Audit crossbeam
yoshuawuyts opened this issue · comments
https://crates.io/crates/crossbeam has about 6000 downloads a day*, has 162 inverse dependencies (of which a non-zero amount operates on untrusted input) and is generally considered a core piece of infrastructure.
A cursory search points to 67 references of unsafe, in addition to 106 references to atomics which probably makes it a suitable candidate for an audit.
*Probably more since crossbeam is a defacto repackage of several smaller crossbeam-*
modules.
WOW THEY'RE USING AN offset_of!
MACRO
THAT'S A GOOD PLAN.
(it's never a good plan)
See also rust-lang/unsafe-code-guidelines#158
Not directly relevant to auditing crossbeam itself, but I've noticed they're pulling in a dependency with 170 unsafe expressions just to write a few lines with it, so I've replaced it with ad-hoc safe code: crossbeam-rs/crossbeam#414