Respect alignment for zero-sized types stored in the world (#6618)

joseph-gio · joseph-gio · commit 3ac06b57e904 · 2022-11-14T21:16:53.000Z
# Objective Fixes #6615. `BlobVec` does not respect alignment for zero-sized types, which results in UB whenever a ZST with alignment other than 1 is used in the world. ## Solution Add the fn `bevy_ptr::dangling_with_align`. --- ## Changelog + Added the function `dangling_with_align` to `bevy_ptr`, which creates a well-aligned dangling pointer to a type whose alignment is not known at compile time.
diff --git a/crates/bevy_ecs/src/storage/blob_vec.rs b/crates/bevy_ecs/src/storage/blob_vec.rs
@@ -50,9 +50,10 @@ impl BlobVec {
         capacity: usize,
     ) -> BlobVec {
         if item_layout.size() == 0 {
+            let align = NonZeroUsize::new(item_layout.align()).expect("alignment must be > 0");
             BlobVec {
                 swap_scratch: NonNull::dangling(),
-                data: NonNull::dangling(),
+                data: bevy_ptr::dangling_with_align(align),
                 capacity: usize::MAX,
                 len: 0,
                 item_layout,
@@ -405,7 +406,8 @@ const fn padding_needed_for(layout: &Layout, align: usize) -> usize {
 
 #[cfg(test)]
 mod tests {
-    use crate::ptr::OwningPtr;
+    use crate as bevy_ecs; // required for derive macros
+    use crate::{component::Component, ptr::OwningPtr, world::World};
 
     use super::BlobVec;
     use std::{alloc::Layout, cell::RefCell, rc::Rc};
@@ -544,4 +546,28 @@ mod tests {
         // SAFETY: drop is able to drop a value of its `item_layout`
         let _ = unsafe { BlobVec::new(item_layout, Some(drop), 0) };
     }
+
+    #[test]
+    fn aligned_zst() {
+        // NOTE: This test is explicitly for uncovering potential UB with miri.
+
+        #[derive(Component)]
+        #[repr(align(32))]
+        struct Zst;
+
+        let mut world = World::default();
+        world.spawn(Zst);
+        world.spawn(Zst);
+        world.spawn(Zst);
+        world.spawn_empty();
+
+        let mut count = 0;
+
+        let mut q = world.query::<&Zst>();
+        for &Zst in q.iter(&world) {
+            count += 1;
+        }
+
+        assert_eq!(count, 3);
+    }
 }
diff --git a/crates/bevy_ptr/src/lib.rs b/crates/bevy_ptr/src/lib.rs
@@ -2,7 +2,9 @@
 #![no_std]
 #![warn(missing_docs)]
 
-use core::{cell::UnsafeCell, marker::PhantomData, mem::MaybeUninit, ptr::NonNull};
+use core::{
+    cell::UnsafeCell, marker::PhantomData, mem::MaybeUninit, num::NonZeroUsize, ptr::NonNull,
+};
 
 /// Type-erased borrow of some unknown type chosen when constructing this type.
 ///
@@ -243,6 +245,14 @@ impl<'a, T> From<&'a [T]> for ThinSlicePtr<'a, T> {
     }
 }
 
+/// Creates a dangling pointer with specified alignment.
+/// See [`NonNull::dangling`].
+pub fn dangling_with_align(align: NonZeroUsize) -> NonNull<u8> {
+    // SAFETY: The pointer will not be null, since it was created
+    // from the address of a `NonZeroUsize`.
+    unsafe { NonNull::new_unchecked(align.get() as *mut u8) }
+}
+
 mod private {
     use core::cell::UnsafeCell;
 
