From f5421609d6acd3512b5d06eb2e7d93437432cdd5 Mon Sep 17 00:00:00 2001
From: Ralf Jung <post@ralfj.de>
Date: Tue, 17 Feb 2026 15:13:58 +0100
Subject: [PATCH] Miri: recursive validity: also recurse into Boxes

---
 compiler/rustc_const_eval/src/interpret/validity.rs |  7 +------
 .../fail/validity/recursive-validity-box-bool.rs    |  8 ++++++++
 .../validity/recursive-validity-box-bool.stderr     | 13 +++++++++++++
 3 files changed, 22 insertions(+), 6 deletions(-)
 create mode 100644 src/tools/miri/tests/fail/validity/recursive-validity-box-bool.rs
 create mode 100644 src/tools/miri/tests/fail/validity/recursive-validity-box-bool.stderr

diff --git a/compiler/rustc_const_eval/src/interpret/validity.rs b/compiler/rustc_const_eval/src/interpret/validity.rs
index 5d8ae42f5ecc..6fc8d5ef8f96 100644
--- a/compiler/rustc_const_eval/src/interpret/validity.rs
+++ b/compiler/rustc_const_eval/src/interpret/validity.rs
@@ -647,13 +647,8 @@ impl<'rt, 'tcx, M: Machine<'tcx>> ValidityVisitor<'rt, 'tcx, M> {
                 }
             } else {
                 // This is not CTFE, so it's Miri with recursive checking.
-                // FIXME: we do *not* check behind boxes, since creating a new box first creates it uninitialized
-                // and then puts the value in there, so briefly we have a box with uninit contents.
-                // FIXME: should we also skip `UnsafeCell` behind shared references? Currently that is not
+                // FIXME: should we also `UnsafeCell` behind shared references? Currently that is not
                 // needed since validation reads bypass Stacked Borrows and data race checks.
-                if matches!(ptr_kind, PointerKind::Box) {
-                    return interp_ok(());
-                }
             }
             let path = &self.path;
             ref_tracking.track(place, || {
diff --git a/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.rs b/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.rs
new file mode 100644
index 000000000000..dee2c9aad2c7
--- /dev/null
+++ b/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.rs
@@ -0,0 +1,8 @@
+//@compile-flags: -Zmiri-recursive-validation
+
+fn main() {
+    let x = 3u8;
+    let xref = &x;
+    let xref_wrong_type: Box<bool> = unsafe { std::mem::transmute(xref) }; //~ERROR: encountered 0x03, but expected a boolean
+    let _val = *xref_wrong_type;
+}
diff --git a/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.stderr b/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.stderr
new file mode 100644
index 000000000000..d658909efd93
--- /dev/null
+++ b/src/tools/miri/tests/fail/validity/recursive-validity-box-bool.stderr
@@ -0,0 +1,13 @@
+error: Undefined Behavior: constructing invalid value at .<deref>: encountered 0x03, but expected a boolean
+  --> tests/fail/validity/recursive-validity-box-bool.rs:LL:CC
+   |
+LL |     let xref_wrong_type: Box<bool> = unsafe { std::mem::transmute(xref) };
+   |                                               ^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+