Length mismatch in array init causes buffer overflow

[PatrickNorton]

When initializing an array, the value put in the length field is equal to the total number of allocated bytes, not the number of elements the array can hold.

Example:

use std::mem::MaybeUninit;
use crossbeam::epoch::*;

pub fn main() {
	let owned = Owned::<[MaybeUninit<usize>]>::init(10);
	let arr: &[MaybeUninit<usize>] = &*owned;
	println!("{}", arr.len());
}

This should print 10, but prints 88. In particular, it has only allocated space for 10 elements of data, so creation of arr in the example is UB.

[PatrickNorton]

I think the issue is in <[MaybeUninit<T>] as Pointable>::init(): (*ptr).size = size sets the length to the allocated size (in bytes) instead of the actual size (in elements).

[taiki-e]

Thanks! I filed #694 to fix this.

[PatrickNorton]

Beat me to it by a few seconds! I also filed #695.

[taiki-e]

Sorry, I didn't notice you were writing a patch to fix this...

[PatrickNorton]

No worries, I like your patch better than mine anyways :).