Bug 1894830 - Upgrade fallible_collections to 0.4.9 for soundness fix…

…es. r=supply-chain-reviewers

Because fallible_collections pulls hashbrown 0.13, we also upgrade
hashlink to 0.8.2, which updates to that version as well. Those were the
last two uses of hashbrown 0.12, so we can update the fake hashbrown
0.12 to 0.13.

We could skip the upgrade of hashlink, but that would leave us with two
fake hashbrowns, and we'd hit rust-lang/cargo#13405

Differential Revision: https://phabricator.services.mozilla.com/D209317

build/rust/hashbrown/Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "hashbrown"
-version = "0.12.999"
+version = "0.13.999"
 edition = "2021"
 
 [lib]

build/workspace-hack/Cargo.toml

@@ -28,7 +28,7 @@ futures-sink = { version = "0.3", optional = true }
 futures-core = { version = "0.3", optional = true }
 futures-util = { version = "0.3", features = ["channel", "io", "sink"], optional = true }
 getrandom = { version = "0.2", default-features = false, features = ["std"], optional = true }
-hashbrown = { version = "0.12", optional = true }
+hashbrown = { version = "0.13", optional = true }
 hyper = { version = "0.14", features = ["full"], optional = true }
 indexmap = { version = "1", default-features = false, features = ["serde-1", "std"], optional = true }
 libc = { version = "0.2", features = ["extra_traits"] }

supply-chain/audits.toml

@@ -1688,6 +1688,12 @@ criteria = "safe-to-deploy"
 delta = "0.4.5 -> 0.4.6"
 notes = "The changes in this version are mine."
 
+[[audits.fallible_collections]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.4.6 -> 0.4.9"
+notes = "Mostly soundness fixes."
+
 [[audits.fastrand]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
@@ -2169,6 +2175,12 @@ who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-deploy"
 delta = "0.7.0 -> 0.8.1"
 
+[[audits.hashlink]]
+who = "Mike Hommey <mh+mozilla@glandium.org>"
+criteria = "safe-to-deploy"
+delta = "0.8.1 -> 0.8.2"
+notes = "Only dependency changes."
+
 [[audits.headers]]
 who = "Mike Hommey <mh+mozilla@glandium.org>"
 criteria = "safe-to-run"

