Fix soundness bug in NotNan::partial_cmp.

mbrubeck · mbrubeck · commit 02b92c79b069 · 2024-06-29T12:05:47.000-07:00
Ill-behaved FloatCore implementations for user types could have where `x.partial_cmp(&x) == None` even when `x.is_nan() == false`. This crate will now panic in those cases, rather than execute undefined behavior. Fixes #150.
diff --git a/src/lib.rs b/src/lib.rs
@@ -15,7 +15,6 @@ use core::cmp::Ordering;
 use core::convert::TryFrom;
 use core::fmt;
 use core::hash::{Hash, Hasher};
-use core::hint::unreachable_unchecked;
 use core::iter::{Product, Sum};
 use core::num::FpCategory;
 use core::ops::{
@@ -1163,9 +1162,11 @@ impl Borrow<f64> for NotNan<f64> {
 #[allow(clippy::derive_ord_xor_partial_ord)]
 impl<T: FloatCore> Ord for NotNan<T> {
     fn cmp(&self, other: &NotNan<T>) -> Ordering {
+        // Can't use unreachable_unchecked because unsafe code can't depend on FloatCore impl.
+        // https://github.com/reem/rust-ordered-float/issues/150
         match self.partial_cmp(other) {
             Some(ord) => ord,
-            None => unsafe { unreachable_unchecked() },
+            None => unreachable!(),
         }
     }
 }
