Auto merge of #144081 - RalfJung:const-ptr-fragments, r=oli-obk

const-eval: full support for pointer fragments

This fixes rust-lang/const-eval#72 and makes `swap_nonoverlapping` fully work in const-eval by enhancing per-byte provenance tracking with tracking of *which* of the bytes of the pointer this one is. Later, if we see all the same bytes in the exact same order, we can treat it like a whole pointer again without ever risking a leak of the data bytes (that encode the offset into the allocation). This lifts the limitation that was discussed quite a bit in rust-lang/rust#137280.

For a concrete piece of code that used to fail and now works properly consider this example doing a byte-for-byte memcpy in const without using intrinsics:
```rust
use std::{mem::{self, MaybeUninit}, ptr};

type Byte = MaybeUninit<u8>;

const unsafe fn memcpy(dst: *mut Byte, src: *const Byte, n: usize) {
    let mut i = 0;
    while i < n {
        *dst.add(i) = *src.add(i);
        i += 1;
    }
}

const _MEMCPY: () = unsafe {
    let ptr = &42;
    let mut ptr2 = ptr::null::<i32>();
    // Copy from ptr to ptr2.
    memcpy(&mut ptr2 as *mut _ as *mut _, &ptr as *const _ as *const _, mem::size_of::<&i32>());
    assert!(*ptr2 == 42);
};
```
What makes this code tricky is that pointers are "opaque blobs" in const-eval, we cannot just let people look at the individual bytes since *we don't know what those bytes look like* -- that depends on the absolute address the pointed-to object will be placed at. The code above "breaks apart" a pointer into individual bytes, and then puts them back together in the same order elsewhere. This PR implements the logic to properly track how those individual bytes relate to the original pointer, and to recognize when they are in the right order again.

We still reject constants where the final value contains a not-fully-put-together pointer: I have no idea how one could construct an LLVM global where one byte is defined as "the 3rd byte of a pointer to that other global over there" -- and even if LLVM supports this somehow, we can leave implementing that to a future PR. It seems unlikely to me anyone would even want this, but who knows.^^

This also changes the behavior of Miri, by tracking the order of bytes with provenance and only considering a pointer to have valid provenance if all bytes are in the original order again. This is related to rust-lang/unsafe-code-guidelines#558. It means one cannot implement XOR linked lists with strict provenance any more, which is however only of theoretical interest. Practically I am curious if anyone will show up with any code that Miri now complains about - that would be interesting data. Cc `@rust-lang/opsem`

Author: bors

src/machine.rs

@@ -280,16 +280,16 @@ impl interpret::Provenance for Provenance {
         Ok(())
     }
 
-    fn join(left: Option<Self>, right: Option<Self>) -> Option<Self> {
+    fn join(left: Self, right: Self) -> Option<Self> {
         match (left, right) {
             // If both are the *same* concrete tag, that is the result.
             (
-                Some(Provenance::Concrete { alloc_id: left_alloc, tag: left_tag }),
-                Some(Provenance::Concrete { alloc_id: right_alloc, tag: right_tag }),
-            ) if left_alloc == right_alloc && left_tag == right_tag => left,
+                Provenance::Concrete { alloc_id: left_alloc, tag: left_tag },
+                Provenance::Concrete { alloc_id: right_alloc, tag: right_tag },
+            ) if left_alloc == right_alloc && left_tag == right_tag => Some(left),
             // If one side is a wildcard, the best possible outcome is that it is equal to the other
             // one, and we use that.
-            (Some(Provenance::Wildcard), o) | (o, Some(Provenance::Wildcard)) => o,
+            (Provenance::Wildcard, o) | (o, Provenance::Wildcard) => Some(o),
             // Otherwise, fall back to `None`.
             _ => None,
         }

src/shims/native_lib/mod.rs

@@ -246,7 +246,7 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
                         let p_map = alloc.provenance();
                         for idx in overlap {
                             // If a provenance was read by the foreign code, expose it.
-                            if let Some(prov) = p_map.get(Size::from_bytes(idx), this) {
+                            if let Some((prov, _idx)) = p_map.get_byte(Size::from_bytes(idx), this) {
                                 this.expose_provenance(prov)?;
                             }
                         }

