While some aspects of object layout are specified by the standard, many others are not. In fact, many aspects of object layout are left explicitly implementation-defined, to allow the compiler the flexibility to reorder fields and insert/remove padding as necessary to optimize performance / memory usage. In practice, the compiler uses a deterministic algorithm to calculate object layouts, which only rarely changes. This may hide UB if code relies on object layout, for e.g. when doing FFI calls, or when doing transmutes between types.

Likelihood:

We know of at least one case where the standard library is making such an invalid assumption. It is unlikely that most user-code would take advantage of this, but we have not audited this to determine this for sure.

Mitigation:

• Document the limitation
• Alert on uses of unsafe operations that may violate this:
  • Transmute
  • Pointer offset'

Path to soundness:

Add a soundness checker to detect usages that rely on underspecified object layout.