Add debug assertions related to safety conditions

xiph · Mar 19, 2023 · 8eeb175 · 8eeb175
1 parent 92ed4e8
commit 8eeb175
Show file tree

Hide file tree

Showing 4 changed files with 20 additions and 1 deletion.
diff --git a/src/context/cdf_context.rs b/src/context/cdf_context.rs
@@ -601,6 +601,10 @@ trait CDFContextLogOps: CDFContextLogSize {
       let capacity = log.data.capacity();
       debug_assert!(new_len <= capacity);
       let dst = log.data.as_mut_ptr().add(len);
+      // This reads beyond the end of `cdf`.
+      // Since it's part of a larger data structure, the out-of-bounds data is valid.
+      // However this violates the stacked-borrows memory model and is technically undefined behavior.
+      // See https://github.com/xiph/rav1e/issues/3166
       dst.copy_from_nonoverlapping(cdf.as_ptr(), Self::CDF_LEN_MAX);
       *dst.add(Self::CDF_LEN_MAX) = offset as u16;
       log.data.set_len(new_len);
@@ -615,14 +619,20 @@ trait CDFContextLogOps: CDFContextLogSize {
   ) {
     let base = fc as *mut _ as *mut u8;
     let mut len = log.data.len();
+    debug_assert!(len % (Self::CDF_LEN_MAX + 1) == 0);
     // SAFETY: We use unchecked pointers here for performance.
     // Since we know the length, we can ensure not to go OOB.
     unsafe {
       let mut src = log.data.as_mut_ptr().add(len);
       while len > checkpoint {
+        debug_assert!(len >= Self::CDF_LEN_MAX + 1);
         len -= Self::CDF_LEN_MAX + 1;
         src = src.sub(Self::CDF_LEN_MAX + 1);
         let offset = *src.add(Self::CDF_LEN_MAX) as usize;
+        debug_assert!(
+          offset + Self::CDF_LEN_MAX * mem::size_of::<u16>()
+            <= mem::size_of::<CDFContext>()
+        );
         let dst = base.add(offset) as *mut u16;
         dst.copy_from_nonoverlapping(src, Self::CDF_LEN_MAX);
       }

diff --git a/src/dist.rs b/src/dist.rs
@@ -142,11 +142,13 @@ pub(crate) mod rust {
 
   // SAFETY: The length of data must be 16.
   unsafe fn hadamard4x4(data: &mut [i32]) {
+    debug_assert_eq!(data.len(), 16);
     hadamard2d::<{ 4 * 4 }, 4, 4>(&mut *(data.as_mut_ptr() as *mut [i32; 16]));
   }
 
   // SAFETY: The length of data must be 64.
   unsafe fn hadamard8x8(data: &mut [i32]) {
+    debug_assert_eq!(data.len(), 64);
     hadamard2d::<{ 8 * 8 }, 8, 8>(&mut *(data.as_mut_ptr() as *mut [i32; 64]));
   }
 
@@ -166,6 +168,7 @@ pub(crate) mod rust {
     // Size of hadamard transform should be 4x4 or 8x8
     // 4x* and *x4 use 4x4 and all other use 8x8
     let size: usize = w.min(h).min(8);
+    debug_assert!(size == 4 || size == 8);
     let tx2d = if size == 4 { hadamard4x4 } else { hadamard8x8 };
 
     let mut sum: u64 = 0;

diff --git a/src/lrf.rs b/src/lrf.rs
@@ -194,7 +194,9 @@ pub(crate) mod rust {
         let ssq = get_integral_square(iimg_sq, iimg_stride, x, y, d);
         let (reta, retb) =
           sgrproj_sum_finish::<BD>(ssq, sum, n as u32, one_over_n, s);
+        debug_assert!(x < af.len());
         *af.get_unchecked_mut(x) = reta;
+        debug_assert!(x < bf.len());
         *bf.get_unchecked_mut(x) = retb;
       }
     }
@@ -369,9 +371,13 @@ unsafe fn get_integral_square(
   iimg: &[u32], stride: usize, x: usize, y: usize, size: usize,
 ) -> u32 {
   // Cancel out overflow in iimg by using wrapping arithmetic
+  debug_assert!(y * stride + x < iimg.len());
   let top_left = *iimg.get_unchecked(y * stride + x);
+  debug_assert!(y * stride + x + size < iimg.len());
   let top_right = *iimg.get_unchecked(y * stride + x + size);
+  debug_assert!((y + size) * stride + x < iimg.len());
   let bottom_left = *iimg.get_unchecked((y + size) * stride + x);
+  debug_assert!((y + size) * stride + x + size < iimg.len());
   let bottom_right = *iimg.get_unchecked((y + size) * stride + x + size);
   top_left
     .wrapping_add(bottom_right)

diff --git a/src/util/align.rs b/src/util/align.rs
@@ -61,7 +61,7 @@ impl<T> AlignedBoxedSlice<T> {
   }
 
   const fn layout(len: usize) -> Layout {
-    // SAFETY: We are ensuring that `align` is non-zero and is a multiple of 2.
+    // SAFETY: We are ensuring that `align` is non-zero and is a power of 2.
     unsafe {
       Layout::from_size_align_unchecked(
         len * mem::size_of::<T>(),