Allow borrowing array elements from packed structs with ABI align <= packed align #145419
Conversation
- Add fallback mechanism in is_disaligned() when layout computation fails - Handle TooGeneric errors by computing element alignment from type structure - Fix packed-array-const-generic.rs test to pass compilation - Resolves issue where const generic parameters couldn't be resolved during alignment checks
|
r? @SparrowLii rustbot has assigned @SparrowLii. Use |
rustbot
added
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
| Ok(normalized) => normalized, | ||
| Err(_) => { | ||
| // If normalization fails, fall back to the original type | ||
| ty |
There was a problem hiding this comment.
why? it feels a lot safer to conservatively return true here, same as when layout_of fails
| // For const generic arrays like [u8; CAP], we can make a reasonable assumption | ||
| // about their alignment based on the element type. |
There was a problem hiding this comment.
we're not making a reasonable assumption. Their layout literally only depend son the layout of their element type, doesn't it?
Getting this right is soundness critical, so we need to be confident about that we don#t introduce false negatives.
Also, please rename this function to is_potentially_disaligned, to clarify that it's allowed to return false positives, but not false nnegatives
There was a problem hiding this comment.
We use "misaligned" elsewhere in the compiler, maybe let's go with that instead of "disaligned" (which I never saw/heard before).
There was a problem hiding this comment.
Thanks for the detailed feedback!
I agree with the soundness concern and with using the term “misaligned”.
I will:
- rename the function to
is_potentially_misalignedand update call sites/docs to clarify that it may return false positives but must not return false negatives (soundness-critical), - avoid relaxing the check when
layout_of(ty)fails in general.
To still address the motivating case without introducing false negatives, I’ll only add a very small, layout-free special-case:
when ty.kind() is Array(elem, _) and elem is u8 or i8 (which have ABI alignment 1 by definition, independent of the array length), we treat the borrow as not potentially misaligned. All other cases remain conservative and return true when layout_of(ty) fails.
This fixes the [u8; CAP] packed-struct case while keeping the function strictly conservative for any type whose ABI alignment could exceed the packed alignment.
If you’d prefer the even stricter variant (no special-casing at all), I can drop the exception and keep returning true on layout_of failure across the board.
There was a problem hiding this comment.
I think ignoring the length and only checking the argument is fine. My issue was with the comment, not the behavior. We already guarantee that the alignment constraints are equal:
you can get a &T out of an &[T], so [T] must have stronger requirements than &T
you can get a &[T] from a &T via std::array::from_ref , so T must have stronger requirements than &[T]
There was a problem hiding this comment.
Thanks! I’ve updated the comment to formally justify that align([T]) == align(T),
using the two directions you mentioned (&[T] -> &T and std::array::from_ref(&T)).
Behavior remains unchanged: we only consider the element type’s ABI alignment and
ignore the array length.
… clarity; Unified to ty::Array(element_ty, _) | ty::Slice(element_ty) => …; Modify Chinese comments to English comments
|
Some changes occurred to MIR optimizations cc @rust-lang/wg-mir-opt |
|
Fixed:
Thanks |
|
I've updated the PR as requested (renamed function, updated comment, removed special-casing). Just let me know if further adjustments are needed. |
| // Only allow u8 and i8 arrays when layout computation fails | ||
| // Other types are conservatively assumed to be misaligned | ||
| match element_ty.kind() { |
There was a problem hiding this comment.
properly compute the of the element_ty here, limiting it to only u8 and i8 feels unnecessary 🤔
This comment has been minimized.
This comment has been minimized.
|
Thanks for the detailed feedback! I’ve updated the PR with the following:
I’ve also drafted the exact rules in the PR description and opened a Reference PR |
|
Does this PR create a new semver hazard? For example.. // In a remote crate
struct Remote(u8);
// In local crate
#[repr(packed)]
struct Local {
remote: Remote,
}
let remote = &Local::default().remote;Then @rfcbot concern semver hazard Otherwise, +1 for the overall idea. @rfcbot reviewed |
|
That semver hazard already exists outside of arrays. This PR just makes the logic that figures out the alignment of a type smarter: we can know the alignment of |
| // Soundness: For any `T`, the ABI alignment requirement of `[T]` equals that of `T`. | ||
| // Proof sketch: | ||
| // (1) From `&[T]` we can obtain `&T`, hence align([T]) >= align(T). | ||
| // (2) Using `std::array::from_ref(&T)` we can obtain `&[T; 1]` (and thus `&[T]`), | ||
| // hence align(T) >= align([T]). | ||
| // Therefore align([T]) == align(T). Length does not affect alignment. |
There was a problem hiding this comment.
| // Soundness: For any `T`, the ABI alignment requirement of `[T]` equals that of `T`. | |
| // Proof sketch: | |
| // (1) From `&[T]` we can obtain `&T`, hence align([T]) >= align(T). | |
| // (2) Using `std::array::from_ref(&T)` we can obtain `&[T; 1]` (and thus `&[T]`), | |
| // hence align(T) >= align([T]). | |
| // Therefore align([T]) == align(T). Length does not affect alignment. | |
| // We can't compute the layout of `T`. But maybe we can still compute the alignment: | |
| // For any `T`, the ABI alignment requirement of `[T]` and `[T; N]` equals that of `T`. | |
| // Length does not affect alignment. |
I don't think referencing standard library operations here makes much sense. Maybe we can reference the Reference wherever it defines the alignment of arrays, but TBH that doesn't seem necessary. What's relevant is to explicitly invoke the fact o that arrays are aligned like their element type, that's the one key reasoning step needed here. Let's not drown that in noise.
| match ty.kind() { | ||
| ty::Array(elem_ty, _) | ty::Slice(elem_ty) => { | ||
| // Try to obtain the element's layout; if we can, use its ABI align. | ||
| match tcx.layout_of(typing_env.as_query_input(*elem_ty)) { |
There was a problem hiding this comment.
