Hi,

I saw your talk at EuroConf 2022 and was ~~horrified~~ surprised to see that you were using MaybeUninit::uninit().assume_init(), this is completely UB and is equivalent to using std::mem::uninitialized whish was deprecated for being UB.

From the std docs:

The compiler, in general, assumes that a variable is properly initialized according to the requirements of the variable’s type. For example, a variable of reference type must be aligned and non-null. This is an invariant that must always be upheld, even in unsafe code. And no matter whether that reference ever gets used to access memory.

For more information's you can also read Ralf blog post: "What The Hardware Does" is not What Your Program Does: Uninitialized Memory.

It's possible to cause UB in safe code, by implementing NtListElement by hand and providing a wrong offset. Here is a MRE:

use nt_list::single_list::{NtSingleList, NtBoxingSingleListHead, NtSingleListEntry};
use nt_list::{NtListElement, NtBoxedListElement};

#[derive(NtSingleList)]
enum MyList {}

struct MyElement(NtSingleListEntry<Self, MyList>); // Not even `repr(C)` :)

impl NtListElement<MyList> for MyElement {
    fn offset() -> usize { 1000000 }
}

impl NtBoxedListElement for MyElement { type L = MyList; }

fn main() {
    let mut list = NtBoxingSingleListHead::new();

    list.push_front(MyElement(Default::default()));
}

; cargo run
   Compiling nt-list-ub v0.1.0 (/home/waffle/projects/repos/nt-list-ub)
    Finished dev [unoptimized + debuginfo] target(s) in 1.06s
     Running `target/debug/nt-list-ub`
zsh: segmentation fault (core dumped)  cargo run

At the very least traits that unsafe code uses should be unsafe.

int2ptr casts obscure the code and make it quite hard to analyze with tools like miri. It doesn't seem like you really need them (an artifact of C past?), so this PR removes them (replacing with pointer offsets).

I had added an extra line to mention the "alloc" feature for all symbols of the boxing module: https://github.com/ColinFinck/nt-list/blob/c9f48d45dde2ce42ef5ea460265d14a1c2e6b023/nt-list/src/list/mod.rs#L69-L71

However, this wasn't picked up: https://docs.rs/nt-list/0.1.0/nt_list/list/struct.NtBoxingListHead.html

This should be fixed once I figure out why this didn't work and how to fix it.

Even if you use the library as intended, with derives and fully safe code, it still causes UB, according to miri and SB:

use nt_list::single_list::{NtSingleList, NtBoxingSingleListHead, NtSingleListEntry};
use nt_list::NtListElement;

#[derive(NtSingleList)]
enum MyList {}

#[derive(NtListElement)]
#[repr(C)]
struct MyElement { 
    #[boxed] 
    _entry: NtSingleListEntry<Self, MyList>
}

fn main() {
    let mut list = NtBoxingSingleListHead::new();

    list.push_front(MyElement { _entry: Default::default() });
}

; cargo miri run
Preparing a sysroot for Miri (target: x86_64-unknown-linux-gnu)... done
    Finished dev [unoptimized + debuginfo] target(s) in 0.02s
     Running `/home/waffle/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/bin/cargo-miri runner target/miri/x86_64-unknown-linux-gnu/debug/nt-list-ub`
error: Undefined Behavior: trying to retag from <3005> for Unique permission at alloc1496[0x0], but that tag only grants SharedReadOnly permission for this location
   --> /home/waffle/projects/repos/nt-list/nt-list/src/single_list/base.rs:272:18
    |
272 |         unsafe { &mut *(self.element_ptr() as *mut E) }
    |                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    |                  |
    |                  trying to retag from <3005> for Unique permission at alloc1496[0x0], but that tag only grants SharedReadOnly permission for this location
    |                  this error occurs as part of retag at alloc1496[0x0..0x8]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <3005> was created by a SharedReadOnly retag at offsets [0x0..0x8]
   --> src/main.rs:18:1
    |
18  | }
    | ^
    = note: BACKTRACE:
    = note: inside `nt_list::single_list::NtSingleListEntry::<MyElement, MyList>::containing_record_mut` at /home/waffle/projects/repos/nt-list/nt-list/src/single_list/base.rs:272:18
    = note: inside `<nt_list::single_list::IterMut<'_, MyElement, MyList> as std::iter::Iterator>::next` at /home/waffle/projects/repos/nt-list/nt-list/src/single_list/base.rs:231:31
    = note: inside `<nt_list::single_list::NtBoxingSingleListHead<MyElement, MyList> as std::ops::Drop>::drop` at /home/waffle/projects/repos/nt-list/nt-list/src/single_list/boxing.rs:179:24
    = note: inside `std::ptr::drop_in_place::<nt_list::single_list::NtBoxingSingleListHead<MyElement, MyList>> - shim(Some(nt_list::single_list::NtBoxingSingleListHead<MyElement, MyList>))` at /home/waffle/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/ptr/mod.rs:491:1
note: inside `main` at src/main.rs:18:1
   --> src/main.rs:18:1
    |
18  | }
    | ^

