Potential soundness issue in `peroxide` 0.41.0

[varies-rust]

Hello, and thank you for maintaining this crate.

I found a sanitizer/Miri failure reachable through public crate APIs using safe Rust code. I may be missing crate-specific preconditions, but the behavior looks worth checking because safe callers should not be able to trigger undefined behavior.

Summary

• Crate: peroxide
• Version tested: 0.41.0
• API paths with similar failures observed:
  • MatrixTrait::subs_col
  • MatrixTrait::subs_row
  • Matrix multiplication: Matrix * Matrix, &Matrix * &Matrix
  • Matrix indexing/mutation paths
  • Linear algebra operations over public Matrix state

Observed diagnostics

Miri undefined behavior: error: Undefined Behavior: overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize`
Unsafe precondition violation: unsafe precondition(s) violated: ptr::add requires that the address calculation does not overflow

Reproduction

The snippets below are minimal readable reproducers. Each PoC also includes the source location most relevant to the reported failure.

PoC 1: test_peroxide11::generated_test_11

Relevant source location:

• src/structure/matrix.rs:701-705: Matrix exposes data, row, col, and shape as public fields.
• src/structure/matrix.rs:1148: subs_col operates on those unchecked shape/storage invariants.

Readable equivalent PoC:

use peroxide::fuga::{Matrix, MatrixTrait, Shape};

#[test]
fn poc() {
    let mut rhs = Matrix {
        data: Vec::new(),
        row: usize::MAX,
        col: usize::MAX,
        shape: Shape::Row,
    };

    rhs.subs_col(usize::MAX, &[]);

    let lhs = Matrix {
        data: Vec::new(),
        row: usize::MAX,
        col: 0,
        shape: Shape::Col,
    };

    let _ = lhs * rhs;
}

Observed diagnostic:

error: Undefined Behavior: overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize`

PoC 2: test_peroxide12::generated_test_12

Relevant source location:

• src/structure/matrix.rs:701-705: Matrix exposes data, row, col, and shape as public fields.
• src/structure/matrix.rs:1156: subs_row operates on those unchecked shape/storage invariants.

Readable equivalent PoC:

use peroxide::fuga::{Matrix, MatrixTrait, Shape};

#[test]
fn poc() {
    let mut rhs = Matrix {
        data: Vec::new(),
        row: 0,
        col: usize::MAX,
        shape: Shape::Col,
    };

    rhs.subs_row(usize::MAX, &[]);

    let lhs = Matrix {
        data: Vec::new(),
        row: usize::MAX,
        col: usize::MAX,
        shape: Shape::Row,
    };

    let _ = &lhs * &rhs;
}

Observed diagnostic:

unsafe precondition(s) violated: ptr::add requires that the address calculation does not overflow

Source review and suggested fix

Brief reasoning:

• Matrix exposes public fields, so safe code can construct states that do not satisfy the library invariants.
• The later indexing and arithmetic code assumes those invariants without rechecking them.

Suggested fix:

• Hide the raw fields or validate shape and storage invariants before any unsafe indexing or pointer arithmetic.

Thanks again for taking a look.