8472, @jonas-schievink, @Qwaz, @apiraino, @JohnTitor
