Merge pull request #19374 from ziglang/slice-by-len-safety

add OOB safety check for by-length slice of array
2025-12-16 03:03:09 +00:00 · 2024-03-21 01:47:54 -07:00 · 2024-03-21 01:47:54 -07:00 · b5cef9e8b4
commit b5cef9e8b4
parent e831313b10 4d5e0a0434
2 changed files with 30 additions and 6 deletions
--- a/src/Sema.zig
+++ b/src/Sema.zig
@ -33284,12 +33284,16 @@ fn analyzeSlice(
                    try sema.addSafetyCheck(block, src, is_non_null, .unwrap_null);
                }

-                if (slice_ty.isSlice(mod)) {
-                    const slice_len_inst = try block.addTyOp(.slice_len, Type.usize, ptr_or_slice);
-                    const actual_len = if (slice_ty.sentinel(mod) == null)
-                        slice_len_inst
-                    else
-                        try sema.analyzeArithmetic(block, .add, slice_len_inst, .one, src, end_src, end_src, true);
+                bounds_check: {
+                    const actual_len = if (array_ty.zigTypeTag(mod) == .Array)
+                        try mod.intRef(Type.usize, array_ty.arrayLenIncludingSentinel(mod))
+                    else if (slice_ty.isSlice(mod)) l: {
+                        const slice_len_inst = try block.addTyOp(.slice_len, Type.usize, ptr_or_slice);
+                        break :l if (slice_ty.sentinel(mod) == null)
+                            slice_len_inst
+                        else
+                            try sema.analyzeArithmetic(block, .add, slice_len_inst, .one, src, end_src, end_src, true);
+                    } else break :bounds_check;

                    const actual_end = if (slice_sentinel != null)
                        try sema.analyzeArithmetic(block, .add, end, .one, src, end_src, end_src, true)
--- a/test/cases/safety/out
+++ b/test/cases/safety/out
@ -0,0 +1,20 @@
+const std = @import("std");
+
+pub fn panic(message: []const u8, stack_trace: ?*std.builtin.StackTrace, _: ?usize) noreturn {
+    _ = stack_trace;
+    if (std.mem.eql(u8, message, "index out of bounds: index 16, len 5")) {
+        std.process.exit(0);
+    }
+    std.process.exit(1);
+}
+pub fn main() !void {
+    var buf: [5]u8 = undefined;
+    _ = buf[foo(6)..][0..10];
+    return error.TestFailed;
+}
+fn foo(a: u32) u32 {
+    return a;
+}
+// run
+// backend=llvm
+// target=native