Fixed length array type with negative count is accepted

[lilyball]

A fixed length array type is allowed to be declared with a negative count. This is interpreted as the uint that would result from coercion, so on a 64-bit machine, [uint, ..-1] is considered the same as [uint, ..18446744073709551615].

This should probably be a compiler error, as negative counts don't make sense. Negative repeat counts in array expressions are already disallowed (as of #6985).

[Gankra]

Possibly another face of #5477?

[lilyball]

@gankro Nope. Fixed length array types actually explicitly allow for the length to be an int literal. The bug is just that it doesn't bother ensuring it's non-negative. Unlike #5477, this really is something that should be a hard compiler error.

[hirschenberger]

Can be easily fixed after #15709 landed

[lilyball]

@hirschenberger I don't think #15709 is related. The issue here isn't an undetected overflow. The issue is it blindly accepts int expressions without testing if the value is non-negative.

[hirschenberger]

@kballard The size of the Array is parsed here as an int because there's no suffix:

https://github.com/rust-lang/rust/blob/master/src/libsyntax/parse/parser.rs#L2038

So the overflow already happened. With #15709 we get the chance, to check for negative literals and also got the full u64 range for the size although it is an int.

[lilyball]

@hirschenberger It's parsed as an int, yes. An int with the value -1. The problem lies in https://github.com/rust-lang/rust/blob/master/src/librustc/middle/typeck/astconv.rs#L883-L885 where it doesn't bother checking if the int is non-negative before casting it to a uint.

[hirschenberger]

I think this can be closed now.

[lilyball]

Nope, still reproduces. Your test actually tests constructing a value. But the type expression [uint, ..-1] itself is still accepted and behaves incredibly badly. On latest master (which includes your test and the fix from #15709), the following program sucks up 100% CPU and gobbles up memory like candy (I had to kill rustc when it crossed 14GB RSIZE in 20 seconds):

fn main() {
    let x: [uint, ..-1];
}

[hirschenberger]

@kballard sorry, I totally oversaw that this issue is about a type declaration, not a value.

[thestinger]

Rust doesn't actually have - in the grammar for literals. The expression -1 is a generic integer and is inferred as uint in this context. The uint type does provide an - operator and it behaves as expected. It's the same issue as #15918.