Padding considered uninitialized data when type is transmuted in const fn

[jean-airoldie]

For some reason the compiler treats some value cast to bytes via mem::transmute as uninitialized memory in a const function context.

use static_assertions::assert_eq_size;

struct Buf<const N: usize> {
    bytes: [u8; N],
    cursor: usize,
}

impl<const N: usize> Buf<N> {
    const fn new() -> Self {
        Self {
            bytes: [0u8; N],
            cursor: 0,
        }
    }

    const fn push_u32_slice(&mut self, slice: &[u32]) {
        if self.bytes.len() - self.cursor < slice.len() {
            panic!("exceeded capacity");
        }

        let mut i = 0;
        while i < slice.len() {
            let array = slice[i].to_le_bytes();
            let mut j = 0;
            while j < slice.len() {
                self.bytes[self.cursor + i] = array[j];
                j += 1;
            }
            i += 1;
        }
        self.cursor += slice.len();
    }
}

#[repr(u8)]
enum Frame {
    First(u16),
    Second,
}

assert_eq_size!(Frame, u32);

impl Frame {
    const fn cast_slice(slice: &[Frame]) -> &[u32] {
        // SAFETY We know the slice is valid and casting to bytes should
        // always be valid, even if repr(rust) isn't stable yet.
        unsafe { std::mem::transmute(slice) }
    }
}

const FRAMES: &[Frame] = &[Frame::First(8), Frame::Second];
const NB_BYTES: usize = FRAMES.len() * std::mem::size_of::<Frame>();
const SERIALIZED_FRAMES: [u8; NB_BYTES] = {
    let mut buf = Buf::<NB_BYTES>::new();
    let bytes = Frame::cast_slice(FRAMES);
    buf.push_u32_slice(&bytes);
    buf.bytes
};

Here's a link to the repo with this code.

Meta

rustc --version --verbose:

rustc 1.83.0-nightly (52fd99839 2024-10-10)
binary: rustc
commit-hash: 52fd9983996d9fcfb719749838336be66dee68f9
commit-date: 2024-10-10
host: x86_64-unknown-linux-gnu
release: 1.83.0-nightly
LLVM version: 19.1.1

Error output

error[E0080]: evaluation of constant value failed
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^ accessing memory based on pointer with alignment 2, but alignment 4 is required
   |
note: inside `Buf::<8>::push_u32_slice`
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^
note: inside `SERIALIZED_FRAMES`
  --> src/lib.rs:56:5
   |
56 |     buf.push_u32_slice(&bytes);
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0080`.
error: could not compile `const_uninit_bug` (lib) due to 1 previous error

Edit1: Updated example to cast to u32 before casting to bytes for clarity

[jean-airoldie]

Interestingly, if i replace the slice cast & slice access by a ptr cast and ptr write i get this error instead:

#![feature(const_ptr_write)]

struct Buf<const N: usize> {
    bytes: [u8; N],
    cursor: usize,
}

impl<const N: usize> Buf<N> {
    const fn new() -> Self {
        Self {
            bytes: [0u8; N],
            cursor: 0,
        }
    }

    const fn push_frame_slice(&mut self, slice: &[Frame]) {
        if self.bytes.len() - self.cursor < slice.len() {
            panic!("exceeded capacity");
        }

        let mut i = 0;
        while i < slice.len() {
            let frame = slice[i];

            let ptr = unsafe { self.bytes.as_mut_ptr().add(self.cursor) as *mut Frame };
            unsafe { ptr.write(frame) };
            self.cursor += std::mem::size_of::<Frame>();

            i += 1;
        }
    }
}

#[derive(Copy, Clone)]
#[repr(u8)]
enum Frame {
    First(u16),
    Second,
}

const FRAMES: &[Frame] = &[Frame::First(8), Frame::Second];
const NB_BYTES: usize = FRAMES.len() * std::mem::size_of::<Frame>();
const SERIALIZED_FRAMES: [u8; NB_BYTES] = {
    let mut buf = Buf::<NB_BYTES>::new();
    buf.push_frame_slice(FRAMES);
    buf.bytes
};

Output

error[E0080]: it is undefined behavior to use this value
  --> src/lib.rs:43:1
   |
43 | const SERIALIZED_FRAMES: [u8; NB_BYTES] = {
   | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ constructing invalid value at [1]: encountered uninitialized memory, but expected an integer
   |
   = note: The rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
   = note: the raw bytes of the constant (size: 8, align: 1) {
               00 __ 08 00 01 __ __ __                         │ .░...░░░
           }

For more information about this error, try `rustc --explain E0080`.

