I recently found this blog post, published about two months before the 1.0 release: A Type Safety Hole in Unsafe Rust, by Florian Weimer.
The claim is, essentially, that unsafe blocks can be abused to permit arbitrary conversions between types (a la C-style casts). I don’t know whether this is true or not, or whether it would be considered a “soundness” hole or not (my impression was that undefined behavior, and hence type-safety holes, are possible in poorly written
However, the code in the blog post does not actually behave in the way the blog post claims. Instead, the “magic” conversion function triggers the assert; without the assert, it simply returns a null pointer.
What I’d like to know is:
- When did the behavior change? Did the 1.0 release have this type safety hole? (I was unable to install the 1.0 toolchain using rustup toolchain install 1.0.0.)
- Is there some way to annotate the lifetimes and runtime behavior to clarify what was going on when this did work, versus what happens with the current compiler?
- Is there a variant of this code that does expose an arbitrary cast-like conversion with the current compiler?
Here’s the blog post code copied to the Rust playground, with a typo in the first line of fn magic corrected.
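For readers who want to see what "an arbitrary conversion between types" means in Rust terms, here is an added example; it is not the blog post's fn magic and not code from this thread, and the names (reinterpret_unchecked, reinterpret_bytes, AnyBitPattern) are the example's own. It shows the sanctioned form of such a conversion, which only compiles inside an explicit unsafe block, and the two invariants a safe wrapper has to enforce (equal size, and a target type for which every bit pattern is valid) before it may expose the conversion to safe callers. A safe function that skips either check is exactly the kind of soundness hole the question is asking about.

```rust
// Added illustration, not the blog post's code: a sanctioned reinterpretation
// and the checks a safe wrapper needs before exposing it.
use std::mem::size_of;
use std::ptr;

/// Marker for types where *any* bit pattern is a valid value.
/// The trait is `unsafe` because implementing it for a type such as `bool`,
/// `char`, a reference or most enums would make `reinterpret_bytes` unsound.
unsafe trait AnyBitPattern: Copy {}
unsafe impl AnyBitPattern for u8 {}
unsafe impl AnyBitPattern for u16 {}
unsafe impl AnyBitPattern for u32 {}
unsafe impl AnyBitPattern for u64 {}
unsafe impl AnyBitPattern for [u8; 4] {}
unsafe impl AnyBitPattern for [u8; 8] {}

/// Reinterpret the bytes of a `T` as a `U`.
///
/// Safety contract (the caller must uphold it, which is why this is `unsafe fn`):
/// `size_of::<T>() == size_of::<U>()`, and every bit pattern of `T` must be a
/// valid `U`.
unsafe fn reinterpret_unchecked<T: Copy, U: Copy>(x: T) -> U {
    // `read_unaligned` so the result does not depend on `T`'s alignment
    // matching `U`'s.
    ptr::read_unaligned(&x as *const T as *const U)
}

/// Safe wrapper: the size invariant is checked at runtime and the validity
/// invariant is encoded in the `AnyBitPattern` bound, so safe callers cannot
/// produce an invalid value.
fn reinterpret_bytes<T: Copy, U: AnyBitPattern>(x: T) -> Option<U> {
    if size_of::<T>() != size_of::<U>() {
        return None;
    }
    // SAFETY: sizes are equal (checked above) and `U: AnyBitPattern`
    // guarantees any bit pattern is a valid `U`.
    Some(unsafe { reinterpret_unchecked::<T, U>(x) })
}

fn main() {
    // Constructed sample values.
    let bytes: Option<[u8; 4]> = reinterpret_bytes(0x0102_0304u32);
    assert_eq!(bytes, Some(0x0102_0304u32.to_ne_bytes()));

    // Size mismatch is rejected instead of reading past the source value.
    let rejected: Option<u64> = reinterpret_bytes(0x0102_0304u32);
    assert_eq!(rejected, None);

    println!("checked reinterpretation ok");
}
```

The point of the AnyBitPattern bound is that the type system, not the caller's discipline, carries the validity requirement; remove the bound and the same safe function becomes a way to manufacture an invalid bool or a dangling reference from safe code, which is a soundness hole in the sense the question uses.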