[derive] Support IntoBytes on repr(Rust) structs (#1796)

joshlf · web-flow · commit cc6597a5a250 · 2024-10-03T15:37:57.000Z
The Reference guarantees that, even in `repr(Rust)` structs, fields cannot overlap. This is sufficient to guarantee the soundness of implementing `IntoBytes` on some `repr(Rust)` structs. Closes #1794
diff --git a/zerocopy-derive/src/lib.rs b/zerocopy-derive/src/lib.rs
@@ -853,27 +853,42 @@ fn derive_into_bytes_struct(ast: &DeriveInput, strct: &DataStruct) -> Result<Tok
     let is_packed_1 = repr.is_packed_1();
     let num_fields = strct.fields().len();
 
-    let (padding_check, require_unaligned_fields) = if is_transparent || (is_c && is_packed_1) {
+    let (padding_check, require_unaligned_fields) = if is_transparent || is_packed_1 {
         // No padding check needed.
         // - repr(transparent): The layout and ABI of the whole struct is the
         //   same as its only non-ZST field (meaning there's no padding outside
         //   of that field) and we require that field to be `IntoBytes` (meaning
         //   there's no padding in that field).
-        // - repr(C, packed): Any inter-field padding bytes are removed, meaning
+        // - repr(packed): Any inter-field padding bytes are removed, meaning
         //   that any padding bytes would need to come from the fields, all of
         //   which we require to be `IntoBytes` (meaning they don't have any
-        //   padding).
+        //   padding). Note that this holds regardless of other `repr`
+        //   attributes, including `repr(Rust)`. [1]
+        //
+        // [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#the-alignment-modifiers:
+        //
+        //   An important consequence of these rules is that a type with
+        //   `#[repr(packed(1))]`` (or `#[repr(packed)]``) will have no
+        //   inter-field padding.
         (None, false)
     } else if is_c && !repr.is_align_gt_1() && num_fields <= 1 {
         // No padding check needed. A repr(C) struct with zero or one field has
         // no padding unless #[repr(align)] explicitly adds padding, which we
         // check for in this branch's condition.
         (None, false)
-    } else if is_c && ast.generics.params.is_empty() {
-        // Since there are no generics, we can emit a padding check. `repr(C)`
-        // guarantees that fields won't overlap, so the padding check is sound.
-        // This is more permissive than the next case, which requires that all
-        // field types implement `Unaligned`.
+    } else if ast.generics.params.is_empty() {
+        // Since there are no generics, we can emit a padding check. All reprs
+        // guarantee that fields won't overlap [1], so the padding check is
+        // sound. This is more permissive than the next case, which requires
+        // that all field types implement `Unaligned`.
+        //
+        // [1] Per https://doc.rust-lang.org/1.81.0/reference/type-layout.html#the-rust-representation:
+        //
+        //   The only data layout guarantees made by [`repr(Rust)`] are those
+        //   required for soundness. They are:
+        //   ...
+        //   2. The fields do not overlap.
+        //   ...
         (Some(PaddingCheck::Struct), false)
     } else if is_c && !repr.is_align_gt_1() {
         // We can't use a padding check since there are generic type arguments.
diff --git a/zerocopy-derive/tests/struct_to_bytes.rs b/zerocopy-derive/tests/struct_to_bytes.rs
@@ -102,6 +102,31 @@ struct CPackedGeneric<T, U: ?imp::Sized> {
 util_assert_impl_all!(CPackedGeneric<u8, util::AU16>: imp::IntoBytes);
 util_assert_impl_all!(CPackedGeneric<u8, [util::AU16]>: imp::IntoBytes);
 
+#[derive(imp::IntoBytes)]
+#[repr(packed)]
+struct PackedGeneric<T, U: ?imp::Sized> {
+    t: T,
+    // Unsized types stored in `repr(packed)` structs must not be dropped
+    // because dropping them in-place might be unsound depending on the
+    // alignment of the outer struct. Sized types can be dropped by first being
+    // moved to an aligned stack variable, but this isn't possible with unsized
+    // types.
+    u: imp::ManuallyDrop<U>,
+}
+
+util_assert_impl_all!(PackedGeneric<u8, util::AU16>: imp::IntoBytes);
+util_assert_impl_all!(PackedGeneric<u8, [util::AU16]>: imp::IntoBytes);
+
+// This test is non-portable, but works so long as Rust happens to lay this
+// struct out with no padding.
+#[derive(imp::IntoBytes)]
+struct Unpacked {
+    a: u8,
+    b: u8,
+}
+
+util_assert_impl_all!(Unpacked: imp::IntoBytes);
+
 #[derive(imp::IntoBytes)]
 #[repr(C)]
 struct ReprCGenericOneField<T: ?imp::Sized> {
diff --git a/zerocopy-derive/tests/ui-msrv/struct.stderr b/zerocopy-derive/tests/ui-msrv/struct.stderr
@@ -5,109 +5,85 @@ error: this conflicts with another representation hint
     |           ^
 
 error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:140:10
+   --> tests/ui-msrv/struct.rs:138:10
     |
-140 | #[derive(IntoBytes)]
+138 | #[derive(IntoBytes)]
     |          ^^^^^^^^^
     |
     = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
 
 error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:150:10
+   --> tests/ui-msrv/struct.rs:143:10
     |
-150 | #[derive(IntoBytes)]
+143 | #[derive(IntoBytes)]
     |          ^^^^^^^^^
     |
     = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
 
