zipora 2.1.5

High-performance Rust implementation providing advanced data structures and compression algorithms with memory safety guarantees. Features LRU page cache, sophisticated caching layer, fiber-based concurrency, real-time compression, secure memory pools, SIMD optimizations, and complete C FFI for migration from C++.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320

//! Security tests for MemoryPool thread safety vulnerabilities
//!
//! WARNING: These tests demonstrate actual vulnerabilities in the current implementation.
//! They may cause crashes, data corruption, or undefined behavior.

use std::sync::{Arc, Barrier};
use std::thread;
use std::time::Duration;
use zipora::memory::{MemoryPool, PoolConfig};

#[test]
#[ignore] // Ignore by default as it may crash
fn test_use_after_free_vulnerability() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 10, 8)).unwrap());
    let barrier = Arc::new(Barrier::new(2));

    let pool1 = pool.clone();
    let barrier1 = barrier.clone();

    let handle1 = thread::spawn(move || {
        let ptr = pool1.allocate().unwrap();
        let raw_ptr = ptr.as_ptr(); // Extract raw pointer
        let raw_addr = raw_ptr as usize; // Convert to address for sending between threads

        // Write identifiable pattern
        unsafe {
            for i in 0..8 {
                raw_ptr.add(i).write(0xAA);
            }
        }

        // Deallocate
        pool1.deallocate(ptr).unwrap();

        // Signal that we've deallocated
        barrier1.wait();

        // VULNERABILITY: We can still access the pointer after deallocation
        unsafe {
            // This is use-after-free!
            for i in 0..8 {
                raw_ptr.add(i).write(0xDD);
            }
        }

        raw_addr // Return address instead of raw pointer
    });

    let pool2 = pool.clone();
    let barrier2 = barrier.clone();

    let handle2 = thread::spawn(move || {
        // Wait for thread 1 to deallocate
        barrier2.wait();

        // We might get the same pointer that thread 1 just freed
        let ptr = pool2.allocate().unwrap();

        // Read potentially corrupted data
        let mut corrupted = false;
        unsafe {
            for i in 0..8 {
                let value = ptr.as_ptr().add(i).read();
                if value == 0xDD {
                    corrupted = true;
                    break;
                }
            }
        }

        pool2.deallocate(ptr).unwrap();
        corrupted
    });

    let _raw_addr1 = handle1.join().unwrap();
    let corrupted = handle2.join().unwrap();

    // This assertion might fail, demonstrating the vulnerability
    if corrupted {
        println!("VULNERABILITY CONFIRMED: Use-after-free detected!");
        println!("Thread 2 read data written by Thread 1 AFTER deallocation");
    }
}

#[test]
fn test_lost_deallocations_under_contention() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 100, 8)).unwrap());
    let initial_stats = pool.stats();

    // Create high contention scenario
    let handles: Vec<_> = (0..10)
        .map(|_| {
            let pool = pool.clone();
            thread::spawn(move || {
                let mut allocations = Vec::new();

                // Allocate multiple chunks
                for _ in 0..10 {
                    if let Ok(ptr) = pool.allocate() {
                        allocations.push(ptr);
                    }
                }

                // Try to deallocate under contention
                // Some of these might fail silently due to try_lock
                for ptr in allocations {
                    let _ = pool.deallocate(ptr);
                }
            })
        })
        .collect();

    for handle in handles {
        handle.join().unwrap();
    }

    // Give some time for any pending operations
    thread::sleep(Duration::from_millis(100));

    let final_stats = pool.stats();

    // Check if deallocations were lost
    if final_stats.dealloc_count < 100 {
        println!(
            "WARNING: Only {} deallocations recorded out of 100",
            final_stats.dealloc_count
        );
        println!("Lost deallocations: {}", 100 - final_stats.dealloc_count);
    }

    // Check for memory leaks
    if final_stats.allocated > initial_stats.allocated {
        println!(
            "MEMORY LEAK DETECTED: {} bytes leaked",
            final_stats.allocated - initial_stats.allocated
        );
    }
}

#[test]
fn test_stats_race_condition() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 50, 8)).unwrap());
    let barrier = Arc::new(Barrier::new(5));

    let handles: Vec<_> = (0..5)
        .map(|_| {
            let pool = pool.clone();
            let barrier = barrier.clone();

            thread::spawn(move || {
                barrier.wait(); // Ensure all threads start simultaneously

                // Rapid allocate/deallocate to cause stats races
                for _ in 0..100 {
                    if let Ok(ptr) = pool.allocate() {
                        // Immediate deallocation
                        let _ = pool.deallocate(ptr);
                    }
                }
            })
        })
        .collect();

    for handle in handles {
        handle.join().unwrap();
    }

    let stats = pool.stats();

