derive(CoercePointee) is unsound with user-defined attribute macros. #148899
Description
This issue has the same cause as #148423, but applied to a different derive macro.
This issue uses a similar mechanism to #134407 to cause unsoundness, but this issue uses unsize-coercion instead of higher ranked function pointer subtyping.
The following code causes a use-after-free, crashing in my testing. (The explanation is below the code.)
(Here's the equivalent code on the playground, using the macro_attr feature to define an attribute macro without needing to use a separate crate.)
dep/src/lib.rs:
use proc_macro::TokenStream;
#[proc_macro_attribute]
pub fn discard(_: TokenStream, _: TokenStream) -> TokenStream {
TokenStream::new()
}src/main.rs:
#![feature(derive_coerce_pointee)]
use std::marker::CoercePointee;
use std::ops::{Deref, DerefMut};
use std::pin::{Pin, pin};
use std::task::{Context, Poll, Waker};
use dep::discard;
#[derive(CoercePointee)]
#[discard]
#[repr(transparent)]
struct Thing<T: ?Sized>(Box<T>);
#[derive(CoercePointee)]
#[repr(transparent)]
struct Wrap<T: ?Sized>(Box<T>);
type Thing<T> = Pin<Wrap<T>>;
trait IsType<T> {
fn as_mut_type(&mut self) -> &mut T;
fn into_type(self: Box<Self>) -> T;
}
impl<T> IsType<T> for T {
fn as_mut_type(&mut self) -> &mut T {
self
}
fn into_type(self: Box<Self>) -> T {
*self
}
}
trait SubIsType<T>: IsType<T> {}
impl<T> SubIsType<T> for T {}
impl<T: Sized> Deref for Wrap<T> {
type Target = u8;
fn deref(&self) -> &u8 {
unreachable!()
}
}
impl<T: Sized> Deref for Wrap<dyn IsType<T> + '_> {
type Target = u8;
fn deref(&self) -> &u8 {
unreachable!()
}
}
impl<T> Deref for Wrap<dyn SubIsType<T> + '_> {
type Target = T;
fn deref(&self) -> &T {
unreachable!()
}
}
impl<T> DerefMut for Wrap<dyn SubIsType<T> + '_> {
fn deref_mut(&mut self) -> &mut T {
(*self.0).as_mut_type()
}
}
fn wrong_pin<T>(value: T, callback: impl FnOnce(Pin<&mut T>)) -> T {
let pin_sized: Pin<Wrap<T>> = Pin::new(Wrap(Box::new(value)));
let mut pin_sub: Pin<Wrap<dyn SubIsType<T>>> = pin_sized;
let pin_direct: Pin<&mut T> = pin_sub.as_mut();
callback(pin_direct);
let pin_super: Pin<Wrap<dyn IsType<T>>> = pin_sub;
Pin::into_inner(pin_super).0.into_type()
}
struct Delay(bool);
impl Future for Delay {
type Output = ();
fn poll(mut self: Pin<&mut Self>, _cx: &mut Context<'_>) -> Poll<()> {
if self.0 {
Poll::Ready(())
} else {
self.as_mut().0 = true;
Poll::Pending
}
}
}
fn main() {
let future = async {
let x = String::from("abc");
let y = &x;
Delay(false).await;
println!("{y}");
};
let mut cx = Context::from_waker(Waker::noop());
let future = wrong_pin(future, |pinned| {
let _ = pinned.poll(&mut cx);
});
let _ = pin!(future).poll(&mut cx);
}The derive(CoercePointee) macro tries to implement the Unsize trait on a struct named Thing. Due to the #[discard] macro, the Unsize trait instead gets implemented on the type alias type Thing<T> = Pin<Wrap<T>>; (which doesn't violate orphan rules, since Pin is a fundamental type). As a result, Pin<Wrap<T>> can unsize-coerce the T type, as though Wrap<T> implemented the PinCoerceUnsized trait.
I implement Deref on Wrap<impl Sized> and Wrap<dyn IsType<T>> so that no pin guarantee exists on those types (since they deref to u8, which is Unpin). However, I implement Wrap<dyn SubIsType<T>> so that there is actually a pin guarantee.
In the wrong_pin function, I create a Wrap<impl Sized> (without any pin guarantees). I unsize-coerce it to Wrap<dyn SubIsType<T>> (which does have a pin guarantee), and then trait-upcast it to Wrap<dyn IsType<T>> (without any pin guarantees). I then extract the T out and return it. During the time where the pin guarantee exists, I call a callback which makes use of the pin guarantee. This pin guarantee is, of course, violated when the T value is extracted.
The main function then uses this violation of Pin guarantees to cause UB.
Meta
rustc --version --verbose:
rustc 1.93.0-nightly (01867557c 2025-11-12)
binary: rustc
commit-hash: 01867557cd7dbe256a031a7b8e28d05daecd75ab
commit-date: 2025-11-12
host: aarch64-apple-darwin
release: 1.93.0-nightly
LLVM version: 21.1.5