Rollup merge of rust-lang#98839 - 5225225:assert_transmute_copy_size, r=thomcc

Dylan-DPC · web-flow · commit 8f686292173b · 2022-07-18T15:33:20.000+05:30
Add assertion that `transmute_copy`'s U is not larger than T This is called out as a safety requirement in the docs, but because knowing this can be done at compile time and constant folded (just like the `align_of` branch is removed), we can just panic here. I've looked at the asm (using `cargo-asm`) of a function that both is correct and incorrect, and the panic is completely removed, or is unconditional, without needing build-std. I don't expect this to cause much breakage in the wild. I scanned through https://miri.saethlin.dev/ub for issues that would look like this (error: Undefined Behavior: memory access failed: alloc1768 has size 1, so pointer to 8 bytes starting at offset 0 is out-of-bounds), but couldn't find any. That doesn't rule out it happening in crates tested that fail earlier for some other reason, though, but it indicates that doing this is rare, if it happens at all. A crater run for this would need to be build and test, since this is a runtime thing. Also added a few more transmute_copy tests.
diff --git a/library/core/src/mem/mod.rs b/library/core/src/mem/mod.rs
@@ -1040,6 +1040,8 @@ pub fn copy<T: Copy>(x: &T) -> T {
 #[stable(feature = "rust1", since = "1.0.0")]
 #[rustc_const_unstable(feature = "const_transmute_copy", issue = "83165")]
 pub const unsafe fn transmute_copy<T, U>(src: &T) -> U {
+    assert!(size_of::<T>() >= size_of::<U>(), "cannot transmute_copy if U is larger than T");
+
     // If U has a higher alignment requirement, src might not be suitably aligned.
     if align_of::<U>() > align_of::<T>() {
         // SAFETY: `src` is a reference which is guaranteed to be valid for reads.
diff --git a/library/core/tests/mem.rs b/library/core/tests/mem.rs
@@ -97,6 +97,46 @@ fn test_transmute_copy() {
     assert_eq!(1, unsafe { transmute_copy(&1) });
 }
 
+#[test]
+fn test_transmute_copy_shrink() {
+    assert_eq!(0_u8, unsafe { transmute_copy(&0_u64) });
+}
+
+#[test]
+fn test_transmute_copy_unaligned() {
+    #[repr(C)]
+    #[derive(Default)]
+    struct Unaligned {
+        a: u8,
+        b: [u8; 8],
+    }
+
+    let u = Unaligned::default();
+    assert_eq!(0_u64, unsafe { transmute_copy(&u.b) });
+}
+
+#[test]
+#[cfg(panic = "unwind")]
+fn test_transmute_copy_grow_panics() {
+    use std::panic;
+
+    let err = panic::catch_unwind(panic::AssertUnwindSafe(|| unsafe {
+        let _unused: u64 = transmute_copy(&1_u8);
+    }));
+
+    match err {
+        Ok(_) => unreachable!(),
+        Err(payload) => {
+            payload
+                .downcast::<&'static str>()
+                .and_then(|s| {
+                    if *s == "cannot transmute_copy if U is larger than T" { Ok(s) } else { Err(s) }
+                })
+                .unwrap_or_else(|p| panic::resume_unwind(p));
+        }
+    }
+}
+
 #[test]
 #[allow(dead_code)]
 fn test_discriminant_send_sync() {
