Passing an uninitialized buffer to a generic `Read` implementation is one of the most common soundness bugs in the Rust ecosystem (e.g., RUSTSEC-2021-0015, RUSTSEC-2021-0029, gfx#3567). Unfortunately, initializing the buffer often leads to performance degradation, and there is currently no way to use generic `Read` without initialization cost in stable Rust.
RFC 2930 provides a solution to this issue. It adds the `ReadBuf` type and related APIs to the `Read` trait, which allows safe management of uninitialized buffers. This RFC has been merged, but there is no implementation available yet.
What I would like to suggest is to prioritize, implement, and advertise RFC 2930 as part of edition 2021. Technically `ReadBuf` is not a breaking change, but as noted in the RFC, `ReadBuf` introduces a nontrivial amount of complexity to one of the standard library's core traits. Thus, advertising it as a change introduced in a new edition will help people learn and adopt the new APIs, because people are more willing to accept larger changes at the edition boundary.
Additionally, raising awareness of `ReadBuf` would help resolve a longstanding misconception about uninitialized buffers in Rust. Although incorrect use of an uninitialized buffer can lead to observable memory safety errors (#1, #2), the impact of using an uninitialized buffer is often overlooked. I've seen several soundness bugs that follow a similar pattern of uninitialized `read()` (e.g., RUSTSEC-2020-0123, glium#1907, claxon#26). When implemented, `ReadBuf` could be a solid example that explains that an uninitialized buffer cannot be passed to an API that is not expecting it, which I believe helps prevent the occurrence of similar soundness bugs in the future.
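The following is an added illustration, not part of the original post and not the `std::io::ReadBuf` that RFC 2930 specifies: a stripped-down `ReadBuf` in stable Rust that tracks the filled and initialized regions separately, plus an extension trait (`ReadBufExt`, a name assumed here) standing in for the `read_buf` method the RFC adds to `Read`. The default method zeroes the never-initialized bytes once and hands a plain `&mut [u8]` to an ordinary `Read` impl, so a reader that inspects its buffer never observes uninitialized memory; a reader that overrides `read_buf` writes through `MaybeUninit` and skips the zeroing. The `zeroed` counter is bookkeeping for the example only.

```rust
use std::io::{self, Read};
use std::mem::MaybeUninit;

/// Stand-in for RFC 2930's `ReadBuf`, written for this example (not std's type).
/// Regions: [0, filled) bytes a reader produced; [filled, initialized) bytes known
/// to be initialized but not yet filled; [initialized, capacity) possibly uninitialized.
pub struct ReadBuf<'a> {
    buf: &'a mut [MaybeUninit<u8>],
    filled: usize,
    initialized: usize,
    zeroed: usize, // example-only bookkeeping: bytes we paid to zero
}

impl<'a> ReadBuf<'a> {
    pub fn uninit(buf: &'a mut [MaybeUninit<u8>]) -> Self {
        ReadBuf { buf, filled: 0, initialized: 0, zeroed: 0 }
    }
    pub fn capacity(&self) -> usize { self.buf.len() }
    pub fn remaining(&self) -> usize { self.capacity() - self.filled }
    pub fn zeroed(&self) -> usize { self.zeroed }

    /// Bytes a reader has actually written; always inside the initialized region.
    pub fn filled(&self) -> &[u8] {
        // SAFETY: every mutator keeps filled <= initialized, so these bytes are initialized.
        unsafe { std::slice::from_raw_parts(self.buf.as_ptr() as *const u8, self.filled) }
    }

    /// Safe path: zero only bytes never initialized before, then hand out a plain
    /// `&mut [u8]`. A `Read` impl that reads `buf` before writing it is still sound here.
    pub fn initialize_unfilled(&mut self) -> &mut [u8] {
        let cap = self.capacity();
        self.zeroed += cap - self.initialized;
        for slot in &mut self.buf[self.initialized..] {
            slot.write(0);
        }
        self.initialized = cap;
        let filled = self.filled;
        // SAFETY: [filled, cap) is initialized as of the loop above.
        unsafe {
            let ptr = self.buf.as_mut_ptr().add(filled) as *mut u8;
            std::slice::from_raw_parts_mut(ptr, cap - filled)
        }
    }

    /// Fast path: raw unfilled region for readers that promise to only write into it.
    pub fn unfilled_mut(&mut self) -> &mut [MaybeUninit<u8>] {
        let filled = self.filled;
        &mut self.buf[filled..]
    }

    /// Caller asserts the first `n` bytes of the unfilled region have been written.
    pub unsafe fn assume_init(&mut self, n: usize) {
        self.initialized = self.initialized.max(self.filled + n);
    }

    pub fn add_filled(&mut self, n: usize) {
        assert!(self.filled + n <= self.initialized, "filled bytes must be initialized");
        self.filled += n;
    }
}

/// The method RFC 2930 adds to `Read`, modelled here as an extension trait (assumed name).
/// The default body takes the zeroing path, so every existing `Read` impl keeps working.
pub trait ReadBufExt: Read {
    fn read_buf(&mut self, buf: &mut ReadBuf<'_>) -> io::Result<()> {
        let n = self.read(buf.initialize_unfilled())?;
        buf.add_filled(n);
        Ok(())
    }
}

/// A generic reader keeps the default (zeroing) behaviour.
impl<'a> ReadBufExt for &'a [u8] {}

/// A reader that overrides `read_buf` and skips zeroing: it writes every byte it reports.
pub struct Repeat(pub u8);

impl Read for Repeat {
    fn read(&mut self, buf: &mut [u8]) -> io::Result<usize> {
        for b in buf.iter_mut() { *b = self.0; }
        Ok(buf.len())
    }
}

impl ReadBufExt for Repeat {
    fn read_buf(&mut self, buf: &mut ReadBuf<'_>) -> io::Result<()> {
        let unfilled = buf.unfilled_mut();
        let n = unfilled.len();
        for slot in unfilled.iter_mut() { slot.write(self.0); }
        // SAFETY: all n slots were written in the loop above.
        unsafe { buf.assume_init(n) };
        buf.add_filled(n);
        Ok(())
    }
}

/// Fill a `cap`-byte buffer that starts uninitialized from `r` until it is full or at EOF.
/// Returns the bytes read and how many bytes had to be zeroed to stay sound.
pub fn read_into_uninit<R: ReadBufExt>(mut r: R, cap: usize) -> io::Result<(Vec<u8>, usize)> {
    let mut storage: Vec<MaybeUninit<u8>> = Vec::with_capacity(cap);
    storage.resize_with(cap, MaybeUninit::uninit);
    let mut buf = ReadBuf::uninit(&mut storage);
    while buf.remaining() > 0 {
        let before = buf.filled().len();
        r.read_buf(&mut buf)?;
        if buf.filled().len() == before { break; } // EOF
    }
    Ok((buf.filled().to_vec(), buf.zeroed()))
}

fn main() -> io::Result<()> {
    let (data, zeroed) = read_into_uninit(&b"hello"[..], 16)?; // constructed input
    println!("generic reader: {:?}, zeroed {} bytes", data, zeroed);
    let (data, zeroed) = read_into_uninit(Repeat(0xAB), 8)?;
    println!("read_buf-aware reader: {:?}, zeroed {} bytes", data, zeroed);
    Ok(())
}
```

The point the counter makes: the generic `&[u8]` reader pays for zeroing the whole 16-byte buffer exactly once, even across repeated `read_buf` calls, while the reader that implements `read_buf` directly pays nothing. Passing `unfilled_mut()` to an arbitrary `Read::read` instead would be the unsound pattern the post describes.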