Rollup merge of #148746 - RalfJung:mutable-ref-in-const, r=davidtwco

const validation: remove check for mutable refs in final value of const

This check rejects code that is not necessarily UB, e.g. a mutable ref to a `static mut` that is very carefully used correctly. That led to us having to describe it in the Reference, which uncovered just how ad-hoc this check is (rust-lang/reference#2074).

Even without this check, we still reject things like
```rust
const C: &mut i32 = &mut 0;
```
This is rejected by const checking -- the part of the frontend that looks at the source code and says whether it is allowed in const context. In the Reference, this restriction is explained [here](https://doc.rust-lang.org/nightly/reference/const_eval.html#r-const-eval.const-expr.borrows).

So, the check during validation is just a safety net. And it is already a safety net with gaping holes since we only check `&mut T`, not `&UnsafeCell<T>`, due to the fact that we promote some immutable values that have `!Freeze` type so `&!Freeze` actually can occur in the final value of a const.

So... it may be time for me to acknowledge that the "mutable ref in final value of const" check is a cure that's worth than the disease. Nobody asked for that check, I just added it because I was worried about soundness issues when we allow mutable references in constants. Originally it was much stricter, but I had to slowly relax it to its current form to prevent t from firing on code we intend to allow. In the end there are only 3 tests left that trigger this error, and they are all just constants containing references to mutable statics -- not the safest code in the world, but also not so bad that we have to spend a lot of time devising a core language limitation and associated Reference wording to prevent it from ever happening.

So... `@rust-lang/wg-const-eval` `@rust-lang/lang`  I propose that we allow code like this
```rust
static mut S: i32 = 3;
const C2: &'static mut i32 = unsafe { &mut * &raw mut S };
```
`@theemathas` would be great if you could try to poke a hole into this. ;)

Author: matthiaskrgr

compiler/rustc_const_eval/messages.ftl

@@ -473,7 +473,6 @@ const_eval_validation_invalid_ref_meta = {$front_matter}: encountered invalid re
 const_eval_validation_invalid_ref_slice_meta = {$front_matter}: encountered invalid reference metadata: slice is bigger than largest supported object
 const_eval_validation_invalid_vtable_ptr = {$front_matter}: encountered {$value}, but expected a vtable pointer
 const_eval_validation_invalid_vtable_trait = {$front_matter}: wrong trait in wide pointer vtable: expected `{$expected_dyn_type}`, but encountered `{$vtable_dyn_type}`
-const_eval_validation_mutable_ref_in_const = {$front_matter}: encountered mutable reference in `const` value
 const_eval_validation_mutable_ref_to_immutable = {$front_matter}: encountered mutable reference or box pointing to read-only memory
 const_eval_validation_never_val = {$front_matter}: encountered a value of the never type `!`
 const_eval_validation_nonnull_ptr_out_of_range = {$front_matter}: encountered a maybe-null pointer, but expected something that is definitely non-zero

compiler/rustc_const_eval/src/errors.rs

@@ -665,7 +665,6 @@ impl<'tcx> ReportErrorExt for ValidationErrorInfo<'tcx> {
             PointerAsInt { .. } => const_eval_validation_pointer_as_int,
             PartialPointer => const_eval_validation_partial_pointer,
             MutableRefToImmutable => const_eval_validation_mutable_ref_to_immutable,
-            MutableRefInConst => const_eval_validation_mutable_ref_in_const,
             NullFnPtr { .. } => const_eval_validation_null_fn_ptr,
             NeverVal => const_eval_validation_never_val,
             NonnullPtrMaybeNull { .. } => const_eval_validation_nonnull_ptr_out_of_range,
@@ -824,7 +823,6 @@ impl<'tcx> ReportErrorExt for ValidationErrorInfo<'tcx> {
                 err.arg("maybe", maybe);
             }
             MutableRefToImmutable
-            | MutableRefInConst
             | NonnullPtrMaybeNull
             | NeverVal
             | UnsafeCellInImmutable

compiler/rustc_const_eval/src/interpret/validity.rs

@@ -639,12 +639,6 @@ impl<'rt, 'tcx, M: Machine<'tcx>> ValidityVisitor<'rt, 'tcx, M> {
                             // This can actually occur with transmutes.
                             throw_validation_failure!(self.path, MutableRefToImmutable);
                         }
-                        // In a const, any kind of mutable reference is not good.
-                        if matches!(self.ctfe_mode, Some(CtfeValidationMode::Const { .. })) {
-                            if ptr_expected_mutbl == Mutability::Mut {
-                                throw_validation_failure!(self.path, MutableRefInConst);
-                            }
-                        }
                     }
                 }
                 // Potentially skip recursive check.

compiler/rustc_middle/src/mir/interpret/error.rs

@@ -496,7 +496,6 @@ pub enum ValidationErrorKind<'tcx> {
     },
     MutableRefToImmutable,
     UnsafeCellInImmutable,
-    MutableRefInConst,
     NullFnPtr {
         /// Records whether this pointer is definitely null or just may be null.
         maybe: bool,

tests/ui/consts/const-mut-refs/mut_ref_in_final.rs

@@ -77,6 +77,36 @@ const RAW_MUT_CAST_C: SyncPtr<i32> = SyncPtr { x : &mut 42 as *mut _ as *const _
 const RAW_MUT_COERCE_C: SyncPtr<i32> = SyncPtr { x: &mut 0 };
 //~^ ERROR mutable borrows of temporaries
 
