Should there be informational advisories against old versions of crates that construct uninitialized integers?

[saethlin]

The standard library has a stern warning against use of mem::uninitialized that it sort of walks back at the end:

Worse, truly uninitialized memory like what gets returned here is special in that the compiler knows that it does not have a fixed value. This makes it undefined behavior to have uninitialized data in a variable even if that variable has an integer type. (Notice that the rules around uninitialized integers are not finalized yet, but until they are, it is advisable to avoid them.)

There has been a slow but very broad ecosystem move away from this function. For example, itoa published a 1.0 release 2 months ago which removes use of this function. bytes used to use it too, as well as crossbeam. I've run cargo audit on crates that depend on versions of these crates which call mem::uninitialized and I don't come up with anything for itoa, bytes, or crossbeam. I've selected these crates specifically to call out, because I know they construct uninit instances of u8 or usize and I know that pre-patch versions of them are in use.

I think it would be fair to indicate to users that they should upgrade, given how long it's been since a patch and that itoa changed basically not at all with 1.0. But does "constructs uninit integers" meet the bar for a RustSec advisory in light of the fact that it's definitely a bad idea, but unclear if it's UB? It's unclear to my mind if this is the same kind of thing as assuming the layout of SocketAddr.

---

I made the mistake of mentioning mem::uninitialized too much above. There are also instances where MaybeUninit::assume_init is called on uninitialized integers, and I think those should be considered in the same category.

[saethlin]

Oh this should definitely be a Discussion sigh

[tarcieri]

@saethlin went ahead and converted it to a "Discussion".

My personal take is I think it would be good to file informational advisories about usages of mem::uninitialized, especially in the latest releases of crates but potentially also if there are older versions which are still being widely used.

Curious what others think cc @Shnatsel @alex

[saethlin]

Oops, I tried to clarify above just now, but I didn't mean to focus too much of mem::uninitialized. There are instances like this, where MaybeUninit::assume_init is incorrectly called on integer data: crossbeam-rs/crossbeam#779

[pinkforest]

So update on itoa - thanks @saethlin too - I wanted to clarify with the maintainer & contributors around the issue on that crate to see and whether we should have an advisory - e.g. informational or not - on it and it became obvious that in itoa case that it would be highly controversial - I cited unicase as precedent: #1176 to close the issue.

I think it would be important in the case of informational advisories if we get the maintainer to agree that it would be the best idea to flag something then we can go with it -

But unless we have concrete issue I would veer towards caution to flag anything downstream.

[pinkforest]

I raised about itoa here - #1404

We could perhaps use the informational = notice here

I would love to be able to flag std functions as unsound ..