Undetected unsound usage of packed field by unsize coercion

[197g]

The following code was tried:

use core::mem::ManuallyDrop;
use core::fmt::Debug;

#[repr(packed)]
struct Unaligned<T: ? Sized>(ManuallyDrop<T>);


fn main(){
    let ref local = Unaligned(ManuallyDrop::new([3, 5, 8u64]));
    let foo: &Unaligned<dyn Debug> = &*local;
    println!("{:?}", &*foo.0);
}

I expected to see this happen: An error (or at least lint) which tells me the reference created in &*foo.0 is unsound. This is correctly issued if no intermediate coercion statement is added.

error[[E0793]](https://doc.rust-lang.org/stable/error_codes/E0793.html): reference to packed field is unaligned
  --> src/main.rs:10:24
   |
10 |     println!("{:?}", &*local.0);
   |                        ^^^^^^^
   |
   = note: packed structs are only aligned by one byte, and many modern architectures penalize unaligned field accesses
   = note: creating a misaligned reference is undefined behavior (even if that reference is never dereferenced)
   = help: copy the field contents to a local variable, or replace the reference with a raw pointer and use `read_unaligned`/`write_unaligned` (loads and stores via `*p` must be properly aligned even when using raw pointers)

For more information about this error, try `rustc --explain E0793`.
warning: `playground` (bin "playground") generated 1 warning

Instead, this happened: The code compiles and appears to run.

Miri can diagnose the UB.

error: Undefined Behavior: constructing invalid value: encountered an unaligned reference (required 8 byte alignment but found 4)
  --> src/main.rs:10:24
   |
10 |     println!("{:?}", &*foo.0);
   |                        ^^^^^ constructing invalid value: encountered an unaligned reference (required 8 byte alignment but found 4)
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
   = note: BACKTRACE:
   = note: inside `main` at src/main.rs:10:24: 10:29

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

Meta

rustc --version --verbose:

rustc 1.68.0 (2c8cc3432 2023-03-06)
binary: rustc
commit-hash: 2c8cc343237b8f7d5a3c3703e3a87f2eb2c54a74
commit-date: 2023-03-06
host: x86_64-unknown-linux-gnu
release: 1.68.0
LLVM version: 15.0.6

Also affects 1.72, nightly, and prior versions.

[apiraino]

WG-prioritization assigning priority (Zulip discussion).

@rustbot label -I-prioritize +P-high

[RalfJung]

Wow, nice catch!

I think what's happening is that here

rust/compiler/rustc_const_eval/src/util/alignment.rs

Line 25 in 781253b

Ok(layout) if layout.align.abi <= pack => {

we are relying on layout.align, but for dynamically sized (and dynamically aligned) types that is just an underapproximation and so the check is insufficient.

[mu001999]

I'm confused. Why can we construct the value of type Unaligned<T: ?Sized>(ManuallyDrop<T>)? I've tried RefCell and other types, but all failed. Does the compiler treat ManuallyDrop in any special way in this case?

Thanks if anyone could tell me what happened!

[197g]

Credit for that specific example should go to a discord user on the community discord, matt1992 (ooh, I see, the introduction from the issue template is saying I. Sorry.) I've been mostly messenger and was just as confused over being allowed to write, and much more coerce, that type. During solicitation of feedback on the soundness of the type, this was found.

To summarize the remainder of the discussion: we were questioning whether the coercion itself was sound. What invariants does the unsized type have, and can the coercion assume that the new value will fulfill them? It does not seem at all trivial for properties other than representational validity. The unsize-equivalent of T is as oblivious to the fields' alignment as the underlying sized type, but unsizing discards the possibility to silently fix this by copying the field on every dubious operation. It is obvious that Drop was considered as well, which requires its recursive descent to stay valid over unsizing. The explicit ManuallyDrop clarifies that we explicitly discharge the compiler of this obligation (although I'm nowhere near certain how intentional this design is).

That is however not comprehensive. The unconditional soundness of core::mem::size_of_val on the new value, for instance, hinges on size information being part of the metadata. A custom unsized PascalString (that is length-prefixed, reading said length information from a preceeding u16 field stored inline before the data) would be at risk of an unaligned read. The compiler would have to either forbid coercions for user-defined dynamically sized types, avoiding the safety question, or define forms of (safety) invariants for custom DSTs which require them to behave soundly even when the referent is unaligned. Since custom DSTs are not stable, that one is a separate topic though which I'd hoped to prepare a better write-up for UCG. Incidentally, all stable unsizing coercions do lift their layouts into the metadata and are thus seemingly completely sound. Unless we overlooked other fundamental operations that must be available for all values (and types).