fix UB from pointer-interconvertibility issue in __detail::__op_state implementation (#1478)

ericniebler · web-flow · commit e8a6a7b25fbc · 2025-02-24T14:36:15.000-08:00
The current implementation casts from a pointer to the first member of a struct (`__state_box::__state_`) to a pointer to the containing struct (`__state_box`), but that is only valid if `__state_box::__state_` is standard layout, which is not guaranteed.

This PR changes `__state_box::__state_` into a byte array, into which the state object is emplaced. That makes `__state_box` a standard layout type unconditionally, which makes the cast from the member to the enclosing struct well-defined.
diff --git a/include/stdexec/__detail/__basic_sender.hpp b/include/stdexec/__detail/__basic_sender.hpp
@@ -28,6 +28,7 @@
 
 #include <utility> // for tuple_size/tuple_element
 #include <cstddef>
+#include <new> // IWYU pragma: keep for placement new
 #include <type_traits>
 
 namespace stdexec {
@@ -235,11 +236,26 @@ namespace stdexec {
       using __state_t = __state_type_t<__tag_t, _Sexpr, _Receiver>;
 
       __state_box(_Sexpr&& __sndr, _Receiver& __rcvr) //
-        noexcept(__nothrow_callable<decltype(__sexpr_impl<__tag_t>::get_state), _Sexpr, _Receiver>)
-        : __state_(__sexpr_impl<__tag_t>::get_state(static_cast<_Sexpr&&>(__sndr), __rcvr)) {
+        noexcept(__nothrow_callable<decltype(__sexpr_impl<__tag_t>::get_state), _Sexpr, _Receiver>) {
+        ::new (static_cast<void*>(__buf_)) auto(
+          __sexpr_impl<__tag_t>::get_state(static_cast<_Sexpr&&>(__sndr), __rcvr));
       }
 
-      __state_t __state_;
+      ~__state_box() {
+        reinterpret_cast<__state_t*>(__buf_)->~__state_t();
+      }
+
+      STDEXEC_ATTRIBUTE((always_inline)) auto __state() & noexcept -> __state_t& {
+        return *reinterpret_cast<__state_t*>(__buf_);
+      }
+
+      STDEXEC_ATTRIBUTE((always_inline)) auto __state() const & noexcept -> const __state_t& {
+        return *reinterpret_cast<const __state_t*>(__buf_);
+      }
+
+      // We use a buffer to store the state object to make __state_box a standard-layout type
+      // regardless of whether __state_t is standard-layout or not.
+      alignas(__state_t) std::byte __buf_[sizeof(__state_t)]; // NOLINT(modernize-avoid-c-arrays)
     };
 
     template <class _Sexpr, class _Receiver, class _State>
@@ -250,6 +266,8 @@ namespace stdexec {
 #endif
       auto __receiver() noexcept -> decltype(auto) {
         void* __state = static_cast<_State*>(this);
+        // The following cast use the pointer-interconvertibility between the __state_box::__buf_
+        // member and the containing __state_box object itself.
         auto* __sbox = static_cast<__state_box<_Sexpr, _Receiver>*>(__state);
         return (static_cast<__op_base<_Sexpr, _Receiver>*>(__sbox)->__rcvr_);
       }
@@ -279,6 +297,14 @@ namespace stdexec {
         , __state_(__sexpr_impl<__tag_t>::get_state(static_cast<_Sexpr&&>(__sndr), __rcvr_)) {
       }
 
+      STDEXEC_ATTRIBUTE((always_inline)) auto __state() & noexcept -> __state_t& {
+        return __state_;
+      }
+
+      STDEXEC_ATTRIBUTE((always_inline)) auto __state() const & noexcept -> const __state_t& {
+        return __state_;
+      }
+
       STDEXEC_ATTRIBUTE((always_inline)) auto __rcvr() & noexcept -> _Receiver& {
         return __rcvr_;
       }
@@ -302,6 +328,9 @@ namespace stdexec {
         noexcept(__nothrow_decay_copyable<_Receiver> && __nothrow_move_constructible<__state_t>)
         : __receiver_box<_Receiver>{static_cast<_Receiver&&>(__rcvr)}
         , __state_box<_Sexpr, _Receiver>{static_cast<_Sexpr&&>(__sndr), this->__rcvr_} {
+        // This is necessary to ensure that the state object is pointer-interconvertible
+        // with the __state_box object for the sake of __enable_receiver_from_this.
+        static_assert(std::is_standard_layout_v<__state_box<_Sexpr, _Receiver>>);
       }
     };
 
@@ -391,7 +420,7 @@ namespace stdexec {
         auto&& __rcvr = this->__rcvr();
         __inner_ops_.apply(
           [&](auto&... __ops) noexcept {
-            __sexpr_impl<__tag_t>::start(this->__state_, __rcvr, __ops...);
+            __sexpr_impl<__tag_t>::start(this->__state(), __rcvr, __ops...);
           },
           __inner_ops_);
       }
@@ -405,15 +434,15 @@ namespace stdexec {
           __sexpr_impl<__tag_t>::complete(_Index(), *this, _Tag2(), static_cast<_Args&&>(__args)...);
         } else {
           __sexpr_impl<__tag_t>::complete(
-            _Index(), this->__state_, __rcvr, _Tag2(), static_cast<_Args&&>(__args)...);
+            _Index(), this->__state(), __rcvr, _Tag2(), static_cast<_Args&&>(__args)...);
         }
       }
 
       template <class _Index>
       STDEXEC_ATTRIBUTE((always_inline)) auto __get_env(_Index) const noexcept
         -> __env_type_t<_Index, __tag_t, _Index, _Sexpr, _Receiver> {
         const auto& __rcvr = this->__rcvr();
-        return __sexpr_impl<__tag_t>::get_env(_Index(), this->__state_, __rcvr);
+        return __sexpr_impl<__tag_t>::get_env(_Index(), this->__state(), __rcvr);
       }
     };
 
