when writing a scalar pair, always reset the entire destination range

Author: RalfJung

compiler/rustc_const_eval/src/interpret/place.rs

@@ -704,6 +704,7 @@ where
         // wrong type.
 
         let tcx = *self.tcx;
+        let will_later_validate = M::enforce_validity(self, layout);
         let Some(mut alloc) = self.get_place_alloc_mut(&MPlaceTy { mplace: dest, layout })? else {
             // zero-sized access
             return interp_ok(());
@@ -714,23 +715,31 @@ where
                 alloc.write_scalar(alloc_range(Size::ZERO, scalar.size()), scalar)?;
             }
             Immediate::ScalarPair(a_val, b_val) => {
-                let BackendRepr::ScalarPair(a, b) = layout.backend_repr else {
+                let BackendRepr::ScalarPair(_a, b) = layout.backend_repr else {
                     span_bug!(
                         self.cur_span(),
                         "write_immediate_to_mplace: invalid ScalarPair layout: {:#?}",
                         layout
                     )
                 };
-                let b_offset = a.size(&tcx).align_to(b.align(&tcx).abi);
+                let a_size = a_val.size();
+                let b_offset = a_size.align_to(b.align(&tcx).abi);
                 assert!(b_offset.bytes() > 0); // in `operand_field` we use the offset to tell apart the fields
 
                 // It is tempting to verify `b_offset` against `layout.fields.offset(1)`,
                 // but that does not work: We could be a newtype around a pair, then the
                 // fields do not match the `ScalarPair` components.
 
-                alloc.write_scalar(alloc_range(Size::ZERO, a_val.size()), a_val)?;
+                // In preparation, if we do *not* later reset the padding, we clear the entire
+                // destination now to ensure that no stray pointer fragments are being
+                // preserved (see <https://github.com/rust-lang/rust/issues/148470>).
+                // We can skip this if there is no padding (e.g. for wide pointers).
+                if !will_later_validate && a_size + b_val.size() != layout.size {
+                    alloc.write_uninit_full();
+                }
+
+                alloc.write_scalar(alloc_range(Size::ZERO, a_size), a_val)?;
                 alloc.write_scalar(alloc_range(b_offset, b_val.size()), b_val)?;
-                // We don't have to reset padding here, `write_immediate` will anyway do a validation run.
             }
             Immediate::Uninit => alloc.write_uninit_full(),
         }

compiler/rustc_middle/src/mir/interpret/allocation/provenance_map.rs

@@ -290,9 +290,12 @@ impl<Prov: Provenance> ProvenanceMap<Prov> {
     }
 
     /// Removes all provenance inside the given range.
-    /// If there is provenance overlapping with the edges, might result in an error.
     #[allow(irrefutable_let_patterns)] // these actually make the code more clear
     pub fn clear(&mut self, range: AllocRange, data_bytes: &[u8], cx: &impl HasDataLayout) {
+        if range.size == Size::ZERO {
+            return;
+        }
+
         let start = range.start;
         let end = range.end();
         // Clear the bytewise part -- this is easy.

tests/ui/consts/const-eval/ptr_fragments.rs

@@ -67,6 +67,30 @@ const _PARTIAL_OVERWRITE: () = {
     }
 };
 
+#[allow(dead_code)]
+fn fragment_in_dst_padding_gets_overwritten() {
+    #[repr(C)]
+    struct Pair {
+        x: u128,
+        // at offset 16
+        y: u64,
+    }
+
+    const C: MaybeUninit<Pair> = unsafe {
+        let mut m = MaybeUninit::<Pair>::uninit();
+        // Store pointer half-way into trailing padding.
+        m.as_mut_ptr().byte_add(20).cast::<&i32>().write_unaligned(&0);
+        // Overwrite `m`.
+        let val = Pair { x: 0, y: 0 };
+        *m.as_mut_ptr() = val;
+        // If the assignment of `val` above only copied the field and left the rest of `m`
+        // unchanged, there would be pointer fragments left in the padding which would be carried
+        // all the way to the final value, causing compilation failure.
+        // We prevent this by having the copy of `val` overwrite the entire destination.
+        m
+    };
+}
+
 fn main() {
     assert_eq!(unsafe { MEMCPY_RET.assume_init().read() }, 42);
 }