Broken validity invariants in TaggedHandle::<T>::from_float/from_tag

[shinmao]

The source of unsoundness

zub-vm/src/vm/gc/tag.rs

Lines 42 to 48 in c82244e

	pub fn from_float(float: f64) -> Self {
	TaggedHandle {
	handle: Handle {
	gen: 0,
	ptr: unsafe { ::std::mem::transmute(float) },
	},
	}

Hi, we consider that the api has an unsound implementation. In this function, f64 can be transmuted to arbitrary types specified as T in TaggedHandle. However, this could break the validity invariants by producing invalid values for types. Broken validity invariant is considered undefined behavior in Rust. Even though decode api is provided to return Float again, but validity invariant is required to be hold anywhere in the program! Similar unsound implementation in from_tag.

To reproduce the bug

use zub::vm::gc::tag::TaggedHandle;

fn main() {
    let bool_tag = TaggedHandle::<bool>::from_float(3.7_f64);
    println!("{:?}", bool_tag);
}

Here, we first specified the handle in TaggedHandle to be Handle<bool>. When from_float is called, it will transmute the provided float to bool. With Handle<bool>,

pub struct Handle<bool> {
    gen: Generation,
    ptr: *mut bool,
}

and take a look at the printed results,

TaggedHandle { handle: Handle { gen: 0, ptr: 0x400d99999999999a } }

ptr as bool type has the value other than 0 or 1.

[zesterer]

I believe this crate has been unmaintained for quite a while. I would not recommend using it without first forking it and performing heavy maintenance on it.