tests/fail/provenance/mix-ptrs1.rs

@@ -0,0 +1,21 @@
+use std::{mem, ptr};
+
+const PTR_SIZE: usize = mem::size_of::<&i32>();
+
+fn main() {
+    unsafe {
+        let ptr = &0 as *const i32;
+        let arr = [ptr; 2];
+        // We want to do a scalar read of a pointer at offset PTR_SIZE/2 into this array. But we
+        // cannot use a packed struct or `read_unaligned`, as those use the memcpy code path in
+        // Miri. So instead we shift the entire array by a bit and then the actual read we want to
+        // do is perfectly aligned.
+        let mut target_arr = [ptr::null::<i32>(); 3];
+        let target = target_arr.as_mut_ptr().cast::<u8>();
+        target.add(PTR_SIZE / 2).cast::<[*const i32; 2]>().write_unaligned(arr);
+        // Now target_arr[1] is a mix of the two `ptr` we had stored in `arr`.
+        // They all have the same provenance, but not in the right order, so we reject this.
+        let strange_ptr = target_arr[1];
+        assert_eq!(*strange_ptr.with_addr(ptr.addr()), 0); //~ERROR: no provenance
+    }
+}

tests/fail/provenance/mix-ptrs1.stderr

@@ -0,0 +1,16 @@
+error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 4 bytes, but got $HEX[noalloc] which is a dangling pointer (it has no provenance)
+  --> tests/fail/provenance/mix-ptrs1.rs:LL:CC
+   |
+LL |         assert_eq!(*strange_ptr.with_addr(ptr.addr()), 0);
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `main` at RUSTLIB/core/src/macros/mod.rs:LL:CC
+   = note: this error originates in the macro `assert_eq` (in Nightly builds, run with -Z macro-backtrace for more info)
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+

tests/fail/provenance/mix-ptrs2.rs

@@ -0,0 +1,37 @@
+use std::mem;
+
+const PTR_SIZE: usize = mem::size_of::<&i32>();
+
+/// Overwrite one byte of a pointer, then restore it.
+fn main() {
+    unsafe fn ptr_bytes<'x>(ptr: &'x mut *const i32) -> &'x mut [mem::MaybeUninit<u8>; PTR_SIZE] {
+        mem::transmute(ptr)
+    }
+
+    // Returns a value with the same provenance as `x` but 0 for the integer value.
+    // `x` must be initialized.
+    unsafe fn zero_with_provenance(x: mem::MaybeUninit<u8>) -> mem::MaybeUninit<u8> {
+        let ptr = [x; PTR_SIZE];
+        let ptr: *const i32 = mem::transmute(ptr);
+        let mut ptr = ptr.with_addr(0);
+        ptr_bytes(&mut ptr)[0]
+    }
+
+    unsafe {
+        let ptr = &42;
+        let mut ptr = ptr as *const i32;
+        // Get a bytewise view of the pointer.
+        let ptr_bytes = ptr_bytes(&mut ptr);
+
+        // The highest bytes must be 0 for this to work.
+        let hi = if cfg!(target_endian = "little") { ptr_bytes.len() - 1 } else { 0 };
+        assert_eq!(*ptr_bytes[hi].as_ptr().cast::<u8>(), 0);
+        // Overwrite provenance on the last byte.
+        ptr_bytes[hi] = mem::MaybeUninit::new(0);
+        // Restore it from the another byte.
+        ptr_bytes[hi] = zero_with_provenance(ptr_bytes[1]);
+
+        // Now ptr is almost good, except the provenance fragment indices do not work out...
+        assert_eq!(*ptr, 42); //~ERROR: no provenance
+    }
+}

tests/fail/provenance/mix-ptrs2.stderr

@@ -0,0 +1,16 @@
+error: Undefined Behavior: pointer not dereferenceable: pointer must be dereferenceable for 4 bytes, but got $HEX[noalloc] which is a dangling pointer (it has no provenance)
+  --> tests/fail/provenance/mix-ptrs2.rs:LL:CC
+   |
+LL |         assert_eq!(*ptr, 42);
+   |         ^^^^^^^^^^^^^^^^^^^^ Undefined Behavior occurred here
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `main` at RUSTLIB/core/src/macros/mod.rs:LL:CC
+   = note: this error originates in the macro `assert_eq` (in Nightly builds, run with -Z macro-backtrace for more info)
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+

tests/fail/uninit/uninit_alloc_diagnostic_with_provenance.rs

@@ -9,22 +9,21 @@ use std::alloc::{Layout, alloc, dealloc};
 use std::mem::{self, MaybeUninit};
 use std::slice::from_raw_parts;
 