So in other words, the zeroed bytes that are not explicitely part of the enum as considered uninitialized, even if I use repr(C).

[saethlin]

The diagnostic in your second comment is about the padding between the u8 discriminant and the u16 field in the enum. The diagram

00 __ 08 00 01 __ __ __ 

Is byte 0, for the Frame::First discriminant, an uninitialized byte because there is padding between the discriminant and the field, 08 00 for the u16 field, then 01 for the discriminant of the Frame::Second.

Your cast_slice returns a slice with a length that is too short. Transmute only does a typed copy of the source operand as the destination type. The length field in that slice is 2, so your push_u8_slice never even gets to the bytes that are uninitialized because of the layout of Frame::Second.

Is there official documentation that led you to conclude that repr(C) enums don't have padding? I'm asking in case we have some misleading language around, if we do we need to fix it.

[saethlin]

There are two major crates for doing these kinds of reinterpreting reference transmutes, bytemuck and zerocopy. They are both designed to avoid problems like you're running into.

[jean-airoldie]

Not that's not what i'm saying, I'm saying the padding is interpreted as uninitialized, as you can see in the second example. I don't understand why padding would be considered uninitialized. Moreover this only occurs at compile time. I'll update my example for clarity.

[jean-airoldie]

I have updated the example.

[jean-airoldie]

There are two major crates for doing these kinds of reinterpreting reference transmutes, bytemuck and zerocopy. They are both designed to avoid problems like you're running into.

@saethlin Using bytemuck or zerocopy won't do anything because they also use mem:transmute. My initial example was misleading, I updated it, please have another look. My constraint is also compile time serialization, which is why the code i provided is shitty, because you can't simply copy_from_slice in compile time fns.

For instance bytemuck uses internal::cast, which is this method:

/// Cast `A` into `B`
///
/// ## Panics
///
/// * This is like [`try_cast`](try_cast), but will panic on a size mismatch.
#[inline]
pub(crate) unsafe fn cast<A: Copy, B: Copy>(a: A) -> B {
  if size_of::<A>() == size_of::<B>() {
    unsafe { transmute!(a) }
  } else {
    something_went_wrong("cast", PodCastError::SizeMismatch)
  }
}

Aka transmute, so there's no way around it.

[jean-airoldie]

The diagnostic in your second comment is about the padding between the u8 discriminant and the u16 field in the enum. The diagram

00 __ 08 00 01 __ __ __ 

Is byte 0, for the Frame::First discriminant, an uninitialized byte because there is padding between the discriminant and the field, 08 00 for the u16 field, then 01 for the discriminant of the Frame::Second.

Your cast_slice returns a slice with a length that is too short. Transmute only does a typed copy of the source operand as the destination type. The length field in that slice is 2, so your push_u8_slice never even gets to the bytes that are uninitialized because of the layout of Frame::Second.

Is there official documentation that led you to conclude that repr(C) enums don't have padding? I'm asking in case we have some misleading language around, if we do we need to fix it.

Padding should be zeroes, not uninitialized.

[jean-airoldie]

The issue isn't that there is padding, its that the padding is considered uninitialized in constant functions for some reason.

[jean-airoldie]

Here's the same example with an union instead of an enum:

Code

use static_assertions::assert_eq_size;

struct Buf<const N: usize> {
    bytes: [u8; N],
    cursor: usize,
}

impl<const N: usize> Buf<N> {
    const fn new() -> Self {
        Self {
            bytes: [0u8; N],
            cursor: 0,
        }
    }

    const fn push_u32_slice(&mut self, slice: &[u32]) {
        if self.bytes.len() - self.cursor < slice.len() {
            panic!("exceeded capacity");
        }

        let mut i = 0;
        while i < slice.len() {
            let array = slice[i].to_le_bytes();
            let mut j = 0;
            while j < slice.len() {
                self.bytes[self.cursor + i] = array[j];
                j += 1;
            }
            i += 1;
        }
        self.cursor += slice.len();
    }
}

