Use checked arithmetic in LocalsPlus and DataStack allocators

youknowone · youknowone · commit 09a5a5e5cd0b · 2026-03-04T16:25:35.000+09:00
diff --git a/crates/common/src/lock.rs b/crates/common/src/lock.rs
@@ -29,7 +29,10 @@ cfg_if::cfg_if! {
         pub use std::sync::LazyLock;
     } else {
         pub struct LazyLock<T, F = fn() -> T>(core::cell::LazyCell<T, F>);
-        // SAFETY: Without std, there can be no threads.
+        // SAFETY: This branch is only active when both "std" and "threading"
+        // features are absent — i.e., truly single-threaded no_std environments
+        // (e.g., embedded or bare-metal WASM). Without std, the Rust runtime
+        // cannot spawn threads, so Sync is trivially satisfied.
         unsafe impl<T, F> Sync for LazyLock<T, F> {}
 
         impl<T, F: FnOnce() -> T> LazyLock<T, F> {
diff --git a/crates/vm/src/datastack.rs b/crates/vm/src/datastack.rs
@@ -102,10 +102,15 @@ impl DataStack {
     #[inline(never)]
     fn push_slow(&mut self, aligned_size: usize) -> *mut u8 {
         let mut chunk_size = MIN_CHUNK_SIZE;
-        let needed =
-            aligned_size + MINIMUM_OVERHEAD + core::mem::size_of::<DataStackChunk>() + ALIGN;
+        let needed = aligned_size
+            .checked_add(MINIMUM_OVERHEAD)
+            .and_then(|v| v.checked_add(core::mem::size_of::<DataStackChunk>()))
+            .and_then(|v| v.checked_add(ALIGN))
+            .expect("DataStack chunk size overflow");
         while chunk_size < needed {
-            chunk_size *= 2;
+            chunk_size = chunk_size
+                .checked_mul(2)
+                .expect("DataStack chunk size overflow");
         }
         // Save current position in old chunk.
         unsafe {
diff --git a/crates/vm/src/frame.rs b/crates/vm/src/frame.rs
@@ -163,10 +163,13 @@ const _: () = {
 impl LocalsPlus {
     /// Create a new heap-backed LocalsPlus.  All slots start as None (0).
     fn new(nlocalsplus: usize, stacksize: usize) -> Self {
-        let capacity = nlocalsplus + stacksize;
+        let capacity = nlocalsplus
+            .checked_add(stacksize)
+            .expect("LocalsPlus capacity overflow");
+        let nlocalsplus_u32 = u32::try_from(nlocalsplus).expect("nlocalsplus exceeds u32");
         Self {
             data: LocalsPlusData::Heap(vec![0usize; capacity].into_boxed_slice()),
-            nlocalsplus: nlocalsplus as u32,
+            nlocalsplus: nlocalsplus_u32,
             stack_top: 0,
         }
     }
@@ -177,14 +180,19 @@ impl LocalsPlus {
     /// The caller must call `materialize_localsplus()` when the frame finishes
     /// to migrate data to the heap, then `datastack_pop()` to free the memory.
     fn new_on_datastack(nlocalsplus: usize, stacksize: usize, vm: &VirtualMachine) -> Self {
-        let capacity = nlocalsplus + stacksize;
-        let byte_size = capacity * core::mem::size_of::<usize>();
+        let capacity = nlocalsplus
+            .checked_add(stacksize)
+            .expect("LocalsPlus capacity overflow");
+        let byte_size = capacity
+            .checked_mul(core::mem::size_of::<usize>())
+            .expect("LocalsPlus byte size overflow");
+        let nlocalsplus_u32 = u32::try_from(nlocalsplus).expect("nlocalsplus exceeds u32");
         let ptr = vm.datastack_push(byte_size) as *mut usize;
         // Zero-initialize all slots (0 = None for both PyObjectRef and PyStackRef).
         unsafe { core::ptr::write_bytes(ptr, 0, capacity) };
         Self {
             data: LocalsPlusData::DataStack { ptr, capacity },
-            nlocalsplus: nlocalsplus as u32,
+            nlocalsplus: nlocalsplus_u32,
             stack_top: 0,
         }
     }
@@ -2362,18 +2370,16 @@ impl ExecutingFrame<'_> {
                 // Same as LoadFast but explicitly checks for unbound locals
                 // (LoadFast in RustPython already does this check)
                 let idx = idx.get(arg) as usize;
-                let x = self.localsplus.fastlocals()[idx]
-                    .clone()
-                    .ok_or_else(|| {
-                        vm.new_exception_msg(
-                            vm.ctx.exceptions.unbound_local_error.to_owned(),
-                            format!(
-                                "local variable '{}' referenced before assignment",
-                                self.code.varnames[idx]
