Panic safety issue in `Zip::next_back()` TrustedRandomAccess specialization
```rust
if A::MAY_HAVE_SIDE_EFFECT && sz_a > self.len {
    for _ in 0..sz_a - self.len {
        self.a.next_back();
    }
    self.a_len = self.len;
}
```

```rust
} else if A::MAY_HAVE_SIDE_EFFECT && self.index < self.a_len {
    let i = self.index;
    self.index += 1;
    self.len += 1;
    // match the base implementation's potential side effects
    // SAFETY: we just checked that `i` < `self.a.len()`
    unsafe {
        self.a.__iterator_get_unchecked(i);
    }
    None
```
Yet another soundness bug in Zip's TRA specialization. Line 300 is not called when line 298 panics. This leaves `self.a_len` outdated, which results in calling `__iterator_get_unchecked()` with an invalid index in line 242.
Here is a playground link that demonstrates creating two mutable references to the same memory location without unsafe code.
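The stale-length condition described above can be observed in safe Rust with a toy model. This is an added example, not the standard library's code and not the playground from this report: `Cached`, `trim_update_after`, `trim_update_before` and `invariant_after_panic` are hypothetical names, and the source iterator is constructed to panic on one element. It only tracks whether the cached length still bounds the real length after an unwind, and compares that with one panic-safe ordering (updating the cache before each call that may panic).

```rust
use std::panic::{catch_unwind, AssertUnwindSafe};

/// Toy stand-in for the state Zip keeps: an iterator plus a cached copy of its length.
/// Invariant an unchecked indexed read would rely on: a_len <= a.len().
struct Cached<A> {
    a: A,
    a_len: usize,
}

impl<A: DoubleEndedIterator + ExactSizeIterator> Cached<A> {
    // Shape of the excerpt: the cache is refreshed only after the loop,
    // so a panic inside next_back() skips the update.
    fn trim_update_after(&mut self, len: usize) {
        for _ in 0..self.a_len - len {
            self.a.next_back();
        }
        self.a_len = len;
    }

    // Panic-safe ordering: shrink the cached length before each call that may panic.
    fn trim_update_before(&mut self, len: usize) {
        while self.a_len > len {
            self.a_len -= 1;
            self.a.next_back();
        }
    }

    fn invariant_holds(&self) -> bool {
        self.a_len <= self.a.len()
    }
}

/// Runs one trim strategy over a constructed source whose closure panics on
/// element 4, catches the unwind, and reports whether the invariant survived.
fn invariant_after_panic(update_before: bool) -> bool {
    let src = (0..6u32).map(|x| if x == 4 { panic!("constructed panic") } else { x });
    let a_len = src.len();
    let mut c = Cached { a: src, a_len };
    let _ = catch_unwind(AssertUnwindSafe(|| {
        if update_before { c.trim_update_before(2) } else { c.trim_update_after(2) }
    }));
    c.invariant_holds()
}

fn main() {
    println!("update after loop:  invariant holds = {}", invariant_after_panic(false));
    println!("update before call: invariant holds = {}", invariant_after_panic(true));
}
```

In the update-after variant the inner range has already shrunk to four elements when the closure panics, while the cached length still reads six; that gap is what an index check against the cached value would wrongly trust.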