larry-robotics/elkodon

Soundness Bug: It is possible to publish uninitialized data without 'unsafe'

Closed this issue · 0 comments

Required information

Observed result or behaviour:
It is possible to loan a sample and immediately publish it without initializing the data.

Expected result or behaviour:
With safe Rust this should not compile.

Conditions where it occurred / Performed steps:
Compile this code

let sample = publisher.loan()?;
publisher.send(sample)?;

Proposal

I think we can borrow some code from iceoryx-rs and let the API for uninitialized samples return a SampleMut<MaybeUninit<T>> instead of a SampleMut<T>. The user would have to call the unsafe assume_init method in order to get a SampleMut<T> to be able to publish the sample.

This is the iceoryx-rs API for uninitialized samples

let mut sample = publisher.loan_uninit()?;
let sample = unsafe {
    (*sample.as_mut_ptr()).counter = counter;
    sample.assume_init()
};
publisher.publish(sample);

This would lead to a compile time error

let sample = publisher.loan_uninit()?;
publisher.publish(sample);
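As an added example (not code from elkodon or iceoryx-rs), a minimal Rust sketch of the proposed typestate: `loan_uninit` returns `SampleMut<MaybeUninit<T>>`, `send` accepts only `SampleMut<T>`, so the only paths to a sendable sample are a safe `write` or the unsafe `assume_init`, and `send(loan_uninit())` is rejected by the type checker. The stand-in `Publisher`, `write` and `publish_counter` names are assumptions for this sketch, not the project's API.

```rust
// Added example sketching the MaybeUninit typestate; not elkodon's or iceoryx-rs's code.
use std::mem::MaybeUninit;

/// A loaned sample; the payload type parameter records whether it is initialised.
pub struct SampleMut<T> {
    payload: T,
}

impl<T> SampleMut<MaybeUninit<T>> {
    /// Safe route: writing a complete value yields an initialised sample.
    pub fn write(mut self, value: T) -> SampleMut<T> {
        self.payload.write(value);
        // SAFETY: the line above initialised the whole payload.
        unsafe { self.assume_init() }
    }

    /// Raw access for in-place initialisation, as in the iceoryx-rs snippet above.
    pub fn as_mut_ptr(&mut self) -> *mut T {
        self.payload.as_mut_ptr()
    }

    /// # Safety
    /// The caller must have initialised every field of the payload.
    pub unsafe fn assume_init(self) -> SampleMut<T> {
        SampleMut { payload: self.payload.assume_init() }
    }
}

/// Hypothetical publisher that records sent payloads; `send` takes only `SampleMut<T>`.
pub struct Publisher<T> {
    sent: Vec<T>,
}

impl<T> Publisher<T> {
    pub fn new() -> Self {
        Publisher { sent: Vec::new() }
    }
    pub fn loan_uninit(&self) -> SampleMut<MaybeUninit<T>> {
        SampleMut { payload: MaybeUninit::uninit() }
    }
    pub fn send(&mut self, sample: SampleMut<T>) {
        self.sent.push(sample.payload);
    }
    pub fn sent(&self) -> &[T] {
        &self.sent
    }
}

/// Initialises and publishes one counter value through the safe path; returns what `send` saw.
pub fn publish_counter(counter: u64) -> Vec<u64> {
    let mut publisher = Publisher::<u64>::new();
    let sample = publisher.loan_uninit().write(counter); // loan_uninit() alone would not type-check in send()
    publisher.send(sample);
    publisher.sent().to_vec()
}
```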