yilin0518 opened a new issue, #9289:
URL: https://github.com/apache/arrow-rs/issues/9289
Hi!
We are a team of researchers studying the memory safety problem in Rust. As
part of our ongoing research, we performed random testing on
arrow-buffer (version 57.2.0) and found that the following code snippet is
reported as undefined behavior by Miri:
**Describe the bug**
```rust
#![feature(allocator_api)]
use arrow_buffer::*;

fn main() {
    // Length requested for the lazily-materialized null buffer: usize::MAX - 107.
    let v11 = 18446744073709551508;
    let mut v12 = builder::NullBufferBuilder::new_with_len(v11);
    // Appending a slice with a `false` forces materialization of the bitmap.
    let v19 = [false, true, false];
    builder::NullBufferBuilder::append_slice(&mut v12, &v19);
}
```
The error message Miri reports is as follows:
```text
error: resource exhaustion: tried to allocate more memory than available to compiler
   --> /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/buffer/mutable.rs:135:40
    |
135 |         let raw_ptr = unsafe { std::alloc::alloc(layout) };
    |                                ^^^^^^^^^^^^^^^^^^^^^^^^^ resource exhaustion occurred here
    |
    = note: BACKTRACE:
    = note: inside `arrow_buffer::MutableBuffer::with_capacity` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/buffer/mutable.rs:135:40: 135:65
    = note: inside `arrow_buffer::MutableBuffer::new` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/buffer/mutable.rs:117:9: 117:38
    = note: inside `arrow_buffer::BooleanBufferBuilder::new` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/boolean.rs:44:22: 44:55
    = note: inside `arrow_buffer::NullBufferBuilder::materialize` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/null.rs:223:25: 223:79
    = note: inside `arrow_buffer::NullBufferBuilder::materialize_if_needed` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/null.rs:216:13: 216:31
    = note: inside `arrow_buffer::NullBufferBuilder::append_slice` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/null.rs:173:13: 173:41
note: inside `main`
   --> src/main.rs:7:5
    |
7   |     builder::NullBufferBuilder::append_slice(&mut v12, &v19);
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error
```
It seems that `NullBufferBuilder::materialize` will create a
`BooleanBufferBuilder` with the given length and capacity, but without a capacity
limitation, thus a user can specify a very large capacity and exceed the size that
the compiler can allocate.
**To Reproduce**
1. Copy this code snippet.
2. Select the rustc version: nightly-2025-12-06-x86_64-unknown-linux-gnu.
3. Install Miri, run `cargo miri run`.
**Expected behavior**
There should not be any undefined behavior.
**Additional context**
The OS I use is Linux Ubuntu.
We’d appreciate it if you could take a look and confirm whether this
behavior indicates a real issue, or if it’s a false positive or an expected
limitation of Miri.
Thank you very much for your time and for maintaining this great project!
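As an added illustration (not arrow-rs code and not the reporter's snippet), the following standalone Rust program shows the mitigation the report points at: a lazily sized validity-bitmap builder that validates the requested length (overflow-free byte arithmetic, an explicit size limit, `Layout::array`, and `Vec::try_reserve_exact`) before any allocation, so a length such as the one in the snippet above is rejected with an error at construction time instead of reaching the allocator during materialization. The builder, its `CapacityError` type and the `MAX_BITMAP_BYTES` limit are hypothetical names and values chosen for this example.

```rust
// Added example, not arrow-rs code: a lazily sized validity-bitmap builder whose
// length is validated before any allocation. All names here are hypothetical.
use std::alloc::Layout;

/// Illustrative upper bound (1 TiB) on the bitmap bytes this builder will allocate.
pub const MAX_BITMAP_BYTES: usize = 1 << 40;

#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub enum CapacityError {
    /// Adding bits to the current length overflows usize.
    Overflow,
    /// The byte size exceeds the configured limit.
    TooLarge { bytes: usize, limit: usize },
    /// `Layout::array` rejected the size (larger than isize::MAX).
    Layout(usize),
    /// The allocator refused the request (reported as an error, not an abort).
    AllocFailed(usize),
}

/// Bytes needed for `len_bits` bits, computed without overflow and checked
/// against both the limit and what `Layout` will accept.
pub fn checked_bitmap_bytes(len_bits: usize) -> Result<usize, CapacityError> {
    // Equivalent to (len_bits + 7) / 8, but the addition cannot overflow.
    let bytes = len_bits / 8 + usize::from(len_bits % 8 != 0);
    if bytes > MAX_BITMAP_BYTES {
        return Err(CapacityError::TooLarge { bytes, limit: MAX_BITMAP_BYTES });
    }
    Layout::array::<u8>(bytes).map_err(|_| CapacityError::Layout(bytes))?;
    Ok(bytes)
}

/// Records a length and only allocates once a `false` (null) bit is appended,
/// mirroring the lazy shape described in the report.
pub struct LazyBitmapBuilder {
    len_bits: usize,
    bitmap: Option<Vec<u8>>, // None while every bit so far is valid
}

impl LazyBitmapBuilder {
    /// Reject an impossible length here, not later inside materialization.
    pub fn try_new_with_len(len_bits: usize) -> Result<Self, CapacityError> {
        checked_bitmap_bytes(len_bits)?;
        Ok(Self { len_bits, bitmap: None })
    }

    pub fn len(&self) -> usize { self.len_bits }
    pub fn is_lazy(&self) -> bool { self.bitmap.is_none() }

    /// Allocate the all-valid bitmap fallibly; padding bits are cleared.
    fn materialize(&mut self) -> Result<&mut Vec<u8>, CapacityError> {
        if self.bitmap.is_none() {
            let bytes = checked_bitmap_bytes(self.len_bits)?;
            let mut v: Vec<u8> = Vec::new();
            v.try_reserve_exact(bytes).map_err(|_| CapacityError::AllocFailed(bytes))?;
            v.resize(bytes, 0xFF);
            if self.len_bits % 8 != 0 {
                let last = v.len() - 1;
                v[last] &= (1u8 << (self.len_bits % 8)) - 1;
            }
            self.bitmap = Some(v);
        }
        Ok(self.bitmap.as_mut().expect("materialized above"))
    }

    pub fn try_append_slice(&mut self, bits: &[bool]) -> Result<(), CapacityError> {
        let new_len = self.len_bits.checked_add(bits.len()).ok_or(CapacityError::Overflow)?;
        // Validate the grown size before touching memory.
        let new_bytes = checked_bitmap_bytes(new_len)?;
        if self.bitmap.is_none() && bits.iter().all(|&b| b) {
            self.len_bits = new_len; // still uniformly valid: stay lazy
            return Ok(());
        }
        let start = self.len_bits;
        let buf = self.materialize()?;
        buf.resize(new_bytes, 0);
        for (i, &bit) in bits.iter().enumerate() {
            let idx = start + i;
            if bit { buf[idx / 8] |= 1u8 << (idx % 8) } else { buf[idx / 8] &= !(1u8 << (idx % 8)) }
        }
        self.len_bits = new_len;
        Ok(())
    }

    /// `None` past the end; `Some(true)` for every bit while still lazy.
    pub fn is_valid(&self, i: usize) -> Option<bool> {
        if i >= self.len_bits { return None; }
        Some(self.bitmap.as_ref().map_or(true, |b| b[i / 8] & (1u8 << (i % 8)) != 0))
    }

    pub fn null_count(&self) -> usize {
        (0..self.len_bits).filter(|&i| self.is_valid(i) == Some(false)).count()
    }
}

fn main() {
    // The length from the report (usize::MAX - 107) is rejected up front.
    match LazyBitmapBuilder::try_new_with_len(18446744073709551508) {
        Err(e) => println!("rejected: {e:?}"),
        Ok(_) => println!("accepted (unexpected)"),
    }
    let mut b = LazyBitmapBuilder::try_new_with_len(10).expect("small length");
    b.try_append_slice(&[false, true, false]).expect("fits");
    println!("len={} nulls={} lazy={}", b.len(), b.null_count(), b.is_lazy());
}
```

Two design points: the byte count is derived as `len / 8 + (len % 8 != 0)` rather than `(len + 7) / 8`, so a length near `usize::MAX` cannot wrap to a tiny allocation; and the limit is checked in `try_new_with_len` as well as in `materialize`, so a caller learns about an unusable length immediately instead of when a later append happens to trigger materialization.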
--
This is an automated message from the Apache Git Service.