Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Is Record::from_raw_parts() actually unsafe? #6

Open
Manishearth opened this issue Mar 5, 2024 · 4 comments
Open

Is Record::from_raw_parts() actually unsafe? #6

Manishearth opened this issue Mar 5, 2024 · 4 comments

Comments

@Manishearth
Copy link

https://github.com/jltsiren/gbwt-rs/blob/cd78e7f8f529866ee1f260db6261817f840ef5cb/src/bwt.rs#L360C19-L360C33

While unsafe reviewing gbz-base I noticed that Record::from_raw_parts() has nontrivial safety invariants.

However it's not clear to me if Record actually uses those invariants for safety-critical things, or if those invariants exist to avoid logic errors.

Can you clarify what the worst case scenario of incorrect usage of from_raw_parts() is? Is it UB?

If it's not UB, could you document that on from_raw_parts()? Such unsafe functions are typically an antipattern but it's still an understandable design decision. But it helps reviewers if it's actually documented as such.
@jltsiren
Copy link
Owner

jltsiren commented Mar 5, 2024

The short answer is that I don't know.

We are dealing with large data structures with complex invariants. There are relevant situations where full validation of the invariants would take orders of magnitude longer than the data is needed. Full validation is almost never done, and the consequences of invalid data can be nontrivial. There could be situations where converting invalid data structures to other simple-sds structures may have safety consequences. I have identified a few potential places, but I'm not sure when I'll have the time to deal with them.

@Manishearth
Copy link
Author

Hm, surprised to hear you say that: there's very little unsafe code in this crate so I was imagining the answer is no.

@jltsiren
Copy link
Owner

jltsiren commented Mar 6, 2024

The fundamental issue is that some supposedly safe functions in simple-sds are not actually safe. Some assume that the input data structure is in a valid state, and use the invariants to avoid multiple redundant sanity checks in the inner loop. But if the input is invalid, the output may also be invalid, and somewhere down the line we may make an out-of-bounds access to something. I've been trying to reduce this behavior when there is no significant performance penalty, but it has not been a priority.

@Manishearth
Copy link
Author

@jltsiren ah, an out of bounds access using unchecked indexing? That would do it.

Worth filing an issue upstream, I didn't follow dependencies for safety invariants

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@Manishearth @jltsiren