Open blinxen opened 1 year ago
In the meantime I found out the following:
The main issue here lies in the try_extend_from_slice_no_copy function. After trying to clone the 133937th element (I don't really know if this index number is relevant or not), self.get_unchecked_mut(len) cannot return a valid reference and the program segfaults.
It appears that when trying to reserve the memory for a new Vec, the allocator should not return a valid pointer. When running the test for 64-bit architectures, it obviously does not work because no machine has that much memory and the allocator returns 0x0. But when running the test on a 32-bit architecture, allocating isize::MAX of memory is possible because that is around 2 GB and all devices these days have more than 2 GB RAM.
The new Vec is allocated fine, but the input is garbage, so it's eventually crashing on element.try_clone().
That's allocating a single u8, then pretending it has length and capacity isize::MAX. That becomes the other slice, which isn't actually allocated for the length that it claims, so it segfaults when it reaches an invalid memory page.
The problem with this test when using -fsanitize=address is initially that the requested allocation is too large. However, if we try to rewrite the code by making a small TryVec of 16 MB first with the right layout, and then using try_clone() on it while retaining the references, and do this until there is no more memory at all, well, it takes hours to execute since try_clone() seems to make a rather slow copy...
It would be necessary to say that for this test only, TryClone should not make a copy. But I have no idea how to do that!
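The comments above describe two ways of forcing the out-of-memory path in a test, both of which are architecture-dependent: request isize::MAX bytes (fails on 64-bit, but may succeed on i686 where 2 GB is allocatable), or exhaust real memory (hours under ASan). An alternative that does not depend on how much memory the machine has is to inject the failure at the allocator. The following is an added example, not code from this crate or from anyone in the thread; it uses only std (a wrapper around the system allocator plus Vec::try_reserve_exact, standing in for TryVec's fallible reserve) and assumes a single-threaded caller owns the limit while it is lowered.

```rust
use std::alloc::{GlobalAlloc, Layout, System};
use std::collections::TryReserveError;
use std::sync::atomic::{AtomicUsize, Ordering};

/// Global allocator wrapper: forwards to the system allocator but returns null
/// for any single request larger than LIMIT bytes. LIMIT starts at usize::MAX,
/// so nothing fails until a test deliberately lowers it.
struct LimitedAlloc;

static LIMIT: AtomicUsize = AtomicUsize::new(usize::MAX);

unsafe impl GlobalAlloc for LimitedAlloc {
    unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
        if layout.size() > LIMIT.load(Ordering::SeqCst) {
            // Simulated OOM: a null return is exactly what a real allocator
            // does on 64-bit for an isize::MAX request, but here it is
            // deterministic on every target, including i686 and under ASan.
            return std::ptr::null_mut();
        }
        System.alloc(layout)
    }

    unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {
        System.dealloc(ptr, layout)
    }
    // alloc_zeroed/realloc default to calling self.alloc, so they honour LIMIT too.
}

#[global_allocator]
static GLOBAL: LimitedAlloc = LimitedAlloc;

/// Restores the previous limit even if the closure panics.
struct LimitGuard(usize);
impl Drop for LimitGuard {
    fn drop(&mut self) {
        LIMIT.store(self.0, Ordering::SeqCst);
    }
}

/// Run `f` while every allocation above `limit` bytes fails, then restore.
fn with_alloc_limit<T>(limit: usize, f: impl FnOnce() -> T) -> T {
    let _guard = LimitGuard(LIMIT.swap(limit, Ordering::SeqCst));
    f()
}

/// Fallible clone of a byte slice: reserve first, copy only if that succeeded.
/// This is the shape a TryClone-style copy should have; the allocation
/// failure surfaces as Err instead of a segfault or abort.
fn try_clone_bytes(src: &[u8]) -> Result<Vec<u8>, TryReserveError> {
    let mut v = Vec::new();
    v.try_reserve_exact(src.len())?;
    v.extend_from_slice(src); // cannot allocate: capacity already reserved
    Ok(v)
}

/// The approach the thread started from: ask for isize::MAX bytes outright.
/// Returns true if the reservation was refused. On 64-bit this is always
/// true; on a 32-bit target it may be false, which is the problem discussed above.
fn huge_reserve_fails() -> bool {
    let mut v: Vec<u8> = Vec::new();
    v.try_reserve_exact(isize::MAX as usize).is_err()
}

fn main() {
    // Constructed input: 4 MiB of a fixed byte pattern.
    let src = vec![0xA5u8; 4 * 1024 * 1024];

    // With a 1 MiB ceiling the 4 MiB copy must fail cleanly.
    let injected = with_alloc_limit(1024 * 1024, || try_clone_bytes(&src));
    println!("copy under 1 MiB limit: {:?}", injected.is_err());

    // With the limit restored the same copy succeeds.
    let normal = try_clone_bytes(&src).expect("normal copy should succeed");
    println!("copy without limit: {} bytes", normal.len());

    println!("isize::MAX reservation refused: {}", huge_reserve_fails());
}
```

The limit is per single request, so the test harness and the rest of the program keep working as long as they stay below it; the 1 MiB ceiling used here is an assumption chosen so that only the deliberately large copy trips it.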
I am currently in the process of packaging this crate for Fedora.
When trying to build the crate for the i686 architecture, I get the following error after running cargo test:
Full build log
I could isolate the problem to the following test.
While I am trying to understand the underlying problem, I thought I would create this issue.