Closed
Hi!
We are a team of researchers studying the memory safety problem in Rust. As part of our ongoing research, we performed random testing on arrow-buffer (version: 57.2.0) and found that the following code snippet is reported as undefined behavior by Miri:
Describe the bug
```rust
#![feature(allocator_api)]
use arrow_buffer::*;

fn main() {
    // Build a BufferBuilder<i64> holding three elements.
    let v13 = [40, -63, 90];
    let v14 = Vec::from(v13);
    let mut v15 = <builder::BufferBuilder::<i64> as std::convert::From<std::vec::Vec::<i64, std::alloc::Global>>>::from(v14);

    // Truncate to 151 elements, more than the builder holds.
    let v19: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v20 = 151;
    builder::BufferBuilder::<i64>::truncate(v19, v20);

    // Advance by 219 elements.
    let v27: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v28 = 219;
    builder::BufferBuilder::<i64>::advance(v27, v28);

    // Miri reports the undefined behavior inside this call.
    let v33: &'_ mut builder::BufferBuilder::<i64> = &mut v15;
    let v34 = builder::BufferBuilder::<i64>::as_slice_mut(v33);
}
```
The error message Miri reports is as follows:
```
error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 2960 bytes, but got alloc319 which is only 1792 bytes from the end of the allocation
   --> /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:299:18
    |
299 |         unsafe { std::slice::from_raw_parts_mut(self.buffer.as_mut_ptr() as _, self.len) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
help: alloc319 was allocated here:
   --> src/main.rs:12:5
    |
 12 |     builder::BufferBuilder::<i64>::advance(v27, v28);
    |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    = note: BACKTRACE (of the first span):
    = note: inside `arrow_buffer::BufferBuilder::<i64>::as_slice_mut` at /home/chenyl/projects/check_UB/arrow-buffer-57.2.0/src/builder/mod.rs:299:18: 299:89
note: inside `main`
   --> src/main.rs:14:15
    |
 14 |     let v34 = builder::BufferBuilder::<i64>::as_slice_mut(v33);
    |               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error; 1 warning emitted
```
To Reproduce
Steps to reproduce the behavior:
- Copy this code snippet.
- Select the rustc version: nightly-2025-12-06-x86_64-unknown-linux-gnu
- Install Miri, then run `cargo miri run`
Expected behavior
There should not be any undefined behavior.
Additional context
The OS I use is Linux Ubuntu.
We’d appreciate it if you could take a look and confirm whether this behavior indicates a real issue, or if it’s a false positive or an expected limitation of Miri.
Thank you very much for your time and for maintaining this great project!
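The 2960-byte figure in the Miri output equals (151 + 219) × 8, the size of 370 `i64` elements. The following is an added example, not part of the original report and not arrow-buffer's source: a safe-Rust model that replays the reported call sequence and compares the bytes a slice would span with the bytes actually held. `ModelBuilder`, `truncate_unchecked`, `truncate_clamped` and `replay` are hypothetical names, and the unchecked truncate behaviour is an assumption inferred from the numbers in the error message.

```rust
// Simplified model, NOT arrow-buffer's source: the element count is tracked
// separately from the byte buffer, as the reported slice length suggests.
const W: usize = std::mem::size_of::<i64>();

struct ModelBuilder {
    bytes: Vec<u8>, // backing storage
    len: usize,     // number of i64 elements the builder believes it holds
}

impl ModelBuilder {
    fn from_vec(v: &[i64]) -> Self {
        let bytes = v.iter().flat_map(|x| x.to_le_bytes()).collect();
        Self { bytes, len: v.len() }
    }
    // Assumed behaviour: the requested count is stored even when it exceeds
    // the current one, while the byte buffer itself can only shrink.
    fn truncate_unchecked(&mut self, len: usize) {
        self.bytes.truncate(len * W);
        self.len = len;
    }
    // Hardened variant: truncation may never raise the element count.
    fn truncate_clamped(&mut self, len: usize) {
        let len = len.min(self.len);
        self.bytes.truncate(len * W);
        self.len = len;
    }
    // Append `n` zeroed elements.
    fn advance(&mut self, n: usize) {
        self.bytes.resize(self.bytes.len() + n * W, 0);
        self.len += n;
    }
    // (bytes a `len`-element slice would span, bytes actually held)
    fn claimed_vs_held(&self) -> (usize, usize) {
        (self.len * W, self.bytes.len())
    }
}

// Replays the report's sequence: from [40, -63, 90], truncate(151), advance(219).
fn replay(clamped: bool) -> (usize, usize) {
    let mut b = ModelBuilder::from_vec(&[40, -63, 90]);
    if clamped { b.truncate_clamped(151) } else { b.truncate_unchecked(151) }
    b.advance(219);
    b.claimed_vs_held()
}

fn main() {
    println!("unchecked (claimed, held): {:?}", replay(false));
    println!("clamped   (claimed, held): {:?}", replay(true));
}
```

The model counts initialized bytes (1776 after the advance), whereas Miri reports the size of the allocation (1792); the claimed span of 2960 bytes exceeds both.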