Possible unsound unsafe code

geebee22 · January 23, 2026, 11:42pm

I haven't worked on Rust for some time, I got a issue raised with a crate, and would like an opinion, see

github.com/georgebarwood/btree_experiment

Potential unsoundness

opened 04:07PM - 17 Jan 26 UTC

Hello, thank you for your crate. I discovered a potential unsoundness using a st…atic analysis tool. However, I noticed that this doesn't seem to be exposed as a pub function, so I'm not sure. The `get` method of `ShortVec` copies the ownership of the object pointed to by `p`, which is dangerous for non-Copy types. This `next` method calls `ShortVec::get`, causing elements in `v` to have two owners—the element itself and the returned value. This violates Rust's safety constraints. If `v`'s elements are non-Copy, it may lead to issues in safe code like double drops and use-after-free. Similarly, `ShortVec::drop` appears to have a comparable problem. ``` impl<T> Iterator for IntoIterShortVec<T> { type Item = T; #[inline] fn next(&mut self) -> Option<Self::Item> { if self.start == self.v.len() { None } else { let ix = self.start; self.start += 1; Some(unsafe { self.v.v.get(ix) }) } } } ``` ``` impl<T> Drop for ShortVec<T> { fn drop(&mut self) { let mut len = self.len as usize; while len > 0 { len -= 1; unsafe { self.v.get(len); } } self.len = 0; self.set_alloc(0); } } ```

jonh · January 24, 2026, 12:15am

~~It looks without great study to be probably OK.~~
The iterator consumes so the only other access is drop. The drop on the Iterator (not shown in issue) appears to ~~take care of clearing out content.~~

steffahn · January 24, 2026, 12:46am

I can see a potential soundness issue but nothing like the issue opener described.

The issue I can see is that the drop implementation of the IntoIterShortVec type does first consume all items in a loop and then sets the internal length to 0 so they aren't dropped again by destructor of the the ShortVec inside. But if one of the items' destructors panics, I think the inner ShortVec would still get dropped normally during unwinding and hence you could get some double-free.

nerditation · January 24, 2026, 12:53am

IMO, BasicVec::get() is "technically unsound", since the documented safety condition is not enough to ensure UB free for the use of ptr::read(), quote from the documentation:

Ownership of the Returned Value

read creates a bitwise copy of T, regardless of whether T is Copy. If T is not Copy, using both the returned value and the value at *src can violate memory safety.

at least, there should be something like this statement in the safety documentation:

/// # Safety
/// [...]
/// `BasicVec::get(ix)` can only be called at most once for each valid `ix`

but as the type BasicVec is private, it's not a big deal, we only need to check the use of BasicVec::get() within the same module.

from a quick glance, I think the IntoIterShortVec type indeed has a double drop problem, ~~because IntoIterShortVec<T> contains a ShortVec<T>, which also implements Drop~~. you should at least wrap it in a ManuallyDrop.

EDIT:

whoops, I missed the line of setting the internal length to 0, but still, there's a possibility of double drop in the case of panic, as pointed out by @steffahn

geebee22 · January 24, 2026, 6:18am

Thanks. I do have a memory of fixing issues related to panics in destructors when working on the supported crate ( pstd ). Hopefully the supported crate does not have such issues.

github.com/georgebarwood/pstd

src/collections/btree_map/vecs.rs

main

use std::{
    alloc::Layout,
    borrow::Borrow,
    cmp::Ordering,
    fmt,
    fmt::Debug,
    marker::PhantomData,
    mem,
    ops::{Bound, Deref, DerefMut, RangeBounds},
    ptr,
    ptr::NonNull,
};

use crate::collections::btree_map::Tuning;

/// In debug mode or feature unsafe-optim not enabled, same as assert! otherwise unsafe unreachable hint.
#[cfg(any(debug_assertions, not(feature = "unsafe-optim")))]
macro_rules! safe_assert {
    ( $cond: expr ) => {
        assert!($cond)

This file has been truncated. show original

jonh · January 24, 2026, 10:10am

It does not have Drop so will leak memory if not manually emptied.

geebee22 · January 24, 2026, 10:39am

That is correct, set_alloc has to be called to free the memory. I think I designed it this way to minimise memory usage, that is it avoids having to store a reference to the Tuning (Allocator) in every ShortVec instance. I was trying quite hard to minimise memory usage in this BTreeMap.

Of course it would be simplest to use a plain Vec, but that has extra overhead.

Topic		Replies	Views
Unsafe Rust is... tough? help	11	2815	December 27, 2020
Is My Highly Unsafe Code Correct? In Place Mapping a Vector code review	23	1908	October 19, 2023
How to cache a vector's capacity? help	60	2492	August 29, 2023
Safe to transmute lifetimes inside Vec?	21	619	May 8, 2025
Rustnomincon `Drain` and double dropping help	14	392	March 14, 2025

Possible unsound unsafe code

Ownership of the Returned Value

Related topics