This function

pub fn foo(x: Box<i32>) { drop(x); }

compiles to

define void @_ZN10playground3foo17h15d47dec4ef032baE(i32* noalias align 4 dereferenceable(4)) unnamed_addr #1 !dbg !148 { start: %x = alloca i32*, align 8 store i32* %0, i32** %x, align 8 call void @llvm.dbg.declare(metadata i32** %x, metadata !150, metadata !DIExpression()), !dbg !151 %1 = load i32*, i32** %x, align 8, !dbg !152, !nonnull !4 ; call core::mem::drop call void @_ZN4core3mem4drop17had227526e86e8e2bE(i32* noalias align 4 dereferenceable(4) %1), !dbg !153 br label %bb1, !dbg !153 bb1: ; preds = %start ret void, !dbg !154 } 

Notice the dereferenceable attribute! Under current LLVM semantics, this means "dereferenceable for the entire duration of this function body". That is, clearly, not accurate.

This issue is closely related to #55005, but affects all Box instead of just a few uses of references, so I felt it is a separate discussion.

I propose we remove the dereferencable attribute from Box for now. It seems like the situation might improve with future LLVM versions, but we should first make things sound.

Thanks to @HadrienG2 for pointing this out. Cc @rust-lang/wg-unsafe-code-guidelines