UB in `PagedVec::read_range_generic`

## Summary

The following tests both trigger undefined behavior in `openvm_circuit::system::memory::PagedVec::read_range_generic`.

```rust
#[test]
fn test_ub_clone_from() {
    let v = PagedVec::<Vec<u8>, 4>::new(2);
    let _ = v.range_vec(0..2);
}

#[test]
fn test_ub_drop() {
    #[derive(Default, Clone)]
    struct Byte(u8);

    impl Drop for Byte {
        fn drop(&mut self) {
            let _uninit = self.0;
        }
    }

    let v = PagedVec::<Byte, 4>::new(2);
    let _ = v.range_vec(0..2);
}
```

This can be seen by running with [Miri](https://github.com/rust-lang/miri).

```
cargo +nightly miri test -p openvm-circuit --no-default-features system::memory::paged_vec::tests::test_ub_drop
```

## Discussion

When called from `PagedVec::range_vec`, `read_range_generic` attempts to fill an uninitialized `Vec` with data from the `PagedVec` via a raw pointer. If the requested page is not initialized, the method instead fills the `Vec` with the result of `T::default()`. The first instance of this occurs [here](https://github.com/openvm-org/openvm/blob/51f07d50d20174b23091f48e25d9ea421b4e2787/crates/vm/src/system/memory/paged_vec.rs#L33).

```rust
std::slice::from_raw_parts_mut(dst, len).fill(T::default());
```

The safety docs for `std::slice::from_raw_parts_mut` state that `dst: *mut T` must point to `len` consecutive properly initialized values of type `T`. It is not clear from the docs whether this is a validity invariant or a safety [invariant](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html#validity-and-safety-invariant).

While it is *technically* UB to construct a reference to uninitialized data (see, e.g., the `std::ptr::addr_of` [docs](https://doc.rust-lang.org/std/ptr/macro.addr_of.html)), the rules here are not yet finalized ([unsafe-code-guidelines#412](https://github.com/rust-lang/unsafe-code-guidelines/issues/412)). Therefore, creating a reference to uninitialized data using `std::slice::from_raw_parts_mut` is unlikely to result in miscompilation on its own, and I would assume the same for the typed copy needed to pass this reference to `<[T]>::fill`.

However, any "use" of this uninitialized data is clearly UB. As shown in the tests above, there are two cases that result in a use of the data in the destination slice within [`<[T]>::fill`](https://github.com/rust-lang/rust/blob/b8ff7b682e0544de40a90bb9cbd2d21f479b4987/library/core/src/slice/specialize.rs#L6-L13):
* `T` implements `Drop`.
* `<T as Clone>::clone_from` reads from `self` (e.g. [`Vec::clone_from`](https://github.com/rust-lang/rust/blob/b8ff7b682e0544de40a90bb9cbd2d21f479b4987/library/alloc/src/slice.rs#L830)).

Assuming that the generic parameter `T` in `PagedVec<T, PAGE_SIZE>` is typically a field element, and considering that `p3_field::Field: Copy`, both of these cases seem unlikely to occur in practice.

## Fix

I believe the best fix here is to use [`MaybeUninit::fill`](https://doc.rust-lang.org/std/mem/union.MaybeUninit.html#method.fill). Unfortunately, this method is unstable, so it may be necessary to reimplement it using the approach shown [here](https://github.com/rust-lang/rust/blob/b8ff7b682e0544de40a90bb9cbd2d21f479b4987/library/core/src/mem/maybe_uninit.rs#L1603-L1617).

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Uh oh!

UB in `PagedVec::read_range_generic` #1557

Summary

Discussion

Fix

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

UB in PagedVec::read_range_generic #1557

Description

Summary

Discussion

Fix

Metadata

Metadata

Assignees

Labels

Type

Projects

Milestone

Relationships

Development

Issue actions

UB in `PagedVec::read_range_generic` #1557