Different behavior when changing opt-level

[tgeng]

I tried this code:

use std::ops::Deref;

struct TaggedPointer<T>(T);

impl<'a, T> Deref for TaggedPointer<&'a T> {
    type Target = T;

    fn deref(&self) -> &Self::Target {
        unsafe {
            let ptr = self.0 as *const T as usize;
            let ptr = ptr & !0b11;
            &*(ptr as *const T)
        }
    }
}

fn tag_pointer<T>(ptr: &T) -> &T {
    unsafe {
        let ptr = ptr as *const T as usize;
        &*((ptr | 0b01) as *const T)
    }
}


fn main() {
    let i = 123;
    let tagged_pointer = TaggedPointer(tag_pointer(&i));
    assert_eq!(*tagged_pointer, 123);
}

I expected to see this happen:
Regardless of opt-level in Cargo.toml, the assertion should succeed since the deref impl would undo the pointer tag.

Instead, this happened:
With opt-level = 0, I see the expected behavior: assertion succeeds. But with opt-level = 1 or above, the assertion fails.

Meta

> rustc --version --verbose
rustc 1.81.0-nightly (3cb521a43 2024-06-22)
binary: rustc
commit-hash: 3cb521a4344f0b556b81c55eec8facddeb1ead83
commit-date: 2024-06-22
host: aarch64-apple-darwin
release: 1.81.0-nightly
LLVM version: 18.1.7

Backtrace

> RUST_BACKTRACE=1 cargo build
    Finished `dev` profile [optimized + debuginfo] target(s) in 0.17s

[asquared31415]

The tag_pointer operation is undefined behavior. When you &* on the pointer you've created, there's a rule that the pointer must be in bounds of an allocation, but in your case there isn't. When in opt-level 1, the optimizer is likely using its knowledge of the rules around pointers and causing your code to behave differently than you expected.

@rustbot label -needs-triage -C-bug +C-discussion

[asquared31415]

As a fix, I would suggest having TaggedPointer store a *const T or some other raw pointer, and only doing the * operation after masking it back to the correct value. This means you lose the lifetime checks, but it may be possible to have a PhantomData<&'a T> to keep the lifetime around.

[CraftSpider]

If writing unsafe code, you may want to use miri, the UB checker. For this code it emits the following error:

Miri Output

error: Undefined Behavior: out-of-bounds pointer use: alloc1225 has size 4, so pointer to 4 bytes starting at offset 1 is out-of-bounds
  --> src/main.rs:20:9
   |
20 |         &*((ptr | 0b01) as *const T)
   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ out-of-bounds pointer use: alloc1225 has size 4, so pointer to 4 bytes starting at offset 1 is out-of-bounds
   |
   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
help: alloc1225 was allocated here:
  --> src/main.rs:26:9
   |
26 |     let i = 123;
   |         ^
   = note: BACKTRACE (of the first span):
   = note: inside `tag_pointer::<i32>` at src/main.rs:20:9: 20:37
note: inside `main`
  --> src/main.rs:27:40
   |
27 |     let tagged_pointer = TaggedPointer(tag_pointer(&i));
   |                                        ^^^^^^^^^^^^^^^

[tgeng]

Ah thanks for the explanation and tips! I will check out miri!