fix aliasing UB, layout UB, and incorrect initialization UB

Morgane55440 · Morgane55440 · commit 9de204a4972c · 2026-06-02T22:28:11.000+02:00
diff --git a/src/data/graph.rs b/src/data/graph.rs
@@ -146,12 +146,10 @@ fn index_twice<T>(arr: &mut [T], a: usize, b: usize) -> Pair<&mut T> {
     } else if a == b {
         Pair::One(&mut arr[max(a, b)])
     } else {
-        // safe because a, b are in bounds and distinct
-        unsafe {
-            let ar = &mut *(arr.get_unchecked_mut(a) as *mut _);
-            let br = &mut *(arr.get_unchecked_mut(b) as *mut _);
-            Pair::Both(ar, br)
-        }
+        // can't panic because a, b are in bounds and distinct
+        let [ar,br] = arr.get_disjoint_mut([a,b]).unwrap();
+        Pair::Both(ar, br)
+        
     }
 }
 
diff --git a/src/dynamics/joint/multibody_joint/multibody.rs b/src/dynamics/joint/multibody_joint/multibody.rs
@@ -30,6 +30,11 @@ impl Force {
     }
 
     fn as_vector(&self) -> &SVector<Real, SPATIAL_DIM> {
+        // SAFETY : this is safe because :
+        // - Force is repr(C)
+        // - Vector is repr(C)
+        // - AngVector is repr(C) or Real
+        // - total size in Reals is SPATIAL_DIM
         unsafe { core::mem::transmute(self) }
     }
 }
diff --git a/src/dynamics/rigid_body_components.rs b/src/dynamics/rigid_body_components.rs
@@ -504,6 +504,7 @@ impl RigidBodyMassProps {
 
 #[cfg_attr(feature = "serde-serialize", derive(Serialize, Deserialize))]
 #[derive(Clone, Debug, Copy, PartialEq)]
+#[repr(C)]
 /// The velocities of this rigid-body.
 pub struct RigidBodyVelocity<T: ScalarType> {
     /// The linear velocity of the rigid-body.
@@ -593,6 +594,11 @@ impl RigidBodyVelocity<Real> {
     #[inline]
     #[cfg(feature = "dim2")]
     pub fn as_vector(&self) -> &na::Vector3<Real> {
+        // SAFETY : this is safe because :
+        // - RigidBodyVelocity is repr(C)
+        // - the vector types used are repr(C)
+        // - the only non vector type is Real
+        // - total size in Reals is 3
         unsafe { core::mem::transmute(self) }
     }
 
@@ -602,6 +608,11 @@ impl RigidBodyVelocity<Real> {
     #[inline]
     #[cfg(feature = "dim2")]
     pub fn as_vector_mut(&mut self) -> &mut na::Vector3<Real> {
+        // SAFETY : this is safe because :
+        // - RigidBodyVelocity is repr(C)
+        // - the vector types used are repr(C)
+        // - the only non vector type is Real
+        // - total size in Reals is 3
         unsafe { core::mem::transmute(self) }
     }
 
@@ -611,6 +622,11 @@ impl RigidBodyVelocity<Real> {
     #[inline]
     #[cfg(feature = "dim3")]
     pub fn as_vector(&self) -> &na::Vector6<Real> {
+        // SAFETY : this is safe because :
+        // - RigidBodyVelocity is repr(C)
+        // - the vector types used are repr(C)
+        // - the only non vector type is Real
+        // - total size in Reals is 6
         unsafe { core::mem::transmute(self) }
     }
 
@@ -620,6 +636,11 @@ impl RigidBodyVelocity<Real> {
     #[inline]
     #[cfg(feature = "dim3")]
     pub fn as_vector_mut(&mut self) -> &mut na::Vector6<Real> {
+        // SAFETY : this is safe because :
+        // - RigidBodyVelocity is repr(C)
+        // - the vector types used are repr(C)
+        // - the only non vector type is Real
+        // - total size in Reals is 6
         unsafe { core::mem::transmute(self) }
     }
 
diff --git a/src/dynamics/solver/mod.rs b/src/dynamics/solver/mod.rs
@@ -34,12 +34,7 @@ mod velocity_solver;
 
 // TODO: SAFETY: restrict with bytemuck::Zeroable to make this safe.
 pub unsafe fn reset_buffer<T>(buffer: &mut Vec<T>, len: usize) {
-    buffer.clear();
-    buffer.reserve(len);
+    buffer.clear();   
 
-    unsafe {
-        // NOTE: writing zeros is faster than u8::MAX.
-        buffer.as_mut_ptr().write_bytes(0, len);
-        buffer.set_len(len);
-    }
+    buffer.resize_with(len, || unsafe { core::mem::zeroed()})
 }
diff --git a/src/utils/index_mut2.rs b/src/utils/index_mut2.rs
@@ -25,14 +25,7 @@ pub trait IndexMut2<I>: IndexMut<I> {
 impl<T> IndexMut2<usize> for Vec<T> {
     #[inline]
     fn index_mut2(&mut self, i: usize, j: usize) -> (&mut T, &mut T) {
-        assert!(i != j, "Unable to index the same element twice.");
-        assert!(i < self.len() && j < self.len(), "Index out of bounds.");
-
-        unsafe {
-            let a = &mut *(self.get_unchecked_mut(i) as *mut _);
-            let b = &mut *(self.get_unchecked_mut(j) as *mut _);
-            (a, b)
-        }
+        <[T]>::index_mut2(self, i,j)
     }
 }
 
@@ -42,10 +35,8 @@ impl<T> IndexMut2<usize> for [T] {
         assert!(i != j, "Unable to index the same element twice.");
         assert!(i < self.len() && j < self.len(), "Index out of bounds.");
 
-        unsafe {
-            let a = &mut *(self.get_unchecked_mut(i) as *mut _);
-            let b = &mut *(self.get_unchecked_mut(j) as *mut _);
-            (a, b)
-        }
+        // cannot panic, per the above checks
+        let [a,b] = self.get_disjoint_mut([i,j]).unwrap();
+        (a,b)
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -30,6 +30,11 @@ impl Force {`
`30`	`30`	`}`
`31`	`31`
`32`	`32`	`fn as_vector(&self) -> &SVector<Real, SPATIAL_DIM> {`
	`33`	`+ // SAFETY : this is safe because :`
	`34`	`+ // - Force is repr(C)`
	`35`	`+ // - Vector is repr(C)`
	`36`	`+ // - AngVector is repr(C) or Real`
	`37`	`+ // - total size in Reals is SPATIAL_DIM`
`33`	`38`	`unsafe { core::mem::transmute(self) }`
`34`	`39`	`}`
`35`	`40`	`}`