-                            )
-                            .into(),
+                let x = self.localsplus.fastlocals()[idx].clone().ok_or_else(|| {
+                    vm.new_exception_msg(
+                        vm.ctx.exceptions.unbound_local_error.to_owned(),
+                        format!(
+                            "local variable '{}' referenced before assignment",
+                            self.code.varnames[idx]
                         )
-                    })?;
+                        .into(),
+                    )
+                })?;
                 self.push_value(x);
                 Ok(None)
             }
@@ -2413,18 +2419,16 @@ impl ExecutingFrame<'_> {
             // lifetime issues at yield/exception points are resolved.
             Instruction::LoadFastBorrow { var_num: idx } => {
                 let idx = idx.get(arg) as usize;
-                let x = self.localsplus.fastlocals()[idx]
-                    .clone()
-                    .ok_or_else(|| {
-                        vm.new_exception_msg(
-                            vm.ctx.exceptions.unbound_local_error.to_owned(),
-                            format!(
-                                "local variable '{}' referenced before assignment",
-                                self.code.varnames[idx]
-                            )
-                            .into(),
+                let x = self.localsplus.fastlocals()[idx].clone().ok_or_else(|| {
+                    vm.new_exception_msg(
+                        vm.ctx.exceptions.unbound_local_error.to_owned(),
+                        format!(
+                            "local variable '{}' referenced before assignment",
+                            self.code.varnames[idx]
                         )
-                    })?;
+                        .into(),
+                    )
+                })?;
                 self.push_value(x);
                 Ok(None)
             }
@@ -4329,7 +4333,10 @@ impl ExecutingFrame<'_> {
                 let nargs: u32 = arg.into();
                 let callable = self.nth_value(nargs + 1);
                 let stack_len = self.localsplus.stack_len();
-                let self_or_null_is_some = self.localsplus.stack_index(stack_len - nargs as usize - 1).is_some();
+                let self_or_null_is_some = self
+                    .localsplus
+                    .stack_index(stack_len - nargs as usize - 1)
+                    .is_some();
                 if !self_or_null_is_some
                     && cached_version != 0
                     && let Some(cls) = callable.downcast_ref::<PyType>()
@@ -6029,11 +6036,21 @@ impl ExecutingFrame<'_> {
             args_vec.push(self_val);
         }
         for stack_idx in args_start..stack_len {
-            let val = self.localsplus.stack_index_mut(stack_idx).take().unwrap().to_pyobj();
+            let val = self
+                .localsplus
+                .stack_index_mut(stack_idx)
+                .take()
+                .unwrap()
+                .to_pyobj();
             args_vec.push(val);
         }
 
-        let callable_obj = self.localsplus.stack_index_mut(callable_idx).take().unwrap().to_pyobj();
+        let callable_obj = self
+            .localsplus
+            .stack_index_mut(callable_idx)
+            .take()
+            .unwrap()
+            .to_pyobj();
         self.localsplus.stack_truncate(callable_idx);
 
         let result = callable_obj.vectorcall(args_vec, effective_nargs, None, vm)?;
@@ -6109,11 +6126,21 @@ impl ExecutingFrame<'_> {
             args_vec.push(self_val);
         }
         for stack_idx in args_start..stack_len {
-            let val = self.localsplus.stack_index_mut(stack_idx).take().unwrap().to_pyobj();
+            let val = self
+                .localsplus
+                .stack_index_mut(stack_idx)
+                .take()
+                .unwrap()
+                .to_pyobj();
             args_vec.push(val);
         }
 
-        let callable_obj = self.localsplus.stack_index_mut(callable_idx).take().unwrap().to_pyobj();
+        let callable_obj = self
+            .localsplus
+            .stack_index_mut(callable_idx)
+            .take()
+            .unwrap()
+            .to_pyobj();
         self.localsplus.stack_truncate(callable_idx);
 
         let kwnames = kwarg_names_tuple.as_slice();
