Fix Miri symbolic alignment check failures (#2798)

google-labs-jules[bot] · web-flow · commit ddcf94c2073a · 2025-11-22T04:49:30.000Z
* Fix Miri symbolic alignment check failures This change introduces the `miri_promise_symbolic_alignment` intrinsic and uses it to resolve false positives in Miri's symbolic alignment checking. This prepares the codebase for enabling `-Zmiri-symbolic-alignment-check` in CI. * Defined `miri_promise_symbolic_alignment` in `src/util/mod.rs` (guarded by `cfg(miri)`). * Applied the intrinsic in `src/pointer/ptr.rs` (`as_ref` and `as_mut`) to promise alignment when the `Aligned` invariant is held. * Enabled `feature(layout_for_ptr)` under Miri to allow using `align_of_val_raw` for unsized types. Note: The CI configuration (`.github/workflows/ci.yml`) must be updated separately to add `-Zmiri-symbolic-alignment-check` to `ZC_NIGHTLY_MIRIFLAGS`, as workflow modifications are restricted in this environment. Makes progress on #674 * Fix Miri symbolic alignment check failures This change introduces the `miri_promise_symbolic_alignment` intrinsic and uses it to resolve false positives in Miri's symbolic alignment checking. This prepares the codebase for enabling `-Zmiri-symbolic-alignment-check` in CI. * Defined `miri_promise_symbolic_alignment` in `src/util/mod.rs` (guarded by `cfg(miri)`). * Applied the intrinsic in `src/pointer/ptr.rs` (`as_ref` and `as_mut`) to promise alignment when the `Aligned` invariant is held. * Enabled `feature(layout_for_ptr)` under Miri to allow using `align_of_val_raw` for unsized types. Note: The CI configuration (`.github/workflows/ci.yml`) must be updated separately to add `-Zmiri-symbolic-alignment-check` to `ZC_NIGHTLY_MIRIFLAGS`, as workflow modifications are restricted in this environment. Makes progress on #674 --------- Co-authored-by: google-labs-jules[bot] <161369871+google-labs-jules[bot]@users.noreply.github.com>
diff --git a/src/lib.rs b/src/lib.rs
@@ -314,9 +314,10 @@
 )]
 #![cfg_attr(feature = "float-nightly", feature(f16, f128))]
 #![cfg_attr(doc_cfg, feature(doc_cfg))]
+#![cfg_attr(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS, feature(coverage_attribute))]
 #![cfg_attr(
-    __ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS,
-    feature(layout_for_ptr, coverage_attribute)
+    any(__ZEROCOPY_INTERNAL_USE_ONLY_NIGHTLY_FEATURES_IN_TESTS, miri),
+    feature(layout_for_ptr)
 )]
 
 // This is a hack to allow zerocopy-derive derives to work in this crate. They
diff --git a/src/pointer/ptr.rs b/src/pointer/ptr.rs
@@ -229,6 +229,15 @@ mod _conversions {
         #[allow(clippy::wrong_self_convention)]
         pub(crate) fn as_ref(self) -> &'a T {
             let raw = self.as_inner().as_non_null();
+            // SAFETY: `self` satisfies the `Aligned` invariant, so we know that
+            // `raw` is validly-aligned for `T`.
+            #[cfg(miri)]
+            unsafe {
+                crate::util::miri_promise_symbolic_alignment(
+                    raw.as_ptr().cast(),
+                    core::mem::align_of_val_raw(raw.as_ptr()),
+                );
+            }
             // SAFETY: This invocation of `NonNull::as_ref` satisfies its
             // documented safety preconditions:
             //
@@ -323,6 +332,15 @@ mod _conversions {
         #[allow(clippy::wrong_self_convention)]
         pub(crate) fn as_mut(self) -> &'a mut T {
             let mut raw = self.as_inner().as_non_null();
+            // SAFETY: `self` satisfies the `Aligned` invariant, so we know that
+            // `raw` is validly-aligned for `T`.
+            #[cfg(miri)]
+            unsafe {
+                crate::util::miri_promise_symbolic_alignment(
+                    raw.as_ptr().cast(),
+                    core::mem::align_of_val_raw(raw.as_ptr()),
+                );
+            }
             // SAFETY: This invocation of `NonNull::as_mut` satisfies its
             // documented safety preconditions:
             //
diff --git a/src/util/mod.rs b/src/util/mod.rs
@@ -52,6 +52,19 @@ impl<T: ?Sized> Clone for SendSyncPhantomData<T> {
     }
 }
 
+#[cfg(miri)]
+extern "Rust" {
+    /// Miri-provided intrinsic that marks the pointer `ptr` as aligned to
+    /// `align`.
+    ///
+    /// This intrinsic is used to inform Miri's symbolic alignment checker that
+    /// a pointer is aligned, even if Miri cannot statically deduce that fact.
+    /// This is often required when performing raw pointer arithmetic or casts
+    /// where the alignment is guaranteed by runtime checks or invariants that
+    /// Miri is not aware of.
+    pub(crate) fn miri_promise_symbolic_alignment(ptr: *const (), align: usize);
+}
+
 pub(crate) trait AsAddress {
     fn addr(self) -> usize;
 }

Original file line number	Diff line number	Diff line change
`@@ -52,6 +52,19 @@ impl<T: ?Sized> Clone for SendSyncPhantomData<T> {`
`52`	`52`	`}`
`53`	`53`	`}`
`54`	`54`
	`55`	`+#[cfg(miri)]`
	`56`	`+extern "Rust" {`
	`57`	+ /// Miri-provided intrinsic that marks the pointer `ptr` as aligned to
	`58`	+ /// `align`.
	`59`	`+ ///`
	`60`	`+ /// This intrinsic is used to inform Miri's symbolic alignment checker that`
	`61`	`+ /// a pointer is aligned, even if Miri cannot statically deduce that fact.`
	`62`	`+ /// This is often required when performing raw pointer arithmetic or casts`
	`63`	`+ /// where the alignment is guaranteed by runtime checks or invariants that`
	`64`	`+ /// Miri is not aware of.`
	`65`	`+ pub(crate) fn miri_promise_symbolic_alignment(ptr: *const (), align: usize);`
	`66`	`+}`
	`67`	`+`
`55`	`68`	`pub(crate) trait AsAddress {`
`56`	`69`	`fn addr(self) -> usize;`
`57`	`70`	`}`