Skip to content

Pin is unsound due to transitive effects of CoerceUnsized #68015

New issue
New issue
Open
Open
Pin is unsound due to transitive effects of CoerceUnsized#68015
Labels
C-bugCategory: This is a bug.E-needs-mcveCall for participation: This issue has a repro, but needs a Minimal Complete and Verifiable ExampleF-coerce_unsizedThe `CoerceUnsized` traitI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-mediumMedium priorityT-langRelevant to the language teamrequires-nightlyThis issue requires a nightly compiler in some way.
@nikomatsakis

Description

@nikomatsakis
nikomatsakis
opened on Jan 9, 2020
Contributor

Split out from #66544. It is possible to exploit Pin on nightly Rust (but not stable) by creating smart pointers that implement CoerceUnsized but have strange behavior. See the dedicated internals thread for more details -- also, please keep conversation on the thread, and not on the Github issue. ❤️

Activity

nikomatsakis
added
T-langRelevant to the language team
I-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
F-coerce_unsizedThe `CoerceUnsized` trait
I-nominated
on Jan 9, 2020
nikomatsakis
mentioned this on Jan 9, 2020
nikomatsakis
added
P-highHigh priority
on Jan 9, 2020
nikomatsakis
removed
I-nominated
on Feb 14, 2020
Dylan-DPC-zz
added a commit that references this issue on Mar 21, 2020

Rollup merge of rust-lang#68004 - nikomatsakis:negative-impls, r=varkor

16338b1
Centril
added a commit that references this issue on Mar 26, 2020

Rollup merge of rust-lang#68004 - nikomatsakis:negative-impls, r=varkor

b0a63cb
JohnTitor
added
C-bugCategory: This is a bug.
on Apr 20, 2020
jonas-schievink
added
requires-nightlyThis issue requires a nightly compiler in some way.
on May 10, 2020
Elinvynia
added
I-prioritizeIssue: Indicates that prioritization has been requested for this issue.
on Jun 10, 2020
LeSeulArtichaut
removed
I-prioritizeIssue: Indicates that prioritization has been requested for this issue.
on Jun 10, 2020
nikomatsakis
removed
P-highHigh priority
on Jun 23, 2020
aturon
mentioned this on Jun 23, 2020
nikomatsakis

nikomatsakis commented on Jun 23, 2020

@nikomatsakis
nikomatsakis
on Jun 23, 2020
ContributorAuthor

Lowering the priority of this to medium, adding as a blocker to #27732 (coerce unsized stabilization).

mzji

mzji commented on Jul 4, 2020

@mzji
mzji
on Jul 4, 2020 · Hidden as resolved
nikomatsakis
added
P-mediumMedium priority
on Jul 9, 2020
steffahn

steffahn commented on May 9, 2021

@steffahn
steffahn
on May 9, 2021
Member

Update: It is possible to abuse existing CoerceUnsized implementations on stable. See #85099 (although I created that issue before reading any of this issue and its IRLO thread, so don’t expect any syntactic similarity to the unsoundness examples of this issue).

The type Pin<&LocalType> implements Deref<Target = LocalType> but it doesn’t implement DerefMut. The types Pin and & are #[fundamental] so that an impl DerefMut for Pin<&LocalType>> is possible. You can use LocalType == SomeLocalStruct or LocalType == dyn LocalTrait and you can coerce Pin<Pin<&SomeLocalStruct>> into Pin<Pin<&dyn LocalTrait>>. (Indeed, two layers of Pin!!) This allows creating a pair of “smart pointers that implement CoerceUnsized but have strange behavior” on stable (Pin<&SomeLocalStruct> and Pin<&dyn LocalTrait> become the smart pointers with “strange behavior” and they already implement CoerceUnsized).

More concretely: Since Pin<&dyn LocalTrait>: Deref<dyn LocalTrait>, a “strange behavior” DerefMut implementation of Pin<&dyn LocalTrait> can be used to dereference an underlying Pin<&SomeLocalStruct> into, effectively, a target type (wrapped in the trait object) that’s different from SomeLocalStruct. The struct SomeLocalStruct might always be Unpin while the different type behind the &mut dyn LocalTrait returned by DerefMut can be !Unpin. Having SomeLocalStruct: Unpin allows for easy creation of the Pin<Pin<&SomeLocalStruct>> which coerces into Pin<Pin<&dyn LocalTrait>> even though Pin<&dyn LocalTrait>::Target: !Unpin (and even the actual Target type inside of the trait object being returned by the DerefMut can be !Unpin).

Methods on LocalTrait can be used both to make the DerefMut implementation possible and to convert the Pin<&mut dyn LocalTrait> (from a Pin::as_mut call on &mut Pin<Pin<&dyn LocalTrait>>) back into a pinned mutable referene to the concrete “type behind the &mut dyn LocalTrait returned by DerefMut.

steffahn
mentioned this on May 9, 2021
nikomatsakis
mentioned this on Nov 30, 2022
ojeda
mentioned this on Jan 27, 2023
gburgessiv
mentioned this on Feb 25, 2023
jackh726
added
E-needs-mcveCall for participation: This issue has a repro, but needs a Minimal Complete and Verifiable Example
on Oct 11, 2023
brody4hire
mentioned this on Nov 6, 2024
Darksonn

Darksonn commented on Aug 4, 2025

@Darksonn
Darksonn
on Aug 4, 2025
Contributor

I just came across this. I believe this was solved by the addition of PinCoerceUnsized. See also this section of the derive(SmartPointer) RFC.

Darksonn
mentioned this on Aug 4, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Metadata

Metadata

Assignees

No one assigned

    Labels

    C-bugCategory: This is a bug.E-needs-mcveCall for participation: This issue has a repro, but needs a Minimal Complete and Verifiable ExampleF-coerce_unsizedThe `CoerceUnsized` traitI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/SoundnessP-mediumMedium priorityT-langRelevant to the language teamrequires-nightlyThis issue requires a nightly compiler in some way.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

      Development

      No branches or pull requests

        Participants

        @nikomatsakis@Darksonn@jonas-schievink@steffahn@mzji

        Issue actions