From c9e9916ea229f0bcdf0b6b86c1cf64f7b8db4ad3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Thu, 9 May 2024 12:35:11 +0200 Subject: [PATCH] offset, offset_from: allow zero-byte offset on arbitrary pointers --- .../dangling_pointers/dangling_zst_deref.rs | 10 ---- .../dangling_zst_deref.stderr | 25 -------- .../maybe_null_pointer_deref_zst.rs | 5 -- .../maybe_null_pointer_deref_zst.stderr | 15 ----- .../maybe_null_pointer_write_zst.rs | 8 --- .../maybe_null_pointer_write_zst.stderr | 15 ----- .../null_pointer_deref_zst.rs | 5 -- .../null_pointer_deref_zst.stderr | 15 ----- .../null_pointer_write_zst.rs | 8 --- .../null_pointer_write_zst.stderr | 15 ----- tests/fail/intrinsics/copy_null.rs | 15 ----- tests/fail/intrinsics/copy_null.stderr | 15 ----- tests/fail/intrinsics/ptr_offset_0_plus_0.rs | 9 --- .../intrinsics/ptr_offset_0_plus_0.stderr | 15 ----- tests/fail/intrinsics/ptr_offset_from_oob.rs | 7 --- .../intrinsics/ptr_offset_from_oob.stderr | 15 ----- .../fail/intrinsics/ptr_offset_ptr_plus_0.rs | 7 --- .../intrinsics/ptr_offset_ptr_plus_0.stderr | 20 ------- tests/fail/intrinsics/write_bytes_null.rs | 10 ---- tests/fail/intrinsics/write_bytes_null.stderr | 15 ----- tests/fail/zst2.rs | 12 ---- tests/fail/zst2.stderr | 25 -------- tests/fail/zst3.rs | 15 ----- tests/fail/zst3.stderr | 20 ------- tests/fail/{zst1.rs => zst_local_oob.rs} | 0 .../{zst1.stderr => zst_local_oob.stderr} | 4 +- tests/pass/align_offset_symbolic.rs | 7 +-- tests/pass/zero-sized-accesses-and-offsets.rs | 59 +++++++++++++++++++ 28 files changed, 64 insertions(+), 327 deletions(-) delete mode 100644 tests/fail/dangling_pointers/dangling_zst_deref.rs delete mode 100644 tests/fail/dangling_pointers/dangling_zst_deref.stderr delete mode 100644 tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.rs delete mode 100644 tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.stderr delete mode 100644 tests/fail/dangling_pointers/maybe_null_pointer_write_zst.rs delete mode 100644 tests/fail/dangling_pointers/maybe_null_pointer_write_zst.stderr delete mode 100644 tests/fail/dangling_pointers/null_pointer_deref_zst.rs delete mode 100644 tests/fail/dangling_pointers/null_pointer_deref_zst.stderr delete mode 100644 tests/fail/dangling_pointers/null_pointer_write_zst.rs delete mode 100644 tests/fail/dangling_pointers/null_pointer_write_zst.stderr delete mode 100644 tests/fail/intrinsics/copy_null.rs delete mode 100644 tests/fail/intrinsics/copy_null.stderr delete mode 100644 tests/fail/intrinsics/ptr_offset_0_plus_0.rs delete mode 100644 tests/fail/intrinsics/ptr_offset_0_plus_0.stderr delete mode 100644 tests/fail/intrinsics/ptr_offset_from_oob.rs delete mode 100644 tests/fail/intrinsics/ptr_offset_from_oob.stderr delete mode 100644 tests/fail/intrinsics/ptr_offset_ptr_plus_0.rs delete mode 100644 tests/fail/intrinsics/ptr_offset_ptr_plus_0.stderr delete mode 100644 tests/fail/intrinsics/write_bytes_null.rs delete mode 100644 tests/fail/intrinsics/write_bytes_null.stderr delete mode 100644 tests/fail/zst2.rs delete mode 100644 tests/fail/zst2.stderr delete mode 100644 tests/fail/zst3.rs delete mode 100644 tests/fail/zst3.stderr rename tests/fail/{zst1.rs => zst_local_oob.rs} (100%) rename tests/fail/{zst1.stderr => zst_local_oob.stderr} (88%) create mode 100644 tests/pass/zero-sized-accesses-and-offsets.rs diff --git a/tests/fail/dangling_pointers/dangling_zst_deref.rs b/tests/fail/dangling_pointers/dangling_zst_deref.rs deleted file mode 100644 index a1fefe04ab..0000000000 --- a/tests/fail/dangling_pointers/dangling_zst_deref.rs +++ /dev/null @@ -1,10 +0,0 @@ -// Make sure we find these even with many checks disabled. -//@compile-flags: -Zmiri-disable-alignment-check -Zmiri-disable-stacked-borrows -Zmiri-disable-validation - -fn main() { - let p = { - let b = Box::new(42); - &*b as *const i32 as *const () - }; - let _x = unsafe { *p }; //~ ERROR: has been freed -} diff --git