    // With Relaxed ordering, these might not match
    let expected_allocs = 500; // 5 threads * 100 allocations
    let expected_deallocs = 500;

    if stats.alloc_count != expected_allocs {
        println!(
            "Stats race detected: Expected {} allocations, got {}",
            expected_allocs, stats.alloc_count
        );
    }

    if stats.dealloc_count != expected_deallocs {
        println!(
            "Stats race detected: Expected {} deallocations, got {}",
            expected_deallocs, stats.dealloc_count
        );
    }

    // Pool hits + misses should equal total allocations
    let total_pool_ops = stats.pool_hits + stats.pool_misses;
    if total_pool_ops != stats.alloc_count {
        println!(
            "Stats inconsistency: pool_hits({}) + pool_misses({}) != alloc_count({})",
            stats.pool_hits, stats.pool_misses, stats.alloc_count
        );
    }
}

#[test]
fn test_double_free_attempt() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 10, 8)).unwrap());

    let ptr = pool.allocate().unwrap();

    // First deallocation - should succeed
    assert!(pool.deallocate(ptr).is_ok());

    // Second deallocation of same pointer - VULNERABILITY!
    // This should fail but currently might succeed and corrupt the pool
    let result = pool.deallocate(ptr);

    if result.is_ok() {
        println!("VULNERABILITY: Double-free succeeded! Pool is now corrupted.");

        // Try to allocate - might get the same pointer twice
        let ptr1 = pool.allocate().unwrap();
        let ptr2 = pool.allocate().unwrap();

        if ptr1.as_ptr() == ptr.as_ptr() || ptr2.as_ptr() == ptr.as_ptr() {
            println!("CRITICAL: Same memory allocated multiple times!");
        }
    }
}

#[test]
#[should_panic]
#[ignore] // May cause undefined behavior
fn test_clear_during_active_use() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 10, 8)).unwrap());

    let pool1 = pool.clone();
    let handle = thread::spawn(move || {
        let mut ptrs = Vec::new();
        for _ in 0..5 {
            if let Ok(ptr) = pool1.allocate() {
                ptrs.push(ptr);
                unsafe {
                    // Write to allocated memory
                    ptr.as_ptr().write(42);
                }
            }
        }

        thread::sleep(Duration::from_millis(50));

        // Try to use the pointers after clear
        for ptr in ptrs {
            unsafe {
                // This might segfault if clear() was called
                let _value = ptr.as_ptr().read();
            }
        }
    });

    thread::sleep(Duration::from_millis(25));

    // Clear the pool while another thread is using it
    pool.clear().unwrap();

    handle.join().unwrap();
}

#[test]
fn test_send_sync_safety() {
    // This test verifies that the unsafe Send/Sync implementation
    // allows potentially dangerous cross-thread pointer sharing

    fn is_send<T: Send>() {}
    fn is_sync<T: Sync>() {}

    // These should NOT compile for a type containing raw pointers
    // but they do due to unsafe impl Send/Sync
    is_send::<MemoryPool>();
    is_sync::<MemoryPool>();

    println!("WARNING: MemoryPool implements Send/Sync despite containing raw pointers!");
    println!("This violates Rust's memory safety guarantees.");
}

#[test]
fn demonstrate_toctou_vulnerability() {
    let pool = Arc::new(MemoryPool::new(PoolConfig::new(64, 1, 8)).unwrap());
    let barrier = Arc::new(Barrier::new(2));

    let pool1 = pool.clone();
    let barrier1 = barrier.clone();

    let handle1 = thread::spawn(move || {
        barrier1.wait();
        // Try to allocate when pool has exactly 1 chunk
        match pool1.allocate() {
            Ok(ptr) => Ok(ptr.as_ptr() as usize), // Convert to address
            Err(e) => Err(e),
        }
    });

    let pool2 = pool.clone();
    let barrier2 = barrier.clone();

    let handle2 = thread::spawn(move || {
        barrier2.wait();
        // Race with thread 1
        match pool2.allocate() {
            Ok(ptr) => Ok(ptr.as_ptr() as usize), // Convert to address
            Err(e) => Err(e),
        }
    });

    let result1 = handle1.join().unwrap();
    let result2 = handle2.join().unwrap();

    // Both might succeed if there's a TOCTOU bug
    if result1.is_ok() && result2.is_ok() {
        println!("Potential TOCTOU: Both threads got allocation from single-chunk pool");

        let stats = pool.stats();
        if stats.pool_hits > 0 && stats.pool_misses > 0 {
            println!("Confirmed: Stats show both pool hit and miss for concurrent access");
        }
    }
}