-fn byte_with_provenance<T>(val: u8, prov: *const T) -> MaybeUninit<u8> {
-    let ptr = prov.with_addr(val as usize);
+fn byte_with_provenance<T>(val: u8, prov: *const T, frag_idx: usize) -> MaybeUninit<u8> {
+    let ptr = prov.with_addr(usize::from_ne_bytes([val; _]));
     let bytes: [MaybeUninit<u8>; mem::size_of::<*const ()>()] = unsafe { mem::transmute(ptr) };
-    let lsb = if cfg!(target_endian = "little") { 0 } else { bytes.len() - 1 };
-    bytes[lsb]
+    bytes[frag_idx]
 }
 
 fn main() {
     let layout = Layout::from_size_align(16, 8).unwrap();
     unsafe {
         let ptr = alloc(layout);
         let ptr_raw = ptr.cast::<MaybeUninit<u8>>();
-        *ptr_raw.add(0) = byte_with_provenance(0x42, &42u8);
+        *ptr_raw.add(0) = byte_with_provenance(0x42, &42u8, 0);
         *ptr.add(1) = 0x12;
         *ptr.add(2) = 0x13;
-        *ptr_raw.add(3) = byte_with_provenance(0x43, &0u8);
+        *ptr_raw.add(3) = byte_with_provenance(0x43, &0u8, 1);
         let slice1 = from_raw_parts(ptr, 8);
         let slice2 = from_raw_parts(ptr.add(8), 8);
         drop(slice1.cmp(slice2));

tests/fail/uninit/uninit_alloc_diagnostic_with_provenance.stderr

@@ -17,7 +17,7 @@ LL |         drop(slice1.cmp(slice2));
 
 Uninitialized memory occurred at ALLOC[0x4..0x8], in this allocation:
 ALLOC (Rust heap, size: 16, align: 8) {
-    ╾42[ALLOC]<TAG> (1 ptr byte)╼ 12 13 ╾43[ALLOC]<TAG> (1 ptr byte)╼ __ __ __ __ __ __ __ __ __ __ __ __ │ ━..━░░░░░░░░░░░░
+    ╾42[ALLOC]<TAG> (ptr fragment 0)╼ 12 13 ╾43[ALLOC]<TAG> (ptr fragment 1)╼ __ __ __ __ __ __ __ __ __ __ __ __ │ ━..━░░░░░░░░░░░░
 }
 ALLOC (global (static or const), size: 1, align: 1) {
     2a                                              │ *

tests/native-lib/fail/tracing/partial_init.stderr

@@ -35,7 +35,7 @@ LL |     partial_init();
 
 Uninitialized memory occurred at ALLOC[0x2..0x3], in this allocation:
 ALLOC (stack variable, size: 3, align: 1) {
-    ╾00[wildcard] (1 ptr byte)╼ ╾00[wildcard] (1 ptr byte)╼ __                                        │ ━━░
+    ╾00[wildcard] (ptr fragment 0)╼ ╾00[wildcard] (ptr fragment 0)╼ __                                        │ ━━░
 }
 
 note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace

tests/pass/provenance.rs

@@ -6,7 +6,6 @@ const PTR_SIZE: usize = mem::size_of::<&i32>();
 
 fn main() {
     basic();
-    partial_overwrite_then_restore();
     bytewise_ptr_methods();
     bytewise_custom_memcpy();
     bytewise_custom_memcpy_chunked();
@@ -29,40 +28,6 @@ fn basic() {
     assert_eq!(unsafe { *ptr_back }, 42);
 }
 
-/// Overwrite one byte of a pointer, then restore it.
-fn partial_overwrite_then_restore() {
-    unsafe fn ptr_bytes<'x>(ptr: &'x mut *const i32) -> &'x mut [mem::MaybeUninit<u8>; PTR_SIZE] {
-        mem::transmute(ptr)
-    }
-
-    // Returns a value with the same provenance as `x` but 0 for the integer value.
-    // `x` must be initialized.
-    unsafe fn zero_with_provenance(x: mem::MaybeUninit<u8>) -> mem::MaybeUninit<u8> {
-        let ptr = [x; PTR_SIZE];
-        let ptr: *const i32 = mem::transmute(ptr);
-        let mut ptr = ptr.with_addr(0);
-        ptr_bytes(&mut ptr)[0]
-    }
-
-    unsafe {
-        let ptr = &42;
-        let mut ptr = ptr as *const i32;
-        // Get a bytewise view of the pointer.
-        let ptr_bytes = ptr_bytes(&mut ptr);
-
-        // The highest bytes must be 0 for this to work.
-        let hi = if cfg!(target_endian = "little") { ptr_bytes.len() - 1 } else { 0 };
-        assert_eq!(*ptr_bytes[hi].as_ptr().cast::<u8>(), 0);
-        // Overwrite provenance on the last byte.
-        ptr_bytes[hi] = mem::MaybeUninit::new(0);
-        // Restore it from the another byte.
-        ptr_bytes[hi] = zero_with_provenance(ptr_bytes[1]);
-
-        // Now ptr should be good again.
-        assert_eq!(*ptr, 42);
-    }
-}
-
 fn bytewise_ptr_methods() {
     let mut ptr1 = &1;
     let mut ptr2 = &2;