a/tests/fail/dangling_pointers/dangling_zst_deref.stderr b/tests/fail/dangling_pointers/dangling_zst_deref.stderr deleted file mode 100644 index 72b9a4a2d6..0000000000 --- a/tests/fail/dangling_pointers/dangling_zst_deref.stderr +++ /dev/null @@ -1,25 +0,0 @@ -error: Undefined Behavior: memory access failed: ALLOC has been freed, so this pointer is dangling - --> $DIR/dangling_zst_deref.rs:LL:CC - | -LL | let _x = unsafe { *p }; - | ^^ memory access failed: ALLOC has been freed, so this pointer is dangling - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information -help: ALLOC was allocated here: - --> $DIR/dangling_zst_deref.rs:LL:CC - | -LL | let b = Box::new(42); - | ^^^^^^^^^^^^ -help: ALLOC was deallocated here: - --> $DIR/dangling_zst_deref.rs:LL:CC - | -LL | }; - | ^ - = note: BACKTRACE (of the first span): - = note: inside `main` at $DIR/dangling_zst_deref.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.rs b/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.rs deleted file mode 100644 index 73d0b12068..0000000000 --- a/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.rs +++ /dev/null @@ -1,5 +0,0 @@ -fn main() { - // This pointer *could* be NULL so we cannot load from it, not even at ZST - let ptr = (&0u8 as *const u8).wrapping_sub(0x800) as *const (); - let _x: () = unsafe { *ptr }; //~ ERROR: out-of-bounds -} diff --git a/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.stderr b/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.stderr deleted file mode 100644 index 13c53e20b8..0000000000 --- a/tests/fail/dangling_pointers/maybe_null_pointer_deref_zst.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: ALLOC has size 1, so pointer at offset -2048 is out-of-bounds - --> $DIR/maybe_null_pointer_deref_zst.rs:LL:CC - | -LL | let _x: () = unsafe { *ptr }; - | ^^^^ memory access failed: ALLOC has size 1, so pointer at offset -2048 is out-of-bounds - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/maybe_null_pointer_deref_zst.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.rs b/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.rs deleted file mode 100644 index 5537207ae4..0000000000 --- a/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.rs +++ /dev/null @@ -1,8 +0,0 @@ -fn main() { - // This pointer *could* be NULL so we cannot load from it, not even at ZST. - // Not using the () type here, as writes of that type do not even have MIR generated. - // Also not assigning directly as that's array initialization, not assignment. - let zst_val = [1u8; 0]; - let ptr = (&0u8 as *const u8).wrapping_sub(0x800) as *mut [u8; 0]; - unsafe { *ptr = zst_val }; //~ ERROR: out-of-bounds -} diff --git a/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.stderr b/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.stderr deleted file mode 100644 index e4e23e8ace..0000000000 --- a/tests/fail/dangling_pointers/maybe_null_pointer_write_zst.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: ALLOC has size 1, so pointer at offset -2048 is out-of-bounds - --> $DIR/maybe_null_pointer_write_zst.rs:LL:CC - | -LL | unsafe { *ptr = zst_val }; - | ^^^^^^^^^^^^^^ memory access failed: ALLOC has size 1, so pointer at offset -2048 is out-of-bounds - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/maybe_null_pointer_write_zst.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/dangling_pointers/null_pointer_deref_zst.rs b/tests/fail/dangling_pointers/null_pointer_deref_zst.rs deleted file mode 100644 index f8af43ff35..0000000000 --- a/tests/fail/dangling_pointers/null_pointer_deref_zst.rs +++ /dev/null @@ -1,5 +0,0 @@ -#[allow(deref_nullptr)] -fn main() { - let x: () = unsafe { *std::ptr::null() }; //~ ERROR: memory access failed: null pointer is a dangling pointer - panic!("this should never print: {:?}", x); -} diff --git a/tests/fail/dangling_pointers/null_pointer_deref_zst.stderr b/tests/fail/dangling_pointers/null_pointer_deref_zst.stderr deleted file mode 100644 index 1a8794f3ce..0000000000 --- a/tests/fail/dangling_pointers/null_pointer_deref_zst.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: null pointer is a dangling pointer (it has no provenance) - --> $DIR/null_pointer_deref_zst.rs:LL:CC - | -LL | let x: () = unsafe { *std::ptr::null() }; - | ^^^^^^^^^^^^^^^^^ memory access failed: null pointer is a dangling pointer (it has no provenance) - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/null_pointer_deref_zst.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/dangling_pointers/null_pointer_write_zst.rs b/tests/fail/dangling_pointers/null_pointer_write_zst.rs deleted file mode 100644 index edd6c8fadc..0000000000 --- a/tests/fail/dangling_pointers/null_pointer_write_zst.rs +++ /dev/null @@ -1,8 +0,0 @@ -#[allow(deref_nullptr)] -fn main() { - // Not using the () type here, as writes of that type do not even have MIR generated. - // Also not assigning directly as that's array initialization, not assignment. - let zst_val = [1u8; 0]; - unsafe { std::ptr::null_mut::<[u8; 0]>().write(zst_val) }; - //~^ERROR: memory access failed: null pointer is a dangling pointer -} diff --git a/tests/fail/dangling_pointers/null_pointer_write_zst.stderr b/tests/fail/dangling_pointers/null_pointer_write_zst.stderr deleted file mode 100644 index 1d4704e2a0..0000000000 --- a/tests/fail/dangling_pointers/null_pointer_write_zst.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: null pointer is a dangling pointer (it has no provenance) - --> $DIR/null_pointer_write_zst.rs:LL:CC - | -LL | unsafe { std::ptr::null_mut::<[u8; 0]>().write(zst_val) }; - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ memory access failed: null pointer is a dangling pointer (it has no provenance) - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/null_pointer_write_zst.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/intrinsics/copy_null.rs b/tests/fail/intrinsics/copy_null.rs deleted file mode 100644 index 237e517f28..0000000000 --- a/tests/fail/intrinsics/copy_null.rs +++ /dev/null @@ -1,15 +0,0 @@ -#![feature(intrinsics)] - -// Directly call intrinsic to avoid debug assertions in libstd -extern "rust-intrinsic" { - fn copy_nonoverlapping(src: *const T, dst: *mut T, count: usize); -} - -fn main() { - let mut data = [0u16; 4]; - let ptr = &mut data[0] as *mut u16; - // Even copying 0 elements from NULL should error. - unsafe { - copy_nonoverlapping(std::ptr::null(), ptr, 0); //~ ERROR: memory access failed: null pointer is a dangling pointer - } -} diff --git a/tests/fail/intrinsics/copy_null.stderr b/tests/fail/intrinsics/copy_null.stderr deleted file mode 100644 index d73c03475d..0000000000 --- a/tests/fail/intrinsics/copy_null.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: null pointer is a dangling pointer (it has no provenance) - --> $DIR/copy_null.rs:LL:CC - | -LL | copy_nonoverlapping(std::ptr::null(), ptr, 0); - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ memory access failed: null pointer is a dangling pointer (it has no provenance) - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/copy_null.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/intrinsics/ptr_offset_0_plus_0.rs b/tests/fail/intrinsics/ptr_offset_0_plus_0.rs deleted file mode 100644 index e2329c1313..0000000000 --- a/tests/fail/intrinsics/ptr_offset_0_plus_0.rs +++ /dev/null @@ -1,9 +0,0 @@ -//@compile-flags: -Zmiri-permissive-provenance - -#[rustfmt::skip] // fails with "left behind trailing whitespace" -fn main() { - let x = 0 as *mut i32; - let _x = x.wrapping_offset(8); // ok, this has no inbounds tag - let _x = unsafe { x.offset(0) }; // UB despite offset 0, NULL is never inbounds - //~^ERROR: null pointer is a dangling pointer -} diff --git a/tests/fail/intrinsics/ptr_offset_0_plus_0.stderr b/tests/fail/intrinsics/ptr_offset_0_plus_0.stderr deleted file mode 100644 index a8984c7fa1..0000000000 --- a/tests/fail/intrinsics/ptr_offset_0_plus_0.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: out-of-bounds pointer arithmetic: null pointer is a dangling pointer (it has no provenance) - --> $DIR/ptr_offset_0_plus_0.rs:LL:CC - | -LL | let _x = unsafe { x.offset(0) }; // UB despite offset 0, NULL is never inbounds - | ^^^^^^^^^^^ out-of-bounds pointer arithmetic: null pointer is a dangling pointer (it has no provenance) - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/ptr_offset_0_plus_0.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/intrinsics/ptr_offset_from_oob.rs b/tests/fail/intrinsics/ptr_offset_from_oob.rs deleted file mode 100644 index 0e5acf08b2..0000000000 --- a/tests/fail/intrinsics/ptr_offset_from_oob.rs +++ /dev/null @@ -1,7 +0,0 @@ -fn main() { - let start_ptr = &4 as *const _ as *const u8; - let length = 10; - let end_ptr = start_ptr.wrapping_add(length); - // Even if the offset is 0, a dangling OOB pointer is not allowed. - unsafe { end_ptr.offset_from(end_ptr) }; //~ERROR: pointer at offset 10 is out-of-bounds -} diff --git a/tests/fail/intrinsics/ptr_offset_from_oob.stderr b/tests/fail/intrinsics/ptr_offset_from_oob.stderr deleted file mode 100644 index 32a4461d6b..0000000000 --- a/tests/fail/intrinsics/ptr_offset_from_oob.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: out-of-bounds `offset_from`: ALLOC has size 4, so pointer at offset 10 is out-of-bounds - --> $DIR/ptr_offset_from_oob.rs:LL:CC - | -LL | unsafe { end_ptr.offset_from(end_ptr) }; - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^ out-of-bounds `offset_from`: ALLOC has size 4, so pointer at offset 10 is out-of-bounds - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/ptr_offset_from_oob.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/intrinsics/ptr_offset_ptr_plus_0.rs b/tests/fail/intrinsics/ptr_offset_ptr_plus_0.rs deleted file mode 100644 index 575e28854b..0000000000 --- a/tests/fail/intrinsics/ptr_offset_ptr_plus_0.rs +++ /dev/null @@ -1,7 +0,0 @@ -#[rustfmt::skip] // fails with "left behind trailing whitespace" -fn main() { - let x = Box::into_raw(Box::new(0u32)); - let x = x.wrapping_offset(8); // ok, this has no inbounds tag - let _x = unsafe { x.offset(0) }; // UB despite offset 0, the pointer is not inbounds of the only object it can point to - //~^ERROR: pointer at offset 32 is out-of-bounds -} diff --git a/tests/fail/intrinsics/ptr_offset_ptr_plus_0.stderr b/tests/fail/intrinsics/ptr_offset_ptr_plus_0.stderr deleted file mode 100644 index 304d362bbb..0000000000 --- a/tests/fail/intrinsics/ptr_offset_ptr_plus_0.stderr +++ /dev/null @@ -1,20 +0,0 @@ -error: Undefined Behavior: out-of-bounds pointer arithmetic: ALLOC has size 4, so pointer at offset 32 is out-of-bounds - --> $DIR/ptr_offset_ptr_plus_0.rs:LL:CC - | -LL | let _x = unsafe { x.offset(0) }; // UB despite offset 0, the pointer is not inbounds of the only object it can point to - | ^^^^^^^^^^^ out-of-bounds pointer arithmetic: ALLOC has size 4, so pointer at offset 32 is out-of-bounds - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information -help: ALLOC was allocated here: - --> $DIR/ptr_offset_ptr_plus_0.rs:LL:CC - | -LL | let x = Box::into_raw(Box::new(0u32)); - | ^^^^^^^^^^^^^^ - = note: BACKTRACE (of the first span): - = note: inside `main` at $DIR/ptr_offset_ptr_plus_0.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/intrinsics/write_bytes_null.rs b/tests/fail/intrinsics/write_bytes_null.rs deleted file mode 100644 index 2f46c820fb..0000000000 --- a/tests/fail/intrinsics/write_bytes_null.rs +++ /dev/null @@ -1,10 +0,0 @@ -#![feature(intrinsics)] - -// Directly call intrinsic to avoid debug assertions in libstd -extern "rust-intrinsic" { - fn write_bytes(dst: *mut T, val: u8, count: usize); -} - -fn main() { - unsafe { write_bytes::(std::ptr::null_mut(), 0, 0) }; //~ ERROR: memory access failed: null pointer is a dangling pointer -} diff --git a/tests/fail/intrinsics/write_bytes_null.stderr b/tests/fail/intrinsics/write_bytes_null.stderr deleted file mode 100644 index def180935c..0000000000 --- a/tests/fail/intrinsics/write_bytes_null.stderr +++ /dev/null @@ -1,15 +0,0 @@ -error: Undefined Behavior: memory access failed: null pointer is a dangling pointer (it has no provenance) - --> $DIR/write_bytes_null.rs:LL:CC - | -LL | unsafe { write_bytes::(std::ptr::null_mut(), 0, 0) }; - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ memory access failed: null pointer is a dangling pointer (it has no provenance) - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information - = note: BACKTRACE: - = note: inside `main` at $DIR/write_bytes_null.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/zst2.rs b/tests/fail/zst2.rs deleted file mode 100644 index 04218c264a..0000000000 --- a/tests/fail/zst2.rs +++ /dev/null @@ -1,12 +0,0 @@ -fn main() { - // Not using the () type here, as writes of that type do not even have MIR generated. - // Also not assigning directly as that's array initialization, not assignment. - let zst_val = [1u8; 0]; - - // make sure ZST accesses are checked against being "truly" dangling pointers - // (into deallocated allocations). - let mut x_box = Box::new(1u8); - let x = &mut *x_box as *mut _ as *mut [u8; 0]; - drop(x_box); - unsafe { *x = zst_val }; //~ ERROR: has been freed -} diff --git a/tests/fail/zst2.stderr b/tests/fail/zst2.stderr deleted file mode 100644 index b3f65e7866..0000000000 --- a/tests/fail/zst2.stderr +++ /dev/null @@ -1,25 +0,0 @@ -error: Undefined Behavior: memory access failed: ALLOC has been freed, so this pointer is dangling - --> $DIR/zst2.rs:LL:CC - | -LL | unsafe { *x = zst_val }; - | ^^^^^^^^^^^^ memory access failed: ALLOC has been freed, so this pointer is dangling - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information -help: ALLOC was allocated here: - --> $DIR/zst2.rs:LL:CC - | -LL | let mut x_box = Box::new(1u8); - | ^^^^^^^^^^^^^ -help: ALLOC was deallocated here: - --> $DIR/zst2.rs:LL:CC - | -LL | drop(x_box); - | ^^^^^^^^^^^ - = note: BACKTRACE (of the first span): - = note: inside `main` at $DIR/zst2.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/zst3.rs b/tests/fail/zst3.rs deleted file mode 100644 index 454bef25f2..0000000000 --- a/tests/fail/zst3.rs +++ /dev/null @@ -1,15 +0,0 @@ -fn main() { - // Not using the () type here, as writes of that type do not even have MIR generated. - // Also not assigning directly as that's array initialization, not assignment. - let zst_val = [1u8; 0]; - - // make sure ZST accesses are checked against being "truly" dangling pointers - // (that are out-of-bounds). - let mut x_box = Box::new(1u8); - let x = (&mut *x_box as *mut u8).wrapping_offset(1); - // This one is just "at the edge", but still okay - unsafe { *(x as *mut [u8; 0]) = zst_val }; - // One byte further is OOB. - let x = x.wrapping_offset(1); - unsafe { *(x as *mut [u8; 0]) = zst_val }; //~ ERROR: out-of-bounds -} diff --git a/tests/fail/zst3.stderr b/tests/fail/zst3.stderr deleted file mode 100644 index b9495fbd20..0000000000 --- a/tests/fail/zst3.stderr +++ /dev/null @@ -1,20 +0,0 @@ -error: Undefined Behavior: memory access failed: ALLOC has size 1, so pointer at offset 2 is out-of-bounds - --> $DIR/zst3.rs:LL:CC - | -LL | unsafe { *(x as *mut [u8; 0]) = zst_val }; - | ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ memory access failed: ALLOC has size 1, so pointer at offset 2 is out-of-bounds - | - = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior - = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information -help: ALLOC was allocated here: - --> $DIR/zst3.rs:LL:CC - | -LL | let mut x_box = Box::new(1u8); - | ^^^^^^^^^^^^^ - = note: BACKTRACE (of the first span): - = note: inside `main` at $DIR/zst3.rs:LL:CC - -note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace - -error: aborting due to 1 previous error - diff --git a/tests/fail/zst1.rs b/tests/fail/zst_local_oob.rs