I recently found this blog post, published about two months before the 1.0 release:
A Type Safety Hole in Unsafe Rust, by Florian Weimer.
The claim is, essentially, that `unsafe` blocks can be abused to permit arbitrary conversions between types (à la C-style casts). I don’t know whether this is true or not, or whether it would be considered a “soundness” hole or not (my impression was that undefined behavior, and hence type-safety holes, are possible in poorly written `unsafe` code).
However, the code in the blog post does not actually behave in the way the blog post claims. Instead, the “magic” conversion function triggers the `assert`; without the `assert`, it simply returns a null pointer.
What I’d like to know is:
- When did the behavior change? Did the 1.0 release have this type safety hole? (I was unable to install the 1.0 toolchain using `rustup toolchain install 1.0.0`.)
- Is there some way to annotate the lifetimes and runtime behavior to clarify what was going on when this did work, versus what happens with the current compiler?
- Is there a variant of this code that does expose an arbitrary cast-like conversion with the current compiler?
Here’s the blog post code copied to the Rust playground, with a typo in the first line of `fn magic` corrected.
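For readers who do not have the blog post at hand, the following is an added illustration (not the blog post’s `fn magic`, and not code from the original question) of the kind of cast-like conversion `unsafe` makes possible, together with the only guard a wrapper can enforce at runtime. `reinterpret` and its size check are assumptions made here for the example: it reinterprets the bits of one `Copy` type as another via `std::mem::transmute_copy`, refuses mismatched sizes, and deliberately cannot check the target type’s validity invariants, which is exactly why such a function is unsound to expose as a safe API in general.

```rust
use std::mem::{size_of, transmute_copy};

/// Reinterpret the bits of a `T` as a `U` (hypothetical helper for this
/// example). `unsafe` is what lets the body bypass the type system, so the
/// wrapper guards the one thing it can: the sizes must match. It cannot
/// verify that the resulting bit pattern is a valid `U` (e.g. turning the
/// byte 2u8 into a `bool` would be undefined behaviour), so callers must
/// restrict `U` to types for which every bit pattern is valid.
fn reinterpret<T: Copy, U: Copy>(value: T) -> Option<U> {
    if size_of::<T>() != size_of::<U>() {
        return None; // refuse a truncating or over-reading conversion
    }
    // SAFETY: sizes are equal (checked above); validity of `U` for this
    // bit pattern is the caller's responsibility, as documented.
    Some(unsafe { transmute_copy::<T, U>(&value) })
}

/// Example inputs (constructed for this illustration).
fn demo() -> (Option<f32>, Option<u32>, Option<u32>) {
    let one_f32 = reinterpret::<u32, f32>(0x3f80_0000); // IEEE-754 bits of 1.0
    let minus_one = reinterpret::<i32, u32>(-1);        // two's complement
    let too_small = reinterpret::<u64, u32>(1);         // size mismatch
    (one_f32, minus_one, too_small)
}

fn main() {
    let (a, b, c) = demo();
    println!("u32 -> f32: {:?}", a);
    println!("i32 -> u32: {:?}", b);
    println!("u64 -> u32: {:?}", c);
}
```

The design point: the size check turns a silent memory error into a `None`, but no runtime check can make the conversion sound for types with invariants (`bool`, `char`, references, enums), so a reviewer should expect either a bound that rules those out or the function itself to be marked `unsafe`.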