#[repr(C)]
struct Frame {
    kind: FrameKind,
    data: FrameData,
}

#[repr(u8)]
enum FrameKind {
    First,
    Second,
}

#[repr(C)]
union FrameData {
    a: u16,
    b: (),
}

assert_eq_size!(Frame, u32);

impl Frame {
    const fn cast_slice(slice: &[Frame]) -> &[u32] {
        // SAFETY We know the slice is valid and casting to bytes should
        // always be valid, even if repr(rust) isn't stable yet.
        unsafe { std::mem::transmute(slice) }
    }
}

const FRAMES: &[Frame] = &[
    Frame {
        kind: FrameKind::First,
        data: FrameData {
            a: 8,
        },
    },
    Frame {
        kind: FrameKind::Second,
        data: FrameData {
            b: (),
        },
    },
];
const NB_BYTES: usize = FRAMES.len() * std::mem::size_of::<Frame>();
const SERIALIZED_FRAMES: [u8; NB_BYTES] = {
    let mut buf = Buf::<NB_BYTES>::new();
    let bytes = Frame::cast_slice(FRAMES);
    buf.push_u32_slice(&bytes);
    buf.bytes
};

Output

error[E0080]: evaluation of constant value failed
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^ accessing memory based on pointer with alignment 2, but alignment 4 is required
   |
note: inside `Buf::<8>::push_u32_slice`
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^
note: inside `SERIALIZED_FRAMES`
  --> src/lib.rs:81:5
   |
81 |     buf.push_u32_slice(&bytes);
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0080`.
error: could not compile `const_uninit_bug` (lib) due to 1 previous error

Same issue, where the padding in the union is considered uninitialized.

Edit1: Added collapsible code to reduce clutter

[jean-airoldie]

And here's the same example using a struct with padding:

Code

use static_assertions::assert_eq_size;

struct Buf<const N: usize> {
    bytes: [u8; N],
    cursor: usize,
}

impl<const N: usize> Buf<N> {
    const fn new() -> Self {
        Self {
            bytes: [0u8; N],
            cursor: 0,
        }
    }

    const fn push_u32_slice(&mut self, slice: &[u32]) {
        if self.bytes.len() - self.cursor < slice.len() {
            panic!("exceeded capacity");
        }

        let mut i = 0;
        while i < slice.len() {
            let array = slice[i].to_le_bytes();
            let mut j = 0;
            while j < slice.len() {
                self.bytes[self.cursor + i] = array[j];
                j += 1;
            }
            i += 1;
        }
        self.cursor += slice.len();
    }
}

#[repr(C)]
struct Frame {
    a: u16,
    b: u8,
}

assert_eq_size!(Frame, u32);

impl Frame {
    const fn cast_slice(slice: &[Frame]) -> &[u32] {
        // SAFETY We know the slice is valid and casting to bytes should
        // always be valid, even if repr(rust) isn't stable yet.
        unsafe { std::mem::transmute(slice) }
    }
}

const FRAMES: &[Frame] = &[
    Frame {
        a: 8,
        b: 1,
    },
    Frame {
        a: 0,
        b: 0,
    },
];
const NB_BYTES: usize = FRAMES.len() * std::mem::size_of::<Frame>();
const SERIALIZED_FRAMES: [u8; NB_BYTES] = {
    let mut buf = Buf::<NB_BYTES>::new();
    let bytes = Frame::cast_slice(FRAMES);
    buf.push_u32_slice(&bytes);
    buf.bytes
};

Output

error[E0080]: evaluation of constant value failed
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^ accessing memory based on pointer with alignment 2, but alignment 4 is required
   |
note: inside `Buf::<8>::push_u32_slice`
  --> src/lib.rs:23:25
   |
23 |             let array = slice[i].to_le_bytes();
   |                         ^^^^^^^^
note: inside `SERIALIZED_FRAMES`
  --> src/lib.rs:65:5
   |
65 |     buf.push_u32_slice(&bytes);
   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^

For more information about this error, try `rustc --explain E0080`.
error: could not compile `const_uninit_bug` (lib) due to 1 previous error