Fix undefined behavior in deferred component insertions

Detected by Miri.

Author: Shatur

CHANGELOG.md

@@ -7,6 +7,10 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 
 ## [Unreleased]
 
+### Fixed
+
+- Deferred component insertions no longer cause undefined behavior.
+
 ## [0.39.3] - 2026-04-01
 
 ### Fixed

Cargo.toml

@@ -38,6 +38,7 @@ typeid = "1.0"
 bytes = { version = "1.10", default-features = false }
 serde = { version = "1.0", default-features = false }
 bitflags = { version = "2.6", features = ["serde"] }
+bumpalo = "3.20"
 smallbitvec = "2.6"
 postcard = { version = "1.1", default-features = false, features = [
   "experimental-derive",

src/shared/replication/deferred_entity.rs

@@ -1,10 +1,11 @@
-use core::{alloc::Layout, ptr::NonNull};
+use core::ptr::NonNull;
 
 use bevy::{
     ecs::component::{ComponentId, Mutable},
     prelude::*,
-    ptr::PtrMut,
+    ptr::OwningPtr,
 };
+use bumpalo::Bump;
 
 /// Like [`EntityWorldMut`], but buffers all structural changes.
 ///
@@ -106,9 +107,9 @@ impl DeferredChanges {
 /// Buffered insertions stored in type-erased way.
 #[derive(Default)]
 pub(crate) struct DeferredInsertions {
+    ptrs: Vec<NonNull<u8>>,
     ids: Vec<ComponentId>,
-    offsets: Vec<usize>,
-    data: Vec<u8>,
+    bump: Bump,
 }
 
 impl DeferredInsertions {
@@ -119,39 +120,14 @@ impl DeferredInsertions {
     /// Component ID should correspond to the passed type, otherwise [`Self::apply`] won't
     /// write the data correctly.
     unsafe fn insert<C: Component>(&mut self, component: C, component_id: ComponentId) {
-        let layout = Layout::new::<C>();
-
-        // If items would otherwise not be aligned, add alignment.
-        let align = layout.align();
-        let extra_offset = if !self.data.len().is_multiple_of(align) {
-            align - (self.data.len() % align)
-        } else {
-            0
-        };
-
-        let grow = layout.size() + extra_offset;
-        let offset = self.data.len() + extra_offset;
-
+        let ptr: NonNull<_> = self.bump.alloc(component).into();
+        self.ptrs.push(ptr.cast());
         self.ids.push(component_id);
-        self.offsets.push(offset);
-        self.data.resize(self.data.len() + grow, 0);
-
-        // SAFETY: pointer references a properly allocated memory.
-        unsafe {
-            let ptr = self.data.as_mut_ptr().byte_add(offset) as *mut C;
-            ptr.write(component);
-        }
     }
 
     fn apply(&mut self, entity: &mut EntityWorldMut) {
-        // SAFETY: iterator produces valid pointers for each component ID.
-        unsafe {
-            let iter = self.offsets.iter().map(|&offset| {
-                let ptr = PtrMut::new(NonNull::new_unchecked(self.data.as_mut_ptr()));
-                ptr.byte_add(offset).promote()
-            });
-            entity.insert_by_ids(&self.ids, iter);
-        }
+        // SAFETY: each pointer is valid and points to a value of the type corresponding to its ID.
+        unsafe { entity.insert_by_ids(&self.ids, self.ptrs.iter().map(|&p| OwningPtr::new(p))) };
     }
 
     fn is_empty(&self) -> bool {
@@ -160,11 +136,14 @@ impl DeferredInsertions {
 
     fn clear(&mut self) {
         self.ids.clear();
-        self.offsets.clear();
-        self.data.clear();
+        self.ptrs.clear();
+        self.bump.reset();
     }
 }
 
+// SAFETY: `NonNull` pointers are unique and allocated by a private arena.
+unsafe impl Send for DeferredInsertions {}
+
 #[cfg(test)]
 mod tests {
     use alloc::sync::Arc;