third_party/rust/fallible_collections/.cargo-checksum.json

@@ -1 +1 @@
-{"files":{"Cargo.toml":"8ecacb7ad2f59391ae3247157c01c6d6508095f53ba466c3e3b554891b3e941f","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"0621878e61f0d0fda054bcbe02df75192c28bde1ecc8289cbd86aeba2dd72720","README.md":"5b817b980bb39f4bee82913daf9d1ef39d1cb9e790b85ab000f735a962ce596d","src/arc.rs":"3cf237ae0acb5b058a57b633170f079024455271e9420e5a9244bafbdeb90b1c","src/boxed.rs":"1f19ad48ab3a1f41cca3756f3fdbc22e97f50a9121511222afcfe1859faf50fa","src/btree.rs":"b83820fc2a00e2e34127b3037abde8b945f0ca2785f3def725787e6813c3d3e0","src/btree/map.rs":"557ce3ff2d02c425adcb2b4ac53b6b6607c25c535aee8ffa4f12bf773fbcd763","src/btree/node.rs":"d943949b8938b5888245d6560efd386c6ae78d23fc3a7a0cc5b06f4da8f4c1c1","src/btree/search.rs":"ae78f73f3e56ea277b0a02cc39454447b75e12a6c817ecfee00065b3ddbfff67","src/btree/set.rs":"607f0db0b189c39b41824fbbf6fd8d9c5fdf85cc40f4437b13152e7b86d2979f","src/format.rs":"5142970f6ac1fe66f667ee2565af786802e93e6728ec3a1b82ffaa9f6a6b5bce","src/hashmap.rs":"1b9bf03fd2f2d9412ea2dad6963e1d37d51662e7091424bfcdc44a502f4e64bc","src/lib.rs":"652532126fdc2a81a927d23e4e4ad810911ee5d398f35f82650b5b4ec9fc5576","src/rc.rs":"f327a0adcfd2b1e225913ae716deb96777ca562985ac64e3b83550111f809864","src/try_clone.rs":"725130e0ddacde1ff7c976de62fbe45d01c67412af395aa41cac4bcfb85f6a5f","src/vec.rs":"27369a12a66deff0fe3fc57eae0f3a639e98b968d92e10eff9d4b7af8354a9d4"},"package":"3f57ccc32870366ae684be48b32a1a2e196f98a42a9b4361fe77e13fd4a34755"}
+{"files":{"Cargo.toml":"050bb460a70e6ddd572fdf118e5d52ae8dc1c7801af6475ef2ab9dfd34d963ab","LICENSE-APACHE":"a60eea817514531668d7e00765731449fe14d059d3249e0bc93b36de45f759f2","LICENSE-MIT":"0621878e61f0d0fda054bcbe02df75192c28bde1ecc8289cbd86aeba2dd72720","README.md":"63b0c7dac05e6dfba32dcd4cb8e671bb8b72525f67a6b17fa5b8f10fd2cab047","src/arc.rs":"fda02f28d359193cbc0ec988b7c8149e9212c1951dff9cba6041a9ebd7fa3f17","src/boxed.rs":"8d7b3afc19e27ca51a843490d346319807cfdcc268355272c3164756fd63c242","src/btree.rs":"b83820fc2a00e2e34127b3037abde8b945f0ca2785f3def725787e6813c3d3e0","src/btree/map.rs":"557ce3ff2d02c425adcb2b4ac53b6b6607c25c535aee8ffa4f12bf773fbcd763","src/btree/node.rs":"49feca8742513b1c29d2f949c1eb1b178b538097ae94ba9dc31b8323a6423ea6","src/btree/search.rs":"ae78f73f3e56ea277b0a02cc39454447b75e12a6c817ecfee00065b3ddbfff67","src/btree/set.rs":"607f0db0b189c39b41824fbbf6fd8d9c5fdf85cc40f4437b13152e7b86d2979f","src/format.rs":"5142970f6ac1fe66f667ee2565af786802e93e6728ec3a1b82ffaa9f6a6b5bce","src/hashmap.rs":"1b9bf03fd2f2d9412ea2dad6963e1d37d51662e7091424bfcdc44a502f4e64bc","src/lib.rs":"71c5dc986ad58a4515604a73a4b7f4d8b6f43d2831993ee8612c99978ff2bb42","src/rc.rs":"f327a0adcfd2b1e225913ae716deb96777ca562985ac64e3b83550111f809864","src/try_clone.rs":"725130e0ddacde1ff7c976de62fbe45d01c67412af395aa41cac4bcfb85f6a5f","src/try_reserve_error.rs":"5e8db6a538225e66fec5d9d3a4314939b5b0428180676eb55ab928875e4feefd","src/vec.rs":"4268ae1de90750c21503fc84bdbf46cd6ccf76e33ae7f7daf8050fb29b839db1"},"package":"a88c69768c0a15262df21899142bc6df9b9b823546d4b4b9a7bc2d6c448ec6fd"}

third_party/rust/fallible_collections/Cargo.toml

@@ -12,7 +12,7 @@
 [package]
 edition = "2018"
 name = "fallible_collections"
-version = "0.4.6"
+version = "0.4.9"
 authors = ["vcombey <vcombey@student.42.fr>"]
 description = "a crate which adds fallible allocation api to std collections"
 readme = "README.md"
@@ -24,9 +24,12 @@ license = "MIT/Apache-2.0"
 repository = "https://github.com/vcombey/fallible_collections.git"
 
 [dependencies.hashbrown]
-version = "0.12.1"
+version = "0.13"
+optional = true
 
 [features]
+default = ["hashmap"]
+hashmap = ["hashbrown"]
 rust_1_57 = []
 std = []
 std_io = ["std"]

third_party/rust/fallible_collections/README.md

@@ -17,7 +17,8 @@ It is recommended to look there for the newest released version, as well as link
 At the point of the last update of this README, the latest published version could be used like this:
 
