
Missing Safety Guarantee in merge_down Function Documentation (smallsort Module) #135984


Open
BusyBeaver-42 opened this issue Jan 24, 2025 · 0 comments
Labels
A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools T-libs Relevant to the library team, which will review and decide on the PR/issue.

Comments

@BusyBeaver-42

Location

The SAFETY comment in question is located in the merge_down function in the smallsort module in shared in sort in the slice module of the core crate.

Summary

While working on the Rust std-lib verification, I identified a missing requirement in the SAFETY comment in the merge_down function in the smallsort module.

Description of the problem

In the following code, the SAFETY comment does not guarantee that dst.sub(1) remains within the same allocated object as dst. This violates one of the safety requirements for pointer.sub.

unsafe fn merge_down<T, F: FnMut(&T, &T) -> bool>(
    mut left_src: *const T,
    mut right_src: *const T,
    mut dst: *mut T,
    is_less: &mut F,
) -> (*const T, *const T, *mut T) {
    // snip

    // SAFETY: The caller must guarantee that `left_src`, `right_src` are valid
    // to read and `dst` is valid to write, while not aliasing.
    unsafe {
        // snip
        dst = dst.sub(1);  // <- issue here
    }

    (left_src, right_src, dst)
}

Proposed fix

Update the SAFETY comment as follows.

    // SAFETY: The caller must guarantee that `left_src`, `right_src` are valid
-   // to read and `dst` is valid to write, while not aliasing.
+   // to read, `dst` is valid to write, while not aliasing, and `dst.sub(1)`
+   // is within the same allocated object as `dst`.
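Review bot: the added clause should say why it is needed and match the wording of `ptr::sub`'s own precondition, since "`dst` is valid to write" already appears in the comment and a reader may assume it covers the decrement. Write validity covers the element at `dst`, not the one before it; `sub` requires the whole range between `dst` and `dst.sub(1)` to lie in bounds of one allocated object. Suggested phrasing: "and the element before `dst` is in bounds of the same allocated object, so that `dst.sub(1)` is valid" (i.e. `dst` is not the first element of the destination buffer). The same reasoning is what makes `merge_up`'s `dst.add(1)` fine, so stating it here documents the asymmetry.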

merge_up does not have the same problem

Although the SAFETY comment in the merge_up function may appear to have a similar issue, I believe this is not the case. Since dst must already be valid for a write, dst.add(1) will remain within the bounds of the same allocated object.
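As an added illustration, not code from the issue or from core, the following models a merge step with the contract the issue describes and pairs it with a safe driver that upholds it: the driver only calls the step while both runs still have elements, which guarantees at least two output slots remain and therefore that `dst.sub(1)` stays inside the output buffer. The names `merge_down_step`, `merge_sorted` and `merged` are this example's own, `T: Copy` is assumed to keep the copy trivial, and the source pointers are retreated with `wrapping_sub`, which has no in-bounds requirement, to keep the contrast with `dst.sub(1)` visible.

```rust
use std::ptr;

/// One step of a merge that fills the output from the back towards the front.
/// Illustrative code written for this discussion; it is not core's `merge_down`.
///
/// Compares `*left_src` and `*right_src`, copies the one that sorts last to
/// `dst`, retreats the chosen source pointer and `dst` by one element, and
/// returns the three updated pointers. Ties take the right element, which
/// keeps the merge stable.
///
/// # Safety
/// - `left_src` and `right_src` must be valid for reads of `T`, `dst` must be
///   valid for a write of `T`, and none of the three may alias.
/// - `dst.sub(1)` must lie within the same allocated object as `dst`, i.e.
///   `dst` must not point at the first element of the output buffer. `dst`
///   being valid for a write says nothing about the element before it.
///
/// The source pointers are retreated with `wrapping_sub`, which carries no
/// in-bounds requirement, so an exhausted run may end up with a pointer one
/// element before its start as long as it is never dereferenced.
unsafe fn merge_down_step<T: Copy, F: FnMut(&T, &T) -> bool>(
    mut left_src: *const T,
    mut right_src: *const T,
    mut dst: *mut T,
    is_less: &mut F,
) -> (*const T, *const T, *mut T) {
    // SAFETY: reads and the write are covered by the caller's guarantees;
    // `dst.sub(1)` is in bounds by the second bullet of the contract.
    unsafe {
        let take_left = is_less(&*right_src, &*left_src);
        let src = if take_left { left_src } else { right_src };
        ptr::copy_nonoverlapping(src, dst, 1);
        if take_left {
            left_src = left_src.wrapping_sub(1);
        } else {
            right_src = right_src.wrapping_sub(1);
        }
        dst = dst.sub(1); // the step the issue is about
    }
    (left_src, right_src, dst)
}

/// Stable merge of two sorted runs into `dst`, driving `merge_down_step` so
/// that its contract is met on every call.
pub fn merge_sorted<T: Copy + Ord>(left: &[T], right: &[T], dst: &mut [T]) {
    assert_eq!(dst.len(), left.len() + right.len(), "dst must hold both runs");
    let mut is_less = |a: &T, b: &T| a < b;
    let base = dst.as_mut_ptr();
    let (mut l_remaining, mut r_remaining) = (left.len(), right.len());
    // Last element of each run, or one-before-start for an empty run (never read).
    let mut l = left.as_ptr().wrapping_add(left.len()).wrapping_sub(1);
    let mut r = right.as_ptr().wrapping_add(right.len()).wrapping_sub(1);
    // Output cursor: slot for the largest remaining element,
    // i.e. `base + (l_remaining + r_remaining) - 1`.
    let mut d = base.wrapping_add(dst.len()).wrapping_sub(1);

    while l_remaining > 0 && r_remaining > 0 {
        // Both runs still have elements, so at least two output slots remain
        // and `d` is strictly after `base`: `d.sub(1)` stays inside `dst`.
        debug_assert!(d > base);
        // SAFETY: `l` and `r` point at live elements of their runs, `d` points
        // into `dst` (disjoint from the runs), and `d > base` as checked above.
        let (nl, nr, nd) = unsafe { merge_down_step(l, r, d, &mut is_less) };
        // Exactly one source pointer moved; shrink that run's count.
        if nl != l { l_remaining -= 1 } else { r_remaining -= 1 }
        l = nl;
        r = nr;
        d = nd;
    }

    // One run is exhausted. What remains of the other is its first
    // `*_remaining` elements, which belong at the front of `dst`.
    let (src, n) = if l_remaining > 0 {
        (left.as_ptr(), l_remaining)
    } else {
        (right.as_ptr(), r_remaining)
    };
    // SAFETY: `src..src+n` are live elements of a run, `base..base+n` lies
    // within `dst` (n <= dst.len()), and the two buffers do not overlap.
    unsafe { ptr::copy_nonoverlapping(src, base, n) };
}

/// Convenience wrapper used by `main` and the checks below.
pub fn merged(left: &[i32], right: &[i32]) -> Vec<i32> {
    let mut out = vec![0; left.len() + right.len()];
    merge_sorted(left, right, &mut out);
    out
}

fn main() {
    // Constructed sample runs.
    println!("{:?}", merged(&[1, 4, 7, 9], &[2, 3, 8]));
}
```

Running the driver under Miri exercises exactly the guarantee the issue asks the SAFETY comment to state: if the loop condition were relaxed to keep stepping once one run is exhausted, the final `dst.sub(1)` would move one element before `dst`'s start, which `sub` forbids even though the pointer is never dereferenced.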

@BusyBeaver-42 BusyBeaver-42 added the A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools label Jan 24, 2025
@rustbot rustbot added the needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. label Jan 24, 2025
@jieyouxu jieyouxu added T-libs Relevant to the library team, which will review and decide on the PR/issue. and removed needs-triage This issue may need triage. Remove it if it has been sufficiently triaged. labels Jan 26, 2025