 error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:159:10
+   --> tests/ui-msrv/struct.rs:166:10
     |
-159 | #[derive(IntoBytes)]
-    |          ^^^^^^^^^
-    |
-    = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
-
-error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:164:10
-    |
-164 | #[derive(IntoBytes)]
-    |          ^^^^^^^^^
-    |
-    = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
-
-error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:172:10
-    |
-172 | #[derive(IntoBytes)]
-    |          ^^^^^^^^^
-    |
-    = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
-
-error: must have a non-align #[repr(...)] attribute in order to guarantee this type's memory layout
-   --> tests/ui-msrv/struct.rs:195:10
-    |
-195 | #[derive(IntoBytes)]
+166 | #[derive(IntoBytes)]
     |          ^^^^^^^^^
     |
     = note: this error originates in the derive macro `IntoBytes` (in Nightly builds, run with -Z macro-backtrace for more info)
 
 error: cannot derive `Unaligned` on type with alignment greater than 1
-   --> tests/ui-msrv/struct.rs:206:11
+   --> tests/ui-msrv/struct.rs:177:11
     |
-206 | #[repr(C, align(2))]
+177 | #[repr(C, align(2))]
     |           ^^^^^
 
 error: this conflicts with another representation hint
-   --> tests/ui-msrv/struct.rs:210:8
+   --> tests/ui-msrv/struct.rs:181:8
     |
-210 | #[repr(transparent, align(2))]
+181 | #[repr(transparent, align(2))]
     |        ^^^^^^^^^^^
 
 error: this conflicts with another representation hint
-   --> tests/ui-msrv/struct.rs:216:16
+   --> tests/ui-msrv/struct.rs:187:16
     |
-216 | #[repr(packed, align(2))]
+187 | #[repr(packed, align(2))]
     |                ^^^^^
 
 error: this conflicts with another representation hint
-   --> tests/ui-msrv/struct.rs:220:18
+   --> tests/ui-msrv/struct.rs:191:18
     |
-220 | #[repr(align(1), align(2))]
+191 | #[repr(align(1), align(2))]
     |                  ^^^^^
 
 error: this conflicts with another representation hint
-   --> tests/ui-msrv/struct.rs:224:18
+   --> tests/ui-msrv/struct.rs:195:18
     |
-224 | #[repr(align(2), align(4))]
+195 | #[repr(align(2), align(4))]
     |                  ^^^^^
 
 error: must have #[repr(C)], #[repr(transparent)], or #[repr(packed)] attribute in order to guarantee this type's alignment
-   --> tests/ui-msrv/struct.rs:227:10
+   --> tests/ui-msrv/struct.rs:198:10
     |
-227 | #[derive(Unaligned)]
+198 | #[derive(Unaligned)]
     |          ^^^^^^^^^
     |
     = note: this error originates in the derive macro `Unaligned` (in Nightly builds, run with -Z macro-backtrace for more info)
 
 error: must have #[repr(C)], #[repr(transparent)], or #[repr(packed)] attribute in order to guarantee this type's alignment
-   --> tests/ui-msrv/struct.rs:230:10
+   --> tests/ui-msrv/struct.rs:201:10
     |
-230 | #[derive(Unaligned)]
+201 | #[derive(Unaligned)]
     |          ^^^^^^^^^
     |
     = note: this error originates in the derive macro `Unaligned` (in Nightly builds, run with -Z macro-backtrace for more info)
 
 error: this conflicts with another representation hint
-   --> tests/ui-msrv/struct.rs:240:8
+   --> tests/ui-msrv/struct.rs:211:8
     |
-240 | #[repr(C, packed(2))]
+211 | #[repr(C, packed(2))]
     |        ^
 
 error[E0692]: transparent struct cannot have other repr hints
-   --> tests/ui-msrv/struct.rs:210:8
+   --> tests/ui-msrv/struct.rs:181:8
     |
-210 | #[repr(transparent, align(2))]
+181 | #[repr(transparent, align(2))]
     |        ^^^^^^^^^^^  ^^^^^^^^
 
 error[E0277]: the size for values of type `[u8]` cannot be known at compilation time
diff --git a/zerocopy-derive/tests/ui-nightly/struct.rs b/zerocopy-derive/tests/ui-nightly/struct.rs
@@ -135,27 +135,6 @@ struct IntoBytes5 {
     a: u8,
 }
 
-// We don't emit a padding check unless there's a repr that can guarantee that
-// fields don't overlap.
-#[derive(IntoBytes)]
-struct IntoBytes6 {
-    a: u8,
-    // Add a second field to avoid triggering the "repr(C) struct with one
-    // field" special case.
-    b: u8,
-}
-
-// We don't emit a padding check unless there's a repr that can guarantee that
-// fields don't overlap. `repr(packed)` on its own doesn't guarantee this.
-#[derive(IntoBytes)]
-#[repr(packed(2))]
-struct IntoBytes7 {
-    a: u8,
-    // Add a second field to avoid triggering the "repr(C) struct with one
-    // field" special case.
-    b: u8,
-}
-
 #[derive(IntoBytes)]
 struct IntoBytes8<T> {
     t: T,
@@ -167,14 +146,6 @@ struct IntoBytes9<T> {
     t: T,
 }
 
-// `repr(packed)` without `repr(C)` is not considered sufficient to guarantee
-// layout.
-#[derive(IntoBytes)]
-#[repr(packed)]
-struct IntoBytes10<T> {
-    t: T,
-}
-
 // `repr(C, packed(2))` is not equivalent to `repr(C, packed)`.
 #[derive(IntoBytes)]
 #[repr(C, packed(2))]
diff --git a/zerocopy-derive/tests/ui-nightly/struct.stderr b/zerocopy-derive/tests/ui-nightly/struct.stderr
diff --git a/zerocopy-derive/tests/ui-stable/struct.stderr b/zerocopy-derive/tests/ui-stable/struct.stderr
