Skip to content

Address new nightly unsafe precondition check panics#2841

Merged
riverar merged 2 commits intomasterfrom
rafael/slice-nightly
Feb 12, 2024
Merged

Address new nightly unsafe precondition check panics#2841
riverar merged 2 commits intomasterfrom
rafael/slice-nightly

Conversation

@riverar
Copy link
Collaborator

@riverar riverar commented Feb 11, 2024
edited
Loading

Passing size=0, ptr=0 into std::slice::from_raw_parts is undefined behavior and is no longer safe to rely upon. Also addresses an unaligned pointer used by Event.

See also:
rust-lang/rust#120902
rust-lang/rust#120594

@ChrisDenton
Copy link
Collaborator

ChrisDenton commented Feb 11, 2024
edited
Loading

Thank you for looking into this. It seems there's still one more failure:

thread 'add_remove' panicked at library\core\src\panicking.rs:155:5:
unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread caused non-unwinding panic. aborting.
error: test failed, to rerun pass `-p test_event --test tests`

Which indirectly points to

windows-rs/crates/libs/core/src/event.rs

Lines 161 to 167 in 40f671b

fn as_slice(&self) -> &[Delegate<T>] {
if self.is_empty() {
&[]
} else {
unsafe { std::slice::from_raw_parts((*self.buffer).as_ptr(), self.len) }
}
}

But that looks totally fine on its own. The empty case is checked and I very strongly doubt the size exceeds isize::MAX. Which just leaves alignment of the buffer.

So looking at Buffer::new:

windows-rs/crates/libs/core/src/event.rs

Lines 205 to 216 in 40f671b

fn new(len: usize) -> Result<*mut Self> {
if len == 0 {
Ok(std::ptr::null_mut())
} else {
let alloc_size = std::mem::size_of::<Self>() + len * std::mem::size_of::<Delegate<T>>();
let header = crate::imp::heap_alloc(alloc_size)? as *mut Self;
unsafe {
header.write(Self(crate::imp::RefCount::new(1), std::marker::PhantomData));
}
Ok(header)
}
}

It uses HeapAlloc, which aligns to 16 (or 8 on 32-bit) but then it writes a header which, is essentially an AtomicI32. Meaning the data itself is only 4 byte aligned.

Quick fix here would be to add an #[repr(align(8))] to Buffer to add padding to the header. Something a bit more involved would be to fully account for the type's alignment when determining the offset of the buffer's data.

@kennykerr
Copy link
Collaborator

kennykerr commented Feb 12, 2024

Thanks all. #[repr(align(8))] should do the trick for Event.

@riverar riverar changed the title Quick return if FormatMessage fails Address new nightly unsafe precondition check panics Feb 12, 2024
kennykerr
kennykerr approved these changes Feb 12, 2024
View reviewed changes
Copy link
Collaborator

@kennykerr kennykerr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Thanks!

@riverar riverar merged commit 71dcb5f into master Feb 12, 2024
@riverar riverar deleted the rafael/slice-nightly branch February 12, 2024 17:03
@kennykerr
Copy link
Collaborator

kennykerr commented Feb 12, 2024

I'll probably publish an update to crates.io soon to avoid dependents having issues with nightly.

@kennykerr
Copy link
Collaborator

kennykerr commented Feb 13, 2024

But we should probably get the feature doc search feature integrated before then. Let me know if there's anything else top of mind.

@tim-weis tim-weis mentioned this pull request Feb 16, 2024
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kennykerr kennykerr kennykerr approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@riverar @ChrisDenton @kennykerr