I'd recommend inlining this function at its only call site, this seems unnecessarily verbose.
If you want to make a helper function, it'd be get_type_align containing the entire match tcx.layout_of(typing_env.as_query_input(ty)) {.
There was a problem hiding this comment.
still relevant, I would personally prefer adding a single get_type_align function which does the nested layout_of call
| } | ||
|
|
||
| fn main() { | ||
| // Run pass cases (fail cases only check diagnostics) |
There was a problem hiding this comment.
These never get run anyway since the file fails to compile, so this is quite pointless.
There was a problem hiding this comment.
I would split this test into a pass and a fail version. Having them in the same test may not actually test the pass cases as we often end up hiding errors if others have been emitted.
I don't have an opinion on whether to make that a run-pass test or not
| mod pass_i8 { | ||
| #[repr(C, packed)] | ||
| pub struct S<const N: usize> { | ||
| buf: [i8; N], | ||
| } | ||
| pub fn run() { | ||
| let s = S::<4> { buf: [1, 2, 3, 4] }; | ||
| let _ok = &s.buf[..]; // no E0793 | ||
| } | ||
| } | ||
|
|
||
| mod pass_nonzero_u8 { | ||
| use super::*; | ||
| #[repr(C, packed)] | ||
| pub struct S<const N: usize> { | ||
| buf: [NonZeroU8; N], | ||
| } | ||
| pub fn run() { | ||
| let s = S::<3> { | ||
| buf: [ | ||
| NonZeroU8::new(1).unwrap(), | ||
| NonZeroU8::new(2).unwrap(), | ||
| NonZeroU8::new(3).unwrap(), | ||
| ], | ||
| }; | ||
| let _ok = &s.buf[..]; // no E0793 | ||
| } | ||
| } | ||
|
|
||
| mod pass_maybeuninit_u8 { | ||
| use super::*; | ||
| #[repr(C, packed)] | ||
| pub struct S<const N: usize> { | ||
| buf: [MaybeUninit<u8>; N], | ||
| } | ||
| pub fn run() { | ||
| let s = S::<2> { buf: [MaybeUninit::new(1), MaybeUninit::new(2)] }; | ||
| let _ok = &s.buf[..]; // no E0793 | ||
| } | ||
| } | ||
|
|
||
| mod pass_transparent_u8 { | ||
| #[repr(transparent)] | ||
| pub struct WrapU8(u8); | ||
|
|
||
| #[repr(C, packed)] | ||
| pub struct S<const N: usize> { | ||
| buf: [WrapU8; N], | ||
| } | ||
| pub fn run() { | ||
| let s = S::<2> { buf: [WrapU8(1), WrapU8(2)] }; | ||
| let _ok = &s.buf[..]; // no E0793 | ||
| } | ||
| } |
There was a problem hiding this comment.
All of these already pass before your PR, so they don't actually test what you want them to test.
You need to make the N generic, like in pass_u8. (In the fail tests it should also be generic to ensure it hits the same codepath.)
| pub fn run() { | ||
| let p = PascalString::<10> { len: 3, buf: *b"abc\0\0\0\0\0\0\0" }; | ||
| let s = bar(&p); | ||
| assert_eq!(s, "abc"); | ||
| } |
There was a problem hiding this comment.
There's no reason I can see for this function to exist.
|
@rfcbot reviewed The intent (make the warning more precise for cases where the packed struct fields do not actually have stricter alignment requirements) makes sense to me. |
|
Hmm, I wish we could address the semver hazard with @rfcbot resolve semver hazard |
|
Thanks for the reference update. I do think that, from an implementation perspective, it's a bit icky for this particular check to do this dance of "fail to get layout, then do extra layout calculations". It feels like there ought to be a general query for "layout but I only care about alignment (or an under- or over-estimate thereof)" that everywhere that doesn't care about things like niches and field offsets, just the alignment, could use so that checks like this would always be consistent. (Like const prop of the Align UnOp in a MIR optimization arguably wants this as well.) |
rust-rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
Yeah, agreed. Seems worth at least filing a C-cleanup issue for? |
traviscross
removed
I-lang-nominated
Hi @RalfJung, Thank you for the insightful architectural suggestion. I agree that a general To keep the scope of this current PR focused and ensure it can be merged smoothly, I plan to file a follow-up issue to track this idea after this PR is merged. This will allow us to discuss and design the general query interface properly without blocking the immediate improvement here. Thanks again for the review and the valuable idea. |
|
Sounds good. :) Note that I didn't even make the architectural suggestion though. Also, no need to be so formal in your writing :) . Short and to the point beats long and verbose. |
rust-rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
|
☔ The latest upstream changes (presumably #147145) made this pull request unmergeable. Please resolve the merge conflicts. |
|
@rustbot author |
rustbot
added
S-waiting-on-author
|
Reminder, once the PR becomes ready for a review, use |
Fixes #145376
Summary
This PR fixes a false positive E0793 ("reference to packed field is unaligned")
when borrowing from a
#[repr(C, packed)]struct field whose type is a const-generic arraywith an element type that has ABI alignment <= the struct's packed alignment.
Example before this change:
Reference PR: