miri: fix overflow detection for unsigned pointer offset

Author: RalfJung

compiler/rustc_const_eval/src/interpret/operator.rs

@@ -303,8 +303,10 @@ impl<'tcx, M: Machine<'tcx>> InterpCx<'tcx, M> {
                 let pointee_layout = self.layout_of(pointee_ty)?;
                 assert!(pointee_layout.abi.is_sized());
 
-                // We cannot overflow i64 as a type's size must be <= isize::MAX.
+                // The size always fits in `i64` as it can be at most `isize::MAX`.
                 let pointee_size = i64::try_from(pointee_layout.size.bytes()).unwrap();
+                // This uses the same type as `right`, which can be `isize` or `usize`.
+                // `pointee_size` is guaranteed to fit into both types.
                 let pointee_size = ImmTy::from_int(pointee_size, right.layout);
                 // Multiply element size and element count.
                 let (val, overflowed) = self
@@ -316,6 +318,11 @@ impl<'tcx, M: Machine<'tcx>> InterpCx<'tcx, M> {
                 }
 
                 let offset_bytes = val.to_target_isize(self)?;
+                if !right.layout.abi.is_signed() && offset_bytes < 0 {
+                    // We were supposed to do an unsigned offset but the result is negative -- this
+                    // can only mean that the cast wrapped around.
+                    throw_ub!(PointerArithOverflow)
+                }
                 let offset_ptr = self.ptr_offset_inbounds(ptr, offset_bytes)?;
                 Ok(ImmTy::from_scalar(Scalar::from_maybe_pointer(offset_ptr, self), left.layout))
             }

src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.rs

@@ -0,0 +1,9 @@
+fn main() {
+    let x = &[0i32; 2];
+    let x = std::ptr::from_ref(&x[0]).wrapping_add(1);
+    // Will be equal to -4isize when multiplied be the size (4) -- and that step does not itself overflow.
+    let offset = !0usize >> 2;
+    // However, the usize-to-isize cast is lossy and hence this should be UB.
+    // Or put differently, -4isize as usize is out-of-bounds.
+    unsafe { x.add(offset).read() }; //~ERROR: does not fit in an `isize`
+}

src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.stderr

@@ -0,0 +1,15 @@
+error: Undefined Behavior: overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize`
+  --> $DIR/ptr_offset_unsigned_overflow.rs:LL:CC
+   |
+LL |     unsafe { x.add(offset).read() };
+   |              ^^^^^^^^^^^^^ overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize`
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `main` at $DIR/ptr_offset_unsigned_overflow.rs:LL:CC
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+