
Fix unsoundness arising with deserialize then get_unchecked #149

Merged
pczarn merged 12 commits into master from fix-unsoundness on Jul 4, 2026

Conversation

@pczarn

@pczarn pczarn commented Jun 24, 2026


Fixes #148

pczarn added 4 commits June 24, 2026 20:33
* we can easily develop the fuzzer in VS Code and other
  editors
* the fuzzer now does some serialization/deserialization
@pczarn pczarn force-pushed the fix-unsoundness branch from b9146cc to 92655fa on June 24, 2026 19:07
@theroguevigilante

theroguevigilante commented Jul 3, 2026


@pczarn wouldn't is_nbits_in_bounds() miss the case where storage.len(), we should be using blocks_for_bits()

@theroguevigilante


Look at this #150

Comment thread vec/src/lib.rs
Comment on lines 2049 to +2054
self.nbits += 1;

self.storage[block_at] |= flag; // set the bit

self.ensure_invariant();


@pczarn

pczarn commented Jul 4, 2026


@theroguevigilante this is what I did:

$ ../target/debug/bit-fuzz in/serde2

thread 'main' (3044843) panicked at vec/src/lib.rs:820:35:
unsafe precondition(s) violated: slice::get_unchecked requires that the index is within the slice

This indicates a bug in the program. This Undefined Behavior check is optional, and cannot be relied on for safety.
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace
thread caused non-unwinding panic. aborting.
Aborted                    (core dumped) ../target/debug/bit-fuzz in/serde2
$ xxd in/serde2
00000000: 780a 1a7b 2273 746f 7261 6765 223a 5b5d  x..{"storage":[]
00000010: 2c22 6e62 6974 7322 3a33 3230 3030 3030  ,"nbits":3200000
00000020: 3030 7d00 1d11 1111 307d                 00}.....0}
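The two review points above (the bound on nbits has to be tied to storage.len() through blocks_for_bits, and the fuzzer's empty-storage, huge-nbits input) can be shown together in a small model. The following is an added Rust example, not code from the bit-vec crate or from this PR: BitVecLike, blocks_for_bits, from_parts_unchecked, try_from_parts, check_invariant and would_read_out_of_bounds are hypothetical names; the sample instance is built directly from the two values visible in the xxd dump rather than parsed from JSON, and serde is left out so the block runs stand-alone with only std.

```rust
// Added example (not the bit-vec crate's code): a minimal BitVec-like type
// that shows how a field-by-field deserialize can violate the invariant
// relating `nbits` to `storage`, and a checked constructor that rejects it.
// All names below are hypothetical.

const BITS: usize = u32::BITS as usize; // bits per storage block

#[derive(Debug, PartialEq, Eq)]
pub enum InvariantError {
    /// `nbits` needs more blocks than `storage` actually holds.
    TooFewBlocks { need: usize, have: usize },
}

/// Blocks required to hold `bits` bits (ceiling division written so it
/// cannot overflow for any `bits`, unlike `(bits + BITS - 1) / BITS`).
pub fn blocks_for_bits(bits: usize) -> usize {
    bits / BITS + usize::from(bits % BITS != 0)
}

#[derive(Debug, PartialEq, Eq)]
pub struct BitVecLike {
    storage: Vec<u32>,
    nbits: usize,
}

impl BitVecLike {
    /// What a derived `Deserialize` amounts to: the fields are filled straight
    /// from the wire and nothing relates `nbits` to `storage.len()`.
    pub fn from_parts_unchecked(storage: Vec<u32>, nbits: usize) -> Self {
        BitVecLike { storage, nbits }
    }

    /// Checked constructor that a hand-written `Deserialize` impl (or a
    /// `#[serde(try_from = "...")]` conversion) should route through.
    pub fn try_from_parts(storage: Vec<u32>, nbits: usize) -> Result<Self, InvariantError> {
        let v = BitVecLike { storage, nbits };
        v.check_invariant()?;
        Ok(v)
    }

    /// The memory-safety half of the invariant, expressed through
    /// `blocks_for_bits` so that it is tied to the real storage length.
    pub fn check_invariant(&self) -> Result<(), InvariantError> {
        let need = blocks_for_bits(self.nbits);
        let have = self.storage.len();
        if need > have {
            return Err(InvariantError::TooFewBlocks { need, have });
        }
        Ok(())
    }

    /// Bit lookup with the same `i < nbits` guard an unchecked lookup has,
    /// but using checked slice indexing: where `get_unchecked` would read
    /// past `storage` (undefined behaviour), this returns `None`.
    pub fn get(&self, i: usize) -> Option<bool> {
        if i >= self.nbits {
            return None;
        }
        let block = i / BITS;
        let mask = 1u32 << (i % BITS);
        self.storage.get(block).map(|&w| (w & mask) != 0)
    }

    /// True when the `i < nbits` guard alone would have let an unchecked
    /// index run past `storage`, i.e. the read is UB in the unchecked form.
    pub fn would_read_out_of_bounds(&self, i: usize) -> bool {
        i < self.nbits && i / BITS >= self.storage.len()
    }
}

/// The two values visible in the thread's xxd dump, constructed here directly
/// rather than parsed: empty storage and nbits = 3200000000.
pub fn fuzzer_case() -> (Vec<u32>, usize) {
    (Vec::new(), 3_200_000_000)
}

fn main() {
    let (storage, nbits) = fuzzer_case();
    let bad = BitVecLike::from_parts_unchecked(storage.clone(), nbits);
    println!(
        "unchecked construction: get(0) = {:?}, unchecked read would be UB: {}",
        bad.get(0),
        bad.would_read_out_of_bounds(0)
    );
    match BitVecLike::try_from_parts(storage, nbits) {
        Ok(_) => println!("checked construction: accepted"),
        Err(e) => println!("checked construction: rejected ({e:?})"),
    }
}
```

With the fuzzer's values the unchecked construction passes the `i < nbits` guard for every index below 3200000000 while `storage` has no blocks at all, which is exactly the state in which a `get_unchecked` on the storage slice reads out of bounds; the debug-build precondition check in the output above catches that as an abort, and a release build would read silently. The checked constructor reports `TooFewBlocks { need: 100000000, have: 0 }` instead. A check that bounds `nbits` against some constant rather than against `blocks_for_bits(nbits) <= storage.len()` cannot distinguish these two cases, which is the point of the review comment. The crate's full invariant may be stricter than the memory-safety half modelled here (for instance an exact block count or zeroed trailing bits); those conditions belong in the same checked constructor.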

@pczarn pczarn merged commit 8d5ffcf into master Jul 4, 2026
7 checks passed


Development

Successfully merging this pull request may close these issues.

Soundness: Derived deserialization traits allow safe construction of invalid BitVec instances
