Fix unsoundness in insert_score_depth, insert_score, and Stack::offset

Copilot · chase-manning · Copilot · commit c1d0ca3d8945 · 2026-02-22T12:30:37.000Z
- Replace unsafe get_unchecked_mut with safe indexing in insert_score_depth
  and insert_score, which provides automatic bounds checking via the
  existing IndexMut trait implementation
- Add debug_assert bounds check and safety documentation to Stack::offset
- Add tests verifying out-of-bounds panics for insert_score_depth and
  insert_score

Co-authored-by: chase-manning &lt;53957795+chase-manning@users.noreply.github.com&gt;
diff --git a/pleco_engine/src/root_moves/root_moves_list.rs b/pleco_engine/src/root_moves/root_moves_list.rs
@@ -93,19 +93,15 @@ impl RootMoveList {
 
     #[inline]
     pub fn insert_score_depth(&mut self, index: usize, score: i32, depth: i16) {
-        unsafe {
-            let rm: &mut RootMove = self.get_unchecked_mut(index);
-            rm.score = score;
-            rm.depth_reached = depth;
-        }
+        let rm: &mut RootMove = &mut self[index];
+        rm.score = score;
+        rm.depth_reached = depth;
     }
 
     #[inline]
     pub fn insert_score(&mut self, index: usize, score: i32) {
-        unsafe {
-            let rm: &mut RootMove = self.get_unchecked_mut(index);
-            rm.score = score;
-        }
+        let rm: &mut RootMove = &mut self[index];
+        rm.score = score;
     }
 
     pub fn find(&mut self, mov: BitMove) -> Option<&mut RootMove> {
@@ -196,3 +192,22 @@ impl<'a> IntoIterator for &'a RootMoveList {
 impl<'a> ExactSizeIterator for MoveIter<'a> {}
 
 impl<'a> FusedIterator for MoveIter<'a> {}
+
+#[cfg(test)]
+mod tests {
+    use super::*;
+
+    #[test]
+    #[should_panic]
+    fn insert_score_depth_out_of_bounds() {
+        let mut list = RootMoveList::new();
+        list.insert_score_depth(1000, 100, 10);
+    }
+
+    #[test]
+    #[should_panic]
+    fn insert_score_out_of_bounds() {
+        let mut list = RootMoveList::new();
+        list.insert_score(1000, 100);
+    }
+}
diff --git a/pleco_engine/src/search/mod.rs b/pleco_engine/src/search/mod.rs
@@ -97,9 +97,15 @@ pub struct Stack {
 
 impl Stack {
     /// Get the next ply at an offset.
+    ///
+    /// # Safety
+    ///
+    /// The caller must ensure that the resulting pointer after applying `count`
+    /// remains within the bounds of the containing `ThreadStack` array.
     pub fn offset(&mut self, count: isize) -> &mut Stack {
         unsafe {
             let ptr: *mut Stack = self as *mut Stack;
+            debug_assert!((count.unsigned_abs()) < THREAD_STACK_SIZE);
             &mut *ptr.offset(count)
         }
     }
