bucket_mask_to_capacity() integer overflow when bucket_mask == usize::MAX #734

Description

@yanfenghu

Hi,

I found a potential integer overflow issue through Kani formal verification.

Location: src/raw.rs:189

Current Code:

fn bucket_mask_to_capacity(bucket_mask: usize) -> usize {
    if bucket_mask < 8 {
        bucket_mask
    } else {
        ((bucket_mask + 1) / 8) * 7 // Overflow when bucket_mask == usize::MAX!
    }
}

Problem:

When bucket_mask = usize::MAX:

bucket_mask + 1 wraps to 0

Returns 0 instead of correct capacity

Suggested Fix:

fn bucket_mask_to_capacity(bucket_mask: usize) -> usize {
    if bucket_mask < 8 {
        bucket_mask
    } else {
        bucket_mask
            .checked_add(1)
            .map(|bm| (bm / 8) * 7)
            .unwrap_or(usize::MAX)
    }
}

Could you please confirm if this is a valid concern?
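The following is an added, stand-alone example (not hashbrown's code and not part of the report above) that puts the reported arithmetic next to the suggested checked version so the divergence at usize::MAX can be exercised directly. The function names, the use of wrapping_add to make release-mode wrapping explicit (a plain + would panic in a debug build rather than wrap), and the optional Kani harness are this example's own assumptions.

```rust
// Added example (not hashbrown's code): models the overflow reported in the
// issue and the proposed checked fix side by side.

/// Mirrors the original arithmetic, with the release-mode wrapping made
/// explicit via `wrapping_add` so the example behaves the same in debug and
/// release builds (a plain `+` would panic in debug builds instead of wrapping).
pub fn bucket_mask_to_capacity_wrapping(bucket_mask: usize) -> usize {
    if bucket_mask < 8 {
        bucket_mask
    } else {
        (bucket_mask.wrapping_add(1) / 8) * 7
    }
}

/// The checked variant suggested in the issue: saturates to `usize::MAX`
/// instead of yielding a capacity of 0 when `bucket_mask + 1` overflows.
pub fn bucket_mask_to_capacity_checked(bucket_mask: usize) -> usize {
    if bucket_mask < 8 {
        bucket_mask
    } else {
        bucket_mask
            .checked_add(1)
            .map(|bm| (bm / 8) * 7)
            .unwrap_or(usize::MAX)
    }
}

/// Returns `true` when the two variants disagree for `bucket_mask`; the only
/// input for which `bucket_mask + 1` overflows, and so the only such input,
/// is `usize::MAX`.
pub fn variants_disagree(bucket_mask: usize) -> bool {
    bucket_mask_to_capacity_wrapping(bucket_mask)
        != bucket_mask_to_capacity_checked(bucket_mask)
}

/// Kani proof harness (assumption: Kani is installed and this is run with
/// `cargo kani`); `cfg(kani)` compiles it out of ordinary builds. It states
/// the property the issue is about: for every mask >= 8, the checked version
/// never collapses the capacity to 0.
#[cfg(kani)]
#[kani::proof]
fn capacity_never_collapses_to_zero_for_large_masks() {
    let mask: usize = kani::any();
    kani::assume(mask >= 8);
    assert!(bucket_mask_to_capacity_checked(mask) > 0);
}

fn main() {
    // Constructed sample masks: small, two power-of-two-minus-one values, and the edge case.
    for mask in [7usize, 15, 1023, usize::MAX] {
        println!(
            "mask={mask:#x}: wrapping={} checked={}",
            bucket_mask_to_capacity_wrapping(mask),
            bucket_mask_to_capacity_checked(mask)
        );
    }
}
```

Whether usize::MAX is actually reachable as a bucket_mask depends on the caller's invariants (in this function's context the mask is derived from the bucket count), which is the question the report asks the maintainers to confirm; the example only makes the two behaviours observable.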
