Use wrapping arithmetic in ProbeSeq::move_next to avoid overflow#736
Open
amitmishra11 wants to merge 1 commit into
Conversation
In long probe sequences with a nearly-full table, the stride and pos fields can overflow using plain += before being masked back. Replacing the additions with wrapping_add makes the arithmetic well-defined under all inputs and matches the intent of the subsequent mask (& bucket_mask).

Fixes rust-lang#735

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Contributor:

It appears that the test failures are due to some unrelated lint changes; I can work on those in a separate PR, or someone else can get to that first. Otherwise, this PR looks fine and can be merged after that is fixed.
Bug

In `ProbeSeq::move_next` (src/raw.rs), `stride` and `pos` are updated with plain `+=`:

In a debug build this panics; in a release build it produces undefined behavior (integer overflow). Although the existing `debug_assert!` verifies that `stride <= bucket_mask` before the addition, it fires before the increment, so the assert itself does not rule out overflow once `Group::WIDTH` is added.

This was identified via Kani formal verification and confirmed as a bug by @Amanieu in #735.

Fix

Replace the plain additions with `wrapping_add`, which is what the subsequent `& bucket_mask` mask assumes:

The logic is otherwise identical; `wrapping_add` only differs from `+` when overflow would occur, and the final mask ensures `pos` stays in range regardless.

Verification

`cargo check` passes cleanly. `cargo test` cannot run on this machine due to an absent MSVC linker, but the type-level correctness of the change is confirmed by `cargo check`.

Closes #735
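As an added illustration of the change described above (constructed here, not hashbrown's own code), a minimal probe sequence in the shape of `ProbeSeq` with the `wrapping_add` form of `move_next`, plus a checked-arithmetic helper that reports where the old `+=` form would have overflowed. `GROUP_WIDTH` is an assumed stand-in for `Group::WIDTH`, and the near-`usize::MAX` state is constructed to make the wrap observable; real tables never reach it.

```rust
// Assumed stand-in for hashbrown's Group::WIDTH (16 for the SSE2 group).
const GROUP_WIDTH: usize = 16;

/// Minimal triangular probe sequence in the shape of hashbrown's ProbeSeq.
#[derive(Debug)]
pub struct ProbeSeq {
    pub pos: usize,
    pub stride: usize,
}

impl ProbeSeq {
    pub fn new(hash: u64, bucket_mask: usize) -> Self {
        ProbeSeq { pos: (hash as usize) & bucket_mask, stride: 0 }
    }

    /// stride grows by GROUP_WIDTH, pos by stride, then pos is masked back into
    /// [0, bucket_mask]. wrapping_add makes an intermediate wrap defined behaviour
    /// instead of a debug panic; the mask gives the same bucket either way.
    pub fn move_next(&mut self, bucket_mask: usize) {
        debug_assert!(self.stride <= bucket_mask, "went past end of probe sequence");
        self.stride = self.stride.wrapping_add(GROUP_WIDTH);
        self.pos = self.pos.wrapping_add(self.stride);
        self.pos &= bucket_mask;
    }
}

/// True when the pre-fix `+=` form would leave the usize range for this state.
/// checked_add is used so the check itself can never panic.
pub fn plain_add_would_overflow(seq: &ProbeSeq) -> bool {
    match seq.stride.checked_add(GROUP_WIDTH) {
        Some(stride) => seq.pos.checked_add(stride).is_none(),
        None => true,
    }
}

/// First `n` buckets visited for `hash` in a table with the given mask.
pub fn probe_positions(hash: u64, bucket_mask: usize, n: usize) -> Vec<usize> {
    let mut seq = ProbeSeq::new(hash, bucket_mask);
    let mut out = Vec::with_capacity(n);
    for _ in 0..n {
        out.push(seq.pos);
        seq.move_next(bucket_mask);
    }
    out
}

fn main() {
    // 64-bucket table, hash 5: triangular sequence 5, 21, 53, 37.
    println!("{:?}", probe_positions(5, 63, 4));
    // Constructed extreme state: plain += would overflow, wrapping lands on bucket 10.
    let mut edge = ProbeSeq { pos: usize::MAX - 5, stride: 0 };
    println!("overflow with +=: {}", plain_add_would_overflow(&edge));
    edge.move_next(usize::MAX);
    println!("pos after wrap: {}", edge.pos);
}
```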