Rollup merge of #134583 - Enselic:maybe-uninit-transmute, r=workingjubilee

matthiaskrgr · web-flow · commit 6ade237b6c62 · 2024-12-22T21:59:24.000+01:00
docs: `transmute<&mut T, &mut MaybeUninit<T>>` is unsound when exposed to safe code Closes #66699 On my system (Edit: And also in the [playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=90529e2a9900599cb759e4bfaa5b5efe)) the example program terminates with an unpredictable exit code: ```console $ cargo +nightly build && target/debug/bin ; echo $? 255 $ cargo +nightly build && target/debug/bin ; echo $? 253 ``` And miri considers the code to have undefined behavior: ```console $ cargo +nightly miri run error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory --> src/main.rs:12:24 | 12 | std::process::exit(*code); // UB! Accessing uninitialized memory | ^^^^^ using uninitialized data, but this operation requires initialized memory | error: aborting due to 1 previous error ```
diff --git a/library/core/src/mem/maybe_uninit.rs b/library/core/src/mem/maybe_uninit.rs
@@ -232,6 +232,26 @@ use crate::{fmt, intrinsics, ptr, slice};
 /// remain `#[repr(transparent)]`. That said, `MaybeUninit<T>` will *always* guarantee that it has
 /// the same size, alignment, and ABI as `T`; it's just that the way `MaybeUninit` implements that
 /// guarantee may evolve.
+///
+/// Note that even though `T` and `MaybeUninit<T>` are ABI compatible it is still unsound to
+/// transmute `&mut T` to `&mut MaybeUninit<T>` and expose that to safe code because it would allow
+/// safe code to access uninitialized memory:
+///
+/// ```rust,no_run
+/// use core::mem::MaybeUninit;
+///
+/// fn unsound_transmute<T>(val: &mut T) -> &mut MaybeUninit<T> {
+///     unsafe { core::mem::transmute(val) }
+/// }
+///
+/// fn main() {
+///     let mut code = 0;
+///     let code = &mut code;
+///     let code2 = unsound_transmute(code);
+///     *code2 = MaybeUninit::uninit();
+///     std::process::exit(*code); // UB! Accessing uninitialized memory.
+/// }
+/// ```
 #[stable(feature = "maybe_uninit", since = "1.36.0")]
 // Lang item so we can wrap other types in it. This is useful for coroutines.
 #[lang = "maybe_uninit"]