 Add the following dependency to your Cargo manifest...
-Add feature std and rust_1_57 to use the stabilized try_reserve api and the std HashMap type.
+Add feature std and rust_1_57 to use the stabilized try_reserve api and the std HashMap type. Obviously, you cannot combine it with the 'unstable' feature.
+Add integration tests that can be run with the tiny_integration_tester command.
 
 ```toml
 [dependencies]

third_party/rust/fallible_collections/src/arc.rs

@@ -1,15 +1,20 @@
 //! Implement a Fallible Arc
+#[cfg(any(not(feature = "unstable"), feature = "rust_1_57"))]
 use super::FallibleBox;
 use super::TryClone;
-
 use crate::TryReserveError;
+
+#[cfg(any(not(feature = "unstable"), feature = "rust_1_57"))]
 use alloc::boxed::Box;
 use alloc::sync::Arc;
 
 /// trait to implement Fallible Arc
-#[deprecated(
-	since = "0.3.1",
-	note = "⚠️️️this function is not completely fallible, it can panic !, see [issue](https://github.com/vcombey/fallible_collections/issues/13). help wanted"
+#[cfg_attr(
+    any(not(feature = "unstable"), feature = "rust_1_57"),
+    deprecated(
+        since = "0.3.1",
+        note = "⚠️️️this function is not completely fallible, it can panic !, see [issue](https://github.com/vcombey/fallible_collections/issues/13). help wanted"
+    )
 )]
 pub trait FallibleArc<T> {
     /// try creating a new Arc, returning a Result<Box<T>,
@@ -22,10 +27,24 @@ pub trait FallibleArc<T> {
 #[allow(deprecated)]
 impl<T> FallibleArc<T> for Arc<T> {
     fn try_new(t: T) -> Result<Self, TryReserveError> {
-        // doesn't work as the inner variable of arc are also stocked in the box
-
-        let b = <Box<T> as FallibleBox<T>>::try_new(t)?;
-        Ok(Arc::from(b))
+        #[cfg(any(not(feature = "unstable"), feature = "rust_1_57"))]
+        {
+            // doesn't work as the inner variable of arc are also stocked in the box
+            let b = <Box<T> as FallibleBox<T>>::try_new(t)?;
+            Ok(Arc::from(b))
+        }
+        #[cfg(all(feature = "unstable", not(feature = "rust_1_57")))]
+        {
+            use alloc::alloc::Layout;
+            use alloc::collections::TryReserveErrorKind;
+            Arc::try_new(t).map_err(|_e| {
+                TryReserveErrorKind::AllocError {
+                    layout: Layout::new::<Arc<T>>(), // This is bullshit
+                    non_exhaustive: (),
+                }
+                .into()
+            })
+        }
     }
 }
 

third_party/rust/fallible_collections/src/boxed.rs

@@ -64,19 +64,22 @@ impl<T> Deref for TryBox<T> {
 }
 
 fn alloc(layout: Layout) -> Result<NonNull<u8>, TryReserveError> {
-    #[cfg(feature = "unstable")] // requires allocator_api
+    #[cfg(all(feature = "unstable", not(feature = "rust_1_57")))] // requires allocator_api
     {
+        use alloc::collections::TryReserveErrorKind;
         use core::alloc::Allocator;
         alloc::alloc::Global
             .allocate(layout)
-            .map_err(|_e| TryReserveError::AllocError {
-                layout,
-                #[cfg(not(feature = "rust_1_57"))]
-                non_exhaustive: (),
+            .map_err(|_e| {
+                TryReserveErrorKind::AllocError {
+                    layout,
+                    non_exhaustive: (),
+                }
+                .into()
             })
             .map(|v| v.cast())
     }
-    #[cfg(not(feature = "unstable"))]
+    #[cfg(any(not(feature = "unstable"), feature = "rust_1_57"))]
     {
         match layout.size() {
             0 => {

third_party/rust/fallible_collections/src/btree/node.rs

@@ -670,8 +670,8 @@ impl<'a, K, V> NodeRef<marker::Mut<'a>, K, V, marker::Leaf> {
         let idx = self.len();
 
         unsafe {
-            ptr::write(self.keys_mut().get_unchecked_mut(idx), key);
-            ptr::write(self.vals_mut().get_unchecked_mut(idx), val);
+            ptr::write(self.keys_mut().as_mut_ptr().add(idx), key);
+            ptr::write(self.vals_mut().as_mut_ptr().add(idx), val);
 
             (*self.as_leaf_mut()).len += 1;
         }
@@ -703,11 +703,14 @@ impl<'a, K, V> NodeRef<marker::Mut<'a>, K, V, marker::Internal> {
         let idx = self.len();
 
         unsafe {
-            ptr::write(self.keys_mut().get_unchecked_mut(idx), key);
-            ptr::write(self.vals_mut().get_unchecked_mut(idx), val);
+            ptr::write(self.keys_mut().as_mut_ptr().add(idx), key);
+            ptr::write(self.vals_mut().as_mut_ptr().add(idx), val);
             self.as_internal_mut()
                 .edges
-                .get_unchecked_mut(idx + 1)
+                .as_mut_ptr()
+                .add(idx + 1)
+                .as_mut()
+                .unwrap()
                 .write(edge.node);
 
             (*self.as_leaf_mut()).len += 1;
@@ -1002,7 +1005,7 @@ impl<'a, K, V> Handle<NodeRef<marker::Mut<'a>, K, V, marker::Leaf>, marker::Edge
 
             (*self.node.as_leaf_mut()).len += 1;
 
-            self.node.vals_mut().get_unchecked_mut(self.idx)
+            self.node.vals_mut().as_mut_ptr().add(self.idx)
         }
     }
 
@@ -1156,8 +1159,8 @@ impl<'a, K: 'a, V: 'a, NodeType> Handle<NodeRef<marker::Mut<'a>, K, V, NodeType>
         let (keys, vals) = self.node.into_slices_mut();
         unsafe {
             (
-                keys.get_unchecked_mut(self.idx),
-                vals.get_unchecked_mut(self.idx),
+                keys.as_mut_ptr().add(self.idx).as_mut().unwrap(),
+                vals.as_mut_ptr().add(self.idx).as_mut().unwrap(),
             )
         }
     }
@@ -1168,8 +1171,8 @@ impl<'a, K, V, NodeType> Handle<NodeRef<marker::Mut<'a>, K, V, NodeType>, marker
         unsafe {
             let (keys, vals) = self.node.reborrow_mut().into_slices_mut();
             (
-                keys.get_unchecked_mut(self.idx),
-                vals.get_unchecked_mut(self.idx),
+                keys.as_mut_ptr().add(self.idx).as_mut().unwrap(),
+                vals.as_mut_ptr().add(self.idx).as_mut().unwrap(),
             )
         }
     }
@@ -1338,7 +1341,7 @@ impl<'a, K, V> Handle<NodeRef<marker::Mut<'a>, K, V, marker::Internal>, marker::
 
         unsafe {
             ptr::write(
-                left_node.keys_mut().get_unchecked_mut(left_len),
+                left_node.keys_mut().as_mut_ptr().add(left_len),
                 slice_remove(self.node.keys_mut(), self.idx),
             );
             ptr::copy_nonoverlapping(
@@ -1347,7 +1350,7 @@ impl<'a, K, V> Handle<NodeRef<marker::Mut<'a>, K, V, marker::Internal>, marker::
                 right_len,
             );
             ptr::write(
-                left_node.vals_mut().get_unchecked_mut(left_len),
+                left_node.vals_mut().as_mut_ptr().add(left_len),
                 slice_remove(self.node.vals_mut(), self.idx),
             );
             ptr::copy_nonoverlapping(
@@ -1662,7 +1665,7 @@ unsafe fn slice_insert<T>(slice: &mut [T], idx: usize, val: T) {
         slice.as_mut_ptr().add(idx + 1),
         slice.len() - idx,
     );
-    ptr::write(slice.get_unchecked_mut(idx), val);
+    ptr::write(slice.as_mut_ptr().add(idx), val);
 }
 
 unsafe fn slice_remove<T>(slice: &mut [T], idx: usize) -> T {

third_party/rust/fallible_collections/src/lib.rs

@@ -22,16 +22,22 @@
 //! can't return a Result to indicate allocation failure.
 
 #![cfg_attr(not(test), no_std)]
-#![cfg_attr(all(feature = "unstable", not(feature = "rust_1_57")), feature(try_reserve))]
+#![cfg_attr(feature = "unstable", feature(try_reserve_kind))]
 #![cfg_attr(feature = "unstable", feature(min_specialization))]
 #![cfg_attr(feature = "unstable", feature(allocator_api))]
 #![cfg_attr(feature = "unstable", feature(dropck_eyepatch))]
 #![cfg_attr(feature = "unstable", feature(ptr_internals))]
 #![cfg_attr(feature = "unstable", feature(core_intrinsics))]
-#![cfg_attr(all(feature = "unstable", not(feature = "rust_1_57")), feature(maybe_uninit_ref))]
 #![cfg_attr(feature = "unstable", feature(maybe_uninit_slice))]
-#![cfg_attr(feature = "unstable", feature(maybe_uninit_extra))]
 #![cfg_attr(feature = "unstable", feature(maybe_uninit_uninit_array))]
+
+#[cfg(all(feature = "unstable", feature = "rust_1_57"))]
+compile_error!(
+    "The use of the 'unstable' feature combined with the \
+'rust_1_57' feature, which is related to the partial stabilization \
+of the allocator API since rustc version 1.57, does not make sense!"
+);
+
 extern crate alloc;
 #[cfg(feature = "std")]
 extern crate std;
@@ -47,18 +53,16 @@ pub mod arc;
 pub use arc::*;
 #[cfg(feature = "unstable")]
 pub mod btree;
-#[cfg(not(feature = "unstable"))]
+#[cfg(all(feature = "hashmap", not(feature = "unstable")))]
 pub mod hashmap;
-#[cfg(not(feature = "unstable"))]
+#[cfg(all(feature = "hashmap", not(feature = "unstable")))]
 pub use hashmap::*;
 #[macro_use]
 pub mod format;
 pub mod try_clone;
 
-#[cfg(all(feature = "unstable", not(feature = "rust_1_57")))]
-pub use alloc::collections::TryReserveError;
-#[cfg(not(all(feature = "unstable", not(feature = "rust_1_57"))))]
-pub use hashbrown::TryReserveError;
+pub mod try_reserve_error;
+pub use try_reserve_error::TryReserveError;
 
 #[cfg(feature = "std_io")]
 pub use vec::std_io::*;
@@ -81,7 +85,7 @@ pub trait TryClone {
 }
 
 #[cfg(feature = "rust_1_57")]
-fn make_try_reserve_error(len: usize, additional: usize, elem_size: usize, align: usize) -> hashbrown::TryReserveError {
+fn make_try_reserve_error(len: usize, additional: usize, elem_size: usize, align: usize) -> TryReserveError {
     if let Some(size) = len.checked_add(additional).and_then(|l| l.checked_mul(elem_size)) {
         if let Ok(layout) = alloc::alloc::Layout::from_size_align(size, align) {
             return TryReserveError::AllocError { layout }

third_party/rust/fallible_collections/src/try_reserve_error.rs

@@ -0,0 +1,19 @@
+#[cfg(all(feature = "unstable", not(feature = "rust_1_57")))]
+pub use alloc::collections::TryReserveError;
+#[cfg(all(feature = "hashmap", not(all(feature = "unstable", not(feature = "rust_1_57")))))]
+pub use hashbrown::TryReserveError;
+
+/// The error type for `try_reserve` methods.
+#[cfg(all(not(feature = "hashmap"), not(all(feature = "unstable", not(feature = "rust_1_57")))))]
+#[derive(Clone, PartialEq, Eq, Debug)]
+pub enum TryReserveError {
+    /// Error due to the computed capacity exceeding the collection's maximum
+    /// (usually `isize::MAX` bytes).
+    CapacityOverflow,
+
+    /// The memory allocator returned an error
+    AllocError {
+        /// The layout of the allocation request that failed.
+        layout: alloc::alloc::Layout,
+    },
+}

third_party/rust/fallible_collections/src/vec.rs

@@ -515,7 +515,7 @@ impl<T> FallibleVec<T> for Vec<T> {
             self.try_reserve(additional)
         }
 
-        #[cfg(not(feature = "rust_1_57"))]
+        #[cfg(all(not(feature = "unstable"), not(feature = "rust_1_57")))]
         {
             vec_try_reserve(self, additional)
         }
@@ -624,7 +624,7 @@ impl<T> FallibleVec<T> for Vec<T> {
         let mut iterator = other.iter();
         while let Some(element) = iterator.next() {
             unsafe {
-                core::ptr::write(self.get_unchecked_mut(len), element.try_clone()?);
+                core::ptr::write(self.as_mut_ptr().add(len), element.try_clone()?);
                 // NB can't overflow since we would have had to alloc the address space
                 len += 1;
                 self.set_len(len);