repr(Rust) unions (including MaybeUninit) do not preserve padding bytes
#99604
Comments
|
This also comes up as an issue for functions that happen to use MaybeUninit internally, see fn main() {
const MARKER: u32 = 0x11223344;
let mut x = MARKER;
let mut y = 0_u32;
unsafe {
std::ptr::swap_nonoverlapping(
&mut x as *mut u32 as *mut (u16, u8),
&mut y as *mut u32 as *mut (u16, u8),
1
);
}
if y != MARKER {
println!("{y:x} != {MARKER:x}");
}
}swap_nonoverlapping is explicitly mentioned as being untyped, so this failing is wrong, IMO. |
|
My understanding was that at some point it had been decided that we didn't have to promise anything regarding the padding byte in exactly these cases. |
In the models where memory accesses are typed, this too does have a type! It's just suggesting the type of "a blob of bytes". But this would not be the first time we wrote a check that (our lowering to) LLVM can't cash. |
Ah, yeah, good point. :(
I agree, the implementation of
The docs have recently been adjusted to say "The operation is untyped in the sense that data may be uninitialized or otherwise violate the requirements of T. The initialization state is preserved exactly". So what you say is not the intention of the implementation. See #97712. Some other functions ( |
|
We also claim that |
|
Yeah, the only reason I used swap_nonoverlapping here instead of any other one is that swap and copy don't actually move a MaybeUninit, they just use one as storage space on the stack, and use the However, So it seems to be purely by accident that swap_nonoverlapping does this, and other functions don't. Honestly I think we might need two MaybeUninit's. One that promises ABI transparency, and one that promises that it's just an untyped bag of bytes that happens to have the size and align of T, and as such can be trusted to store bytes that are padding in T reliably. |
Well, we say it's like memcpy "under the hood", which is not wrong, but then the inputs and outputs are fundamentally "clamped" by this being a by-value operation. memcpy does not act on values. The type-changing memcpy is not what makes the padding disappear here, it's the passing-args-to-transmute and passing-ret-from-transmute (and it'd be the same with any safe function as well). But probably we should just remove that mention of memcpy if it confuses people more than it helped...
I have no idea how we could possibly teach this. :( |
Yep. I think that's a Terrible idea, come to think of it. So.... Well, we don't promise what MaybeUninit actually is, so it could be Compiler Magic that knows if it needs to be the ABI of an untyped blob, or if it needs to be the ABI of T.... based on the calling convention of the function it's passed to? that seems extremely strange (and would mean passing a MaybeUninit through a |
|
That breaks down if it's passed to multiple functions though. Also, @chorman0773 would probably have some choice words about making a fundamentally "normal" type be magic. |
|
A relevant recent Zulip discussion. We guarantee that |
The following program isn't detected to have any UB in miri, and doesn't hit the panic, but does panic when ran (with or without optimizations) normally (using LLVM)
Panics with "
got bbccdd", so the padding byte, presumably ataa, got zeroed.The LLVM IR for
printsays it passes it as 2 arguments, so it makes sense that the padding is getting zeroed.define void @_ZN10playground5print17hfd0afe434a63e3b7E(i16 %x.0, i8 %x.1) unnamed_addr #0 [...]We (might?) already promise that MaybeUninit is just a bag of bytes that doesn't zero any padding, but we also promise that it has the ABI of T, and those two seem to be in conflict.
Relates to rust-lang/unsafe-code-guidelines#354 (comment)
The text was updated successfully, but these errors were encountered: