Auto merge of #1930 - tavianator:avoid-adjacent-allocations, r=RalfJung

bors · bors · commit 81e59e6b92cf · 2021-12-06T01:33:55.000Z
intptrcast: Never allocate two objects directly adjecent When two objects directly follow each other in memory, what is the provenance of an integer cast to a pointer that points directly between them? For a zero-size region, it could point into the end of the first object, or the start of the second. We can avoid answering this difficult question by simply never allocating two objects directly beside each other. This fixes some of the false positives from #1866.
diff --git a/src/intptrcast.rs b/src/intptrcast.rs
@@ -1,5 +1,4 @@
 use std::cell::RefCell;
-use std::cmp::max;
 use std::collections::hash_map::Entry;
 
 use log::trace;
@@ -107,9 +106,11 @@ impl<'mir, 'tcx> GlobalState {
                     slack,
                 );
 
-                // Remember next base address.  If this allocation is zero-sized, leave a gap
-                // of at least 1 to avoid two allocations having the same base address.
-                global_state.next_base_addr = base_addr.checked_add(max(size.bytes(), 1)).unwrap();
+                // Remember next base address.  Leave a gap of at least 1 to avoid two zero-sized allocations
+                // having the same base address, and to avoid ambiguous provenance for the address between two
+                // allocations (also see https://github.com/rust-lang/unsafe-code-guidelines/issues/313).
+                let size_plus_1 = size.bytes().checked_add(1).unwrap();
+                global_state.next_base_addr = base_addr.checked_add(size_plus_1).unwrap();
                 // Given that `next_base_addr` increases in each allocation, pushing the
                 // corresponding tuple keeps `int_to_ptr_map` sorted
                 global_state.int_to_ptr_map.push((base_addr, alloc_id));
diff --git a/tests/run-pass/adjacent-allocs.rs b/tests/run-pass/adjacent-allocs.rs
@@ -0,0 +1,22 @@
+fn main() {
+    // The slack between allocations is random.
+    // Loop a few times to hit the zero-slack case.
+    for _ in 0..1024 {
+        let n = 0u64;
+        let ptr: *const u64 = &n;
+
+        // Allocate a new stack variable whose lifetime quickly ends.
+        // If there's a chance that &m == ptr.add(1), then an int-to-ptr cast of
+        // that value will have ambiguous provenance between n and m.
+        // See https://github.com/rust-lang/miri/issues/1866#issuecomment-985770125
+        {
+            let m = 0u64;
+            let _ = &m as *const u64;
+        }
+
+        let iptr = ptr as usize;
+        let zst = (iptr + 8) as *const ();
+        // This is a ZST ptr just at the end of `n`, so it should be valid to deref.
+        unsafe { *zst }
+    }
+}