+// Various cases of dangling references.
+fn dangling() {
+    const fn helper_int2ptr() -> Option<&'static mut i32> { unsafe {
+        // Undefined behaviour (integer as pointer), who doesn't love tests like this.
+        Some(&mut *(42 as *mut i32))
+    } }
+    const INT2PTR: Option<&mut i32> = helper_int2ptr(); //~ ERROR encountered a dangling reference
+    static INT2PTR_STATIC: Option<&mut i32> = helper_int2ptr(); //~ ERROR encountered a dangling reference
+
+    const fn helper_dangling() -> Option<&'static mut i32> { unsafe {
+        // Undefined behaviour (dangling pointer), who doesn't love tests like this.
+        Some(&mut *(&mut 42 as *mut i32))
+    } }
+    const DANGLING: Option<&mut i32> = helper_dangling(); //~ ERROR dangling reference
+    static DANGLING_STATIC: Option<&mut i32> = helper_dangling(); //~ ERROR dangling reference
+
+}
+
+// Allowed, because there is an explicit static mut.
+static mut BUFFER: i32 = 42;
+const fn ptr_to_buffer() -> Option<&'static mut i32> { unsafe {
+    Some(&mut *std::ptr::addr_of_mut!(BUFFER))
+} }
+const MUT_TO_BUFFER: Option<&mut i32> = ptr_to_buffer();
+
+// These are fine! Just statics pointing to mutable statics, nothing fundamentally wrong with this.
+static MUT_STATIC: Option<&mut i32> = ptr_to_buffer();
+static mut MUT_ARRAY: &mut [u8] = &mut [42];
+static MUTEX: std::sync::Mutex<&mut [u8]> = std::sync::Mutex::new(unsafe { &mut *MUT_ARRAY });
+
 fn main() {
     println!("{}", unsafe { *A });
     unsafe { *B = 4 } // Bad news

tests/ui/consts/const-mut-refs/mut_ref_in_final.stderr

@@ -120,7 +120,51 @@ LL | const RAW_MUT_COERCE_C: SyncPtr<i32> = SyncPtr { x: &mut 0 };
    = note: To avoid accidentally creating global mutable state, such temporaries must be immutable
    = help: If you really want global mutable state, try replacing the temporary by an interior mutable `static` or a `static mut`
 
-error: aborting due to 12 previous errors
+error[E0080]: constructing invalid value at .<enum-variant(Some)>.0: encountered a dangling reference (0x2a[noalloc] has no provenance)
+  --> $DIR/mut_ref_in_final.rs:86:5
+   |
+LL |     const INT2PTR: Option<&mut i32> = helper_int2ptr();
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ it is undefined behavior to use this value
+   |
+   = note: the rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
+   = note: the raw bytes of the constant (size: $SIZE, align: $ALIGN) {
+               HEX_DUMP
+           }
+
+error[E0080]: constructing invalid value at .<enum-variant(Some)>.0: encountered a dangling reference (0x2a[noalloc] has no provenance)
+  --> $DIR/mut_ref_in_final.rs:87:5
+   |
+LL |     static INT2PTR_STATIC: Option<&mut i32> = helper_int2ptr();
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ it is undefined behavior to use this value
+   |
+   = note: the rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
+   = note: the raw bytes of the constant (size: $SIZE, align: $ALIGN) {
+               HEX_DUMP
+           }
+
+error[E0080]: constructing invalid value at .<enum-variant(Some)>.0: encountered a dangling reference (use-after-free)
+  --> $DIR/mut_ref_in_final.rs:93:5
+   |
+LL |     const DANGLING: Option<&mut i32> = helper_dangling();
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ it is undefined behavior to use this value
+   |
+   = note: the rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
+   = note: the raw bytes of the constant (size: $SIZE, align: $ALIGN) {
+               HEX_DUMP
+           }
+
+error[E0080]: constructing invalid value at .<enum-variant(Some)>.0: encountered a dangling reference (use-after-free)
+  --> $DIR/mut_ref_in_final.rs:94:5
+   |
+LL |     static DANGLING_STATIC: Option<&mut i32> = helper_dangling();
+   |     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ it is undefined behavior to use this value
+   |
+   = note: the rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
+   = note: the raw bytes of the constant (size: $SIZE, align: $ALIGN) {
+               HEX_DUMP
+           }
+
+error: aborting due to 16 previous errors
 
 Some errors have detailed explanations: E0080, E0716, E0764.
 For more information about an error, try `rustc --explain E0080`.

tests/ui/consts/const-mut-refs/mut_ref_in_final_dynamic_check.rs

@@ -9,6 +9,5 @@ const C1: &'static mut [usize] = &mut [];
 
 static mut S: i32 = 3;
 const C2: &'static mut i32 = unsafe { &mut S };
-//~^ ERROR: encountered mutable reference
 
 fn main() {}

tests/ui/consts/const-mut-refs/mut_ref_in_final_dynamic_check.stderr

@@ -8,18 +8,6 @@ LL | const C1: &'static mut [usize] = &mut [];
    = note: To avoid accidentally creating global mutable state, such temporaries must be immutable
    = help: If you really want global mutable state, try replacing the temporary by an interior mutable `static` or a `static mut`
 
-error[E0080]: constructing invalid value: encountered mutable reference in `const` value
-  --> $DIR/issue-17718-const-bad-values.rs:11:1
-   |
-LL | const C2: &'static mut i32 = unsafe { &mut S };
-   | ^^^^^^^^^^^^^^^^^^^^^^^^^^ it is undefined behavior to use this value
-   |
-   = note: the rules on what exactly is undefined behavior aren't clear, so this check might be overzealous. Please open an issue on the rustc repository if you believe it should not be considered undefined behavior.
-   = note: the raw bytes of the constant (size: $PTR, align: $PTR) {
-               HEX_DUMP
-           }
-
-error: aborting due to 2 previous errors
+error: aborting due to 1 previous error
 
-Some errors have detailed explanations: E0080, E0764.
-For more information about an error, try `rustc --explain E0080`.
+For more information about this error, try `rustc --explain E0764`.