yilin0518 opened a new issue, #9286:
URL: https://github.com/apache/arrow-rs/issues/9286
Hi!
We are a team of researchers studying the memory safety problem in Rust. As
part of our ongoing research, we performed random testing on
arrow-buffer (version: 57.2.0) and found that the following code snippet is
reported as undefined behavior by Miri:
**Describe the bug**
```rust
#![feature(allocator_api)]
use arrow_buffer::*;
fn main() {
    let v13 = [40, -63, 90];
    let v14 = Vec::from(v13);
    let mut v15 = <builder::BufferBuilder::<i64> as std::convert::From<std::vec::Vec::<i64, std::alloc::Global>>>::from(v14);
    let v19: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v20 = 151; // larger than the 3 elements the builder was created with
    builder::BufferBuilder::<i64>::truncate(v19, v20);
    let v27: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v28 = 219;
    builder::BufferBuilder::<i64>::advance(v27, v28);
    let v33: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v34 = builder::BufferBuilder::<i64>::as_slice_mut(v33); // Miri reports the UB inside this call
}
```
The error message Miri reports is as follows:
```text
error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 2960 bytes, but got alloc319 which is only 1792 bytes from the end of the allocation
   --> /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:299:18
    |
299 |         unsafe { std::slice::from_raw_parts_mut(self.buffer.as_mut_ptr() as _, self.len) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
help: alloc319 was allocated here:
   --> src/main.rs:12:5
    |
12  |     builder::BufferBuilder::<i64>::advance(v27, v28);
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    = note: BACKTRACE (of the first span):
    = note: inside `arrow_buffer::BufferBuilder::<i64>::as_slice_mut` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:299:18: 299:89
note: inside `main`
   --> src/main.rs:14:15
    |
14  |     let v34 = builder::BufferBuilder::<i64>::as_slice_mut(v33);
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
error: aborting due to 1 previous error; 1 warning emitted
```
**To Reproduce**
Steps to reproduce the behavior:
1. Copy this code snippet.
2. Select the rustc version: nightly-2025-12-06-x86_64-unknown-linux-gnu
3. Install Miri and run `cargo miri run`
**Expected behavior**
There should not be any undefined behavior.
**Additional context**
The OS I use is Linux Ubuntu.
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
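Added example, not part of the original report and not arrow-buffer code: a safe model of the length bookkeeping that reproduces the 2960 bytes (370 elements of 8 bytes, 370 = 151 + 219) in the Miri output above. It assumes, without confirmation on this page, that `truncate` stores the requested element count even when it exceeds the current length; `ModelBuilder`, `truncate_unclamped`, `truncate_clamped` and `replay` are hypothetical names.

```rust
// Added illustration with hypothetical names; a safe model, not arrow-buffer's code.
const ELEM: usize = std::mem::size_of::<i64>();
struct ModelBuilder {
    bytes: Vec<u8>, // initialized backing bytes
    len: usize,     // element count the builder believes it holds
}

impl ModelBuilder {
    fn from_vec(v: Vec<i64>) -> Self {
        let bytes = v.iter().flat_map(|x| x.to_le_bytes()).collect();
        Self { bytes, len: v.len() }
    }

    // Assumed buggy shape: the byte buffer ignores a "truncate" past its end,
    // but the element count is overwritten anyway.
    fn truncate_unclamped(&mut self, len: usize) {
        self.bytes.truncate(len * ELEM); // no-op when len is larger
        self.len = len;
    }

    // Hardened shape: truncate can only shrink the element count.
    fn truncate_clamped(&mut self, len: usize) {
        let len = len.min(self.len);
        self.bytes.truncate(len * ELEM);
        self.len = len;
    }

    fn advance(&mut self, n: usize) {
        self.bytes.resize(self.bytes.len() + n * ELEM, 0);
        self.len += n;
    }

    // Bytes that a `from_raw_parts_mut(ptr, self.len)` call would claim.
    fn bytes_claimed(&self) -> usize { self.len * ELEM }
    // The invariant any such unsafe slice construction relies on.
    fn invariant_holds(&self) -> bool { self.bytes_claimed() <= self.bytes.len() }
}

// Replays the reported call sequence: from(vec of 3), truncate(151), advance(219).
fn replay(clamped: bool) -> (usize, usize, bool) {
    let mut b = ModelBuilder::from_vec(vec![40, -63, 90]);
    if clamped { b.truncate_clamped(151) } else { b.truncate_unclamped(151) }
    b.advance(219);
    (b.bytes_claimed(), b.bytes.len(), b.invariant_holds())
}

fn main() {
    println!("unclamped {:?}, clamped {:?}", replay(false), replay(true));
}
```

In the unclamped replay the model claims 2960 bytes over 1776 initialized bytes, which fit inside the 1792-byte allocation Miri reports; with the clamp, claimed and backing bytes are both 1776.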