Add debug assertions related to safety conditions

xiph · Mar 27, 2023 · 0a5edd2 · 0a5edd2
1 parent 92c05bd
commit 0a5edd2
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/src/context/cdf_context.rs b/src/context/cdf_context.rs
@@ -611,6 +611,11 @@ impl<const CDF_LEN_MAX_PLUS_1: usize>
       let dst = self.data.as_mut_ptr().add(len) as *mut u16;
       let base = fc as *mut _ as *mut u8;
       let src = base.add(cdf.offset) as *const u16;
+      // When CDF_LEN + 1 < CDF_LEN_MAX_PLUS_1, this reads beyond the end of
+      // the slice described by `cdf`.
+      // Since it is part of `CDFContext`, the out-of-bounds data is valid.
+      // We conform to the stacked-borrows memory model by holding a mutable
+      // ref to the containing data structure.
       dst.copy_from_nonoverlapping(src, CDF_LEN_MAX_PLUS_1 - 1);
       *dst.add(CDF_LEN_MAX_PLUS_1 - 1) = cdf.offset as u16;
       self.data.set_len(new_len);
@@ -630,10 +635,15 @@ impl<const CDF_LEN_MAX_PLUS_1: usize>
     unsafe {
       let mut src = self.data.as_mut_ptr().add(len);
       while len > checkpoint {
+        // As checkpoint is unsigned, len > 0 is implied.
         len -= 1;
         src = src.sub(1);
         let src = src as *mut u16;
         let offset = *src.add(CDF_LEN_MAX_PLUS_1 - 1) as usize;
+        debug_assert!(
+          offset + (CDF_LEN_MAX_PLUS_1 - 1) * mem::size_of::<u16>()
+            <= mem::size_of::<CDFContext>()
+        );
         let dst = base.add(offset) as *mut u16;
         dst.copy_from_nonoverlapping(src, CDF_LEN_MAX_PLUS_1 - 1);
       }

diff --git a/src/dist.rs b/src/dist.rs
@@ -142,11 +142,13 @@ pub(crate) mod rust {
 
   // SAFETY: The length of data must be 16.
   unsafe fn hadamard4x4(data: &mut [i32]) {
+    debug_assert_eq!(data.len(), 16);
     hadamard2d::<{ 4 * 4 }, 4, 4>(&mut *(data.as_mut_ptr() as *mut [i32; 16]));
   }
 
   // SAFETY: The length of data must be 64.
   unsafe fn hadamard8x8(data: &mut [i32]) {
+    debug_assert_eq!(data.len(), 64);
     hadamard2d::<{ 8 * 8 }, 8, 8>(&mut *(data.as_mut_ptr() as *mut [i32; 64]));
   }
 
@@ -166,6 +168,7 @@ pub(crate) mod rust {
     // Size of hadamard transform should be 4x4 or 8x8
     // 4x* and *x4 use 4x4 and all other use 8x8
     let size: usize = w.min(h).min(8);
+    debug_assert!(size == 4 || size == 8);
     let tx2d = if size == 4 { hadamard4x4 } else { hadamard8x8 };
 
     let mut sum: u64 = 0;

diff --git a/src/lrf.rs b/src/lrf.rs
@@ -194,7 +194,9 @@ pub(crate) mod rust {
         let ssq = get_integral_square(iimg_sq, iimg_stride, x, y, d);
         let (reta, retb) =
           sgrproj_sum_finish::<BD>(ssq, sum, n as u32, one_over_n, s);
+        debug_assert!(x < af.len());
         *af.get_unchecked_mut(x) = reta;
+        debug_assert!(x < bf.len());
         *bf.get_unchecked_mut(x) = retb;
       }
     }
@@ -369,9 +371,13 @@ unsafe fn get_integral_square(
   iimg: &[u32], stride: usize, x: usize, y: usize, size: usize,
 ) -> u32 {
   // Cancel out overflow in iimg by using wrapping arithmetic
+  debug_assert!(y * stride + x < iimg.len());
   let top_left = *iimg.get_unchecked(y * stride + x);
+  debug_assert!(y * stride + x + size < iimg.len());
   let top_right = *iimg.get_unchecked(y * stride + x + size);
+  debug_assert!((y + size) * stride + x < iimg.len());
   let bottom_left = *iimg.get_unchecked((y + size) * stride + x);
+  debug_assert!((y + size) * stride + x + size < iimg.len());
   let bottom_right = *iimg.get_unchecked((y + size) * stride + x + size);
   top_left
     .wrapping_add(bottom_right)

diff --git a/src/util/align.rs b/src/util/align.rs
@@ -61,7 +61,7 @@ impl<T> AlignedBoxedSlice<T> {
   }
 
   const fn layout(len: usize) -> Layout {
-    // SAFETY: We are ensuring that `align` is non-zero and is a multiple of 2.
+    // SAFETY: We are ensuring that `align` is non-zero and is a power of 2.
     unsafe {
       Layout::from_size_align_unchecked(
         len * mem::size_of::<T>(),