Destructor of packed structs can move dangling references.

[theemathas]

The below code causes Miri to report UB

#![allow(dead_code)]

#[repr(C, packed)]
struct Foo<'a> {
    val: Bar<'a>,
}

struct Bar<'a>(&'a mut i32, Box<()>);

fn main() {
    let _v;
    {
        let mut b = Box::new(1);
        _v = Foo {
            val: Bar(&mut b, Box::new(())),
        };
    }
}

Miri output:

    Running `/playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/bin/cargo-miri runner target/miri/x86_64-unknown-linux-gnu/debug/playground`
error: Undefined Behavior: constructing invalid value at .0: encountered a dangling reference (use-after-free)
   --> /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:799:1
    |
799 | pub unsafe fn drop_in_place<T: PointeeSized>(to_drop: *mut T) {
    | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
    |
    = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
    = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
    = note: BACKTRACE:
    = note: inside `std::ptr::drop_in_place::<Foo<'_>> - shim(Some(Foo<'_>))` at /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:799:1: 799:62
note: inside `main`
   --> src/main.rs:18:1
    |
18  | }
    | ^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to 1 previous error

This occurs because, as documented in the docs for drop_in_place, the destructor of Foo will move the field val to a new place, in order for the value to be aligned before calling the destructor of Bar. This causes a move of a dangling reference as the destructor of the _v value is ran, which is undefined behavior.

Meta

Reproducible on the playground with 1.90.0-nightly (2025-07-03 da58c051315268a197ce)

@rustbot labels +I-unsound +A-destructors +A-repr-packed

[zachs18]

I have a patch for the mir transform that fixes up drops of packed structs that makes Miri stop complaining on the example in the OP, but I'm not sure if it's really semantically correct, or the best way to implement it: zachs18@f302889

Basically, instead of using an StatementKind::Assign to copy from the field to the to-be-dropped local, it uses NonDivergingIntrinsic::CopyNonOverlapping (at type u8 for 1-align, for SizeOf(field_ty) bytes/u8s) (I'm not even sure if NonDivergingIntrinsic::CopyNonOverlapping is valid to have in MIR at this point in the transformations? (

rust/compiler/rustc_borrowck/src/lib.rs

Line 731 in 837c5dd

"Unexpected CopyNonOverlapping, should only appear after lower_intrinsics",

) Also, not sure if it's a typed copy which would be invalid for u8 since the field may have padding)

[theemathas]

Does this interact poorly with Pin? I'm not sure. There's probably nothing of note with Pin. Pin projection already requires creating a reference to the field, so potentially unaligned references would already be prohibited as such in macro-generated code.

[RalfJung]

Cc @rust-lang/opsem

[RalfJung]

That move should probably not be typed... or at least, it should be as-if under MaybeDangling.