safety-dance icon indicating copy to clipboard operation
safety-dance copied to clipboard
verified publisher icon rust-secure-code

Audit crossbeam

Open yoshuawuyts opened this issue 6 years ago • 3 comments

https://crates.io/crates/crossbeam has about 6000 downloads a day*, has 162 inverse dependencies (of which a non-zero amount operates on untrusted input) and is generally considered a core piece of infrastructure.

A cursory search points to 67 references of unsafe, in addition to 106 references to atomics which probably makes it a suitable candidate for an audit.

*Probably more since crossbeam is a defacto repackage of several smaller crossbeam-* modules.

yoshuawuyts avatar Jul 27 '19 22:07 yoshuawuyts

WOW THEY'RE USING AN offset_of! MACRO

THAT'S A GOOD PLAN.

(it's never a good plan)

Lokathor avatar Jul 27 '19 23:07 Lokathor

See also rust-lang/unsafe-code-guidelines#158

64 avatar Jul 28 '19 09:07 64

Not directly relevant to auditing crossbeam itself, but I've noticed they're pulling in a dependency with 170 unsafe expressions just to write a few lines with it, so I've replaced it with ad-hoc safe code: https://github.com/crossbeam-rs/crossbeam/pull/414

Shnatsel avatar Sep 08 '19 13:09 Shnatsel