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to previous error

I'm not sure what exactly is the problem, but the way this library derives pointers is incorrect according to the rules (TM). Note that tests don't pass under miri either:

; cargo miri test   
Preparing a sysroot for Miri (target: x86_64-unknown-linux-gnu)... done
    Finished test [unoptimized + debuginfo] target(s) in 0.02s
     Running unittests src/lib.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/nt_list-9ea035d0fbb79076)

running 11 tests
test list::boxing::tests::test_append ... error: Undefined Behavior: trying to retag from <198784> for SharedReadOnly permission at alloc80736[0x0], but that tag does not exist in the borrow stack for this location
   --> nt-list/src/list/base.rs:461:18
    |
461 |         unsafe { &*self.element_ptr() }
    |                  ^^^^^^^^^^^^^^^^^^^^
    |                  |
    |                  trying to retag from <198784> for SharedReadOnly permission at alloc80736[0x0], but that tag does not exist in the borrow stack for this location
    |                  this error occurs as part of retag at alloc80736[0x0..0x18]
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <198784> was created by a SharedReadOnly retag at offsets [0x8..0x18]
   --> nt-list/src/list/base.rs:469:19
    |
469 |         let ptr = self as *const Self;
    |                   ^^^^
    = note: BACKTRACE:
    = note: inside `list::base::NtListEntry::<list::boxing::tests::MyElement, list::boxing::tests::MyList>::containing_record` at nt-list/src/list/base.rs:461:18
note: inside `<list::base::Iter<'_, list::boxing::tests::MyElement, list::boxing::tests::MyList> as core::iter::Iterator>::next` at nt-list/src/list/base.rs:299:31
   --> nt-list/src/list/base.rs:299:31
    |
299 |                 let element = (*self.flink).containing_record();
    |                               ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
    = note: inside `<list::base::Iter<'_, list::boxing::tests::MyElement, list::boxing::tests::MyList> as core::iter::Iterator>::fold::<usize, [closure@<list::base::Iter<'_, list::boxing::tests::MyElement, list::boxing::tests::MyList> as core::iter::Iterator>::count::{closure#0}]>` at /home/waffle/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:2413:29
    = note: inside `<list::base::Iter<'_, list::boxing::tests::MyElement, list::boxing::tests::MyList> as core::iter::Iterator>::count` at /home/waffle/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/iter/traits/iterator.rs:256:9
note: inside `list::base::NtListHead::<list::boxing::tests::MyElement, list::boxing::tests::MyList>::len` at nt-list/src/list/base.rs:174:9
   --> nt-list/src/list/base.rs:174:9
    |
174 |         self.iter().count()
    |         ^^^^^^^^^^^^^^^^^^^
note: inside `list::boxing::NtBoxingListHead::<list::boxing::tests::MyElement, list::boxing::tests::MyList>::len` at nt-list/src/list/boxing.rs:162:18
   --> nt-list/src/list/boxing.rs:162:18
    |
162 |         unsafe { self.inner().len() }
    |                  ^^^^^^^^^^^^^^^^^^
note: inside `list::boxing::tests::test_append` at nt-list/src/list/boxing.rs:307:20
   --> nt-list/src/list/boxing.rs:307:20
    |
307 |         assert_eq!(list1.as_ref().len(), 20);
    |                    ^^^^^^^^^^^^^^^^^^^^
note: inside closure at nt-list/src/list/boxing.rs:293:5
   --> nt-list/src/list/boxing.rs:293:5
    |
292 |       #[test]
    |       ------- in this procedural macro expansion
293 | /     fn test_append() {
294 | |         // Append two lists of equal size.
295 | |         moveit! {
296 | |             let mut list1 = NtBoxingListHead::<MyElement, MyList>::new();
...   |
326 | |         verify_all_links(list3.as_ref().inner());
327 | |     }
    | |_____^
    = note: this error originates in the attribute macro `test` (in Nightly builds, run with -Z macro-backtrace for more info)

note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

error: aborting due to previous error

error: test failed, to rerun pass `-p nt-list --lib`

Caused by:
  process didn't exit successfully: `/home/waffle/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/bin/cargo-miri runner /home/waffle/projects/repos/nt-list/target/miri/x86_64-unknown-linux-gnu/debug/deps/nt_list-9ea035d0fbb79076` (exit status: 1)

I would highly recommend running miri in CI and while developing, to avoid issues like this in the future :)