similarity index 100% rename from tests/fail/zst1.rs rename to tests/fail/zst_local_oob.rs diff --git a/tests/fail/zst1.stderr b/tests/fail/zst_local_oob.stderr similarity index 88% rename from tests/fail/zst1.stderr rename to tests/fail/zst_local_oob.stderr index cda837da7e..ba1ccaa0a3 100644 --- a/tests/fail/zst1.stderr +++ b/tests/fail/zst_local_oob.stderr @@ -1,5 +1,5 @@ error: Undefined Behavior: memory access failed: ALLOC has size 0, so pointer to 1 byte starting at offset 0 is out-of-bounds - --> $DIR/zst1.rs:LL:CC + --> $DIR/zst_local_oob.rs:LL:CC | LL | let _val = unsafe { *x }; | ^^ memory access failed: ALLOC has size 0, so pointer to 1 byte starting at offset 0 is out-of-bounds @@ -7,7 +7,7 @@ LL | let _val = unsafe { *x }; = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information = note: BACKTRACE: - = note: inside `main` at $DIR/zst1.rs:LL:CC + = note: inside `main` at $DIR/zst_local_oob.rs:LL:CC note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace diff --git a/tests/pass/align_offset_symbolic.rs b/tests/pass/align_offset_symbolic.rs index dec3d779a7..9647277821 100644 --- a/tests/pass/align_offset_symbolic.rs +++ b/tests/pass/align_offset_symbolic.rs @@ -118,10 +118,9 @@ fn vtable() { let parts: (*const (), *const u8) = unsafe { mem::transmute(ptr) }; let vtable = parts.1; let offset = vtable.align_offset(mem::align_of::()); - let _vtable_aligned = vtable.wrapping_add(offset) as *const [TWOPTR; 0]; - // FIXME: we can't actually do the access since vtable pointers act like zero-sized allocations. - // Enable the next line once https://github.com/rust-lang/rust/issues/117945 is implemented. - //let _place = unsafe { &*vtable_aligned }; + let vtable_aligned = vtable.wrapping_add(offset) as *const [TWOPTR; 0]; + // Zero-sized deref, so no in-bounds requirement. + let _place = unsafe { &*vtable_aligned }; } fn main() { diff --git a/tests/pass/zero-sized-accesses-and-offsets.rs b/tests/pass/zero-sized-accesses-and-offsets.rs new file mode 100644 index 0000000000..2d142bef73 --- /dev/null +++ b/tests/pass/zero-sized-accesses-and-offsets.rs @@ -0,0 +1,59 @@ +//! Tests specific for : zero-sized operations. +#![feature(strict_provenance)] + +use std::ptr; + +fn main() { + // Null. + test_ptr(ptr::null_mut::<()>()); + // No provenance. + test_ptr(ptr::without_provenance_mut::<()>(1)); + // Out-of-bounds. + let mut b = Box::new(0i32); + let ptr = ptr::addr_of_mut!(*b) as *mut (); + test_ptr(ptr.wrapping_byte_add(2)); + // Dangling (use-after-free). + drop(b); + test_ptr(ptr); +} + +fn test_ptr(ptr: *mut ()) { + unsafe { + // Reads and writes. + let mut val = *ptr; + *ptr = val; + ptr.read(); + ptr.write(()); + // Memory access intrinsics. + // - memcpy (1st and 2nd argument) + ptr.copy_from_nonoverlapping(&(), 1); + ptr.copy_to_nonoverlapping(&mut val, 1); + // - memmove (1st and 2nd argument) + ptr.copy_from(&(), 1); + ptr.copy_to(&mut val, 1); + // - memset + ptr.write_bytes(0u8, 1); + // Offset. + let _ = ptr.offset(0); + let _ = ptr.offset(1); // this is still 0 bytes + // Distance. + let ptr = ptr.cast::(); + ptr.offset_from(ptr); + /* + FIXME: this is disabled for now as these cases are not yet allowed. + // Distance from other "bad" pointers that have the same address, but different provenance. Some + // of this is library UB, but we don't want it to be language UB since that would violate + // provenance monotonicity: if we allow computing the distance between two ptrs with no + // provenance, we have to allow computing it between two ptrs with arbitrary provenance. + // - Distance from "no provenance" + ptr.offset_from(ptr::without_provenance_mut(ptr.addr())); + // - Distance from out-of-bounds pointer + let mut b = Box::new(0i32); + let other_ptr = ptr::addr_of_mut!(*b); + ptr.offset_from(other_ptr.with_addr(ptr.addr())); + // - Distance from use-after-free pointer + drop(b); + ptr.offset_from(other_ptr.with_addr(ptr.addr())); + */ + } +}