Reading dropped object's memory succeeds

[lineaar]

Consider the following (https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=3937a5d7f026fb9905f3a2ba3f7e2faf)

#[repr(C, packed)]
struct S {
    f1: u16,
    f2: u8,
}

impl Drop for S {
    fn drop(&mut self) {
        let p = self as *const S as *const u8;
        println!("Invalid p = {:?}", p);
    }
}

impl S {
    fn new() -> Self {
        S { f1: 6, f2: 6 }
    }
}

fn main() {
    let size = std::mem::size_of::<S>();
    let mut buf = [0; 8];
    let s = S::new();
    let p = &s as *const S as *const u8;

    println!("  Valid p = {:?}", p);

    assert_eq!(3, size);

    drop(s);

    for i in 0..size {
        buf[i] = unsafe { *p.add(i) };
    }

    for e in &buf {
        print!("|{}|", e);
    }
}

When reading from p, the original contents of the structure are read. Running this snippet in miri results in an error. What is interesting is the cause of the error:

println!("  Valid p = {:?}", p);

Another curious bit is that changing the attributes of the structure S to the following produces a warning.

#[repr(packed)]

[jonas-schievink]

This just looks like UB, what did you expect to happen here?

[lineaar]

• In regards to reading from p, I expected it to not compile since s moved out and p points to s.
• In the case where you would remove the two for loops, I expected the code to run successfully under miri.
• Using #[repr(packed)] or #[repr(C,packed)], I expected to have warnings regarding unused fields in both cases.

[jonas-schievink]

In regards to reading from p, I expected it to not compile since s moved out and p points to s.

p is a raw pointer, which aren't checked like references are. Check the book for more info: https://doc.rust-lang.org/book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer

Using #[repr(packed)] or #[repr(C,packed)], I expected to have warnings regarding unused fields in both cases.

This might be intentional since the struct will likely be used for FFI, but could also be a bug.

[lineaar]

raw pointers aren’t guaranteed to point to valid memory

Thank you for pointing that out.

This might be intentional since the struct will likely be used for FFI, but could also be a bug.

Would you recommend to keep the issue open if that is the case?

[RalfJung]

(Please Cc me for Miri bugs.)

The reason it does not work in Miri is that arithmetic on integers obtained from pointers is not fully supported yet. Hence you cannot print pointer values with Miri. However, we are very close to getting there! This is tracked at rust-lang/miri#224.

[RalfJung]

I don't think there is a Mri bug to track here. These days Miri can run the example, and it works and no UB is found. Whether use-after-drop should be UB is being discussed at rust-lang/unsafe-code-guidelines#188.

What remains is the fact that unused fields do not produce a warning with repr(C). I do not know if that is deliberate. @lineaar if you think that is a bug, could you open a new bug for that? Reusing the one here would be just confusing, too much discussion is about other issues. (In general, please always open separate issues for separate bugs. Mixing multiple bugs in one GH issue just ends up in a mess.)