rust/tests/ui/consts/offset_from_ub.rs

#![feature(const_ptr_sub_ptr)]
#![feature(core_intrinsics)]

use std::intrinsics::{ptr_offset_from, ptr_offset_from_unsigned};
use std::ptr;

#[repr(C)]
struct Struct {
    data: u8,
    field: u8,
}

pub const DIFFERENT_ALLOC: usize = {
    let uninit = std::mem::MaybeUninit::<Struct>::uninit();
    let base_ptr: *const Struct = &uninit as *const _ as *const Struct;
    let uninit2 = std::mem::MaybeUninit::<Struct>::uninit();
    let field_ptr: *const Struct = &uninit2 as *const _ as *const Struct;
    let offset = unsafe { ptr_offset_from(field_ptr, base_ptr) }; //~ERROR evaluation of constant value failed
    //~| pointers into different allocations
    offset as usize
};

pub const NOT_PTR: usize = {
    unsafe { (42 as *const u8).offset_from(&5u8) as usize }
};

pub const NOT_MULTIPLE_OF_SIZE: isize = {
    let data = [5u8, 6, 7];
    let base_ptr = data.as_ptr();
    let field_ptr = &data[1] as *const u8 as *const u16;
    unsafe { ptr_offset_from(field_ptr, base_ptr as *const u16) } //~ERROR evaluation of constant value failed
    //~| 1_isize cannot be divided by 2_isize without remainder
};

pub const OFFSET_FROM_NULL: isize = {
    let ptr = 0 as *const u8;
    // Null isn't special for zero-sized "accesses" (i.e., the range between the two pointers)
    unsafe { ptr_offset_from(ptr, ptr) }
};

pub const DIFFERENT_INT: isize = { // offset_from with two different integers: like DIFFERENT_ALLOC
    let ptr1 = 8 as *const u8;
    let ptr2 = 16 as *const u8;
    unsafe { ptr_offset_from(ptr2, ptr1) } //~ERROR evaluation of constant value failed
    //~| different pointers without provenance
};

const OUT_OF_BOUNDS_1: isize = {
    let start_ptr = &4 as *const _ as *const u8;
    let length = 10;
    let end_ptr = (start_ptr).wrapping_add(length);
    // First ptr is out of bounds
    unsafe { ptr_offset_from(end_ptr, start_ptr) } //~ERROR evaluation of constant value failed
    //~| pointer to 10 bytes starting at offset 0 is out-of-bounds
};

const OUT_OF_BOUNDS_2: isize = {
    let start_ptr = &4 as *const _ as *const u8;
    let length = 10;
    let end_ptr = (start_ptr).wrapping_add(length);
    // Second ptr is out of bounds
    unsafe { ptr_offset_from(start_ptr, end_ptr) } //~ERROR evaluation of constant value failed
    //~| pointer to 10 bytes starting at offset 0 is out-of-bounds
};

const OUT_OF_BOUNDS_SAME: isize = {
    let start_ptr = &4 as *const _ as *const u8;
    let length = 10;
    let end_ptr = (start_ptr).wrapping_add(length);
    // Out-of-bounds is fine as long as the range between the pointers is empty.
    unsafe { ptr_offset_from(end_ptr, end_ptr) }
};

pub const DIFFERENT_ALLOC_UNSIGNED: usize = {
    let uninit = std::mem::MaybeUninit::<Struct>::uninit();
    let base_ptr: *const Struct = &uninit as *const _ as *const Struct;
    let uninit2 = std::mem::MaybeUninit::<Struct>::uninit();
    let field_ptr: *const Struct = &uninit2 as *const _ as *const Struct;
    unsafe { ptr_offset_from_unsigned(field_ptr, base_ptr) } //~ERROR evaluation of constant value failed
    //~| pointers into different allocations
};

pub const TOO_FAR_APART1: isize = {
    let ptr1 = &0u8 as *const u8;
    let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);
    unsafe { ptr_offset_from(ptr2, ptr1) } //~ERROR evaluation of constant value failed
    //~| too far ahead
};
pub const TOO_FAR_APART2: isize = {
    let ptr1 = &0u8 as *const u8;
    let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);
    unsafe { ptr_offset_from(ptr1, ptr2) } //~ERROR evaluation of constant value failed
    //~| too far before
};

const WRONG_ORDER_UNSIGNED: usize = {
    let a = ['a', 'b', 'c'];
    let p = a.as_ptr();
    unsafe { ptr_offset_from_unsigned(p, p.add(2) ) } //~ERROR evaluation of constant value failed
    //~| first pointer has smaller offset than second: 0 < 8
};
pub const TOO_FAR_APART_UNSIGNED: usize = {
    let ptr1 = &0u8 as *const u8;
    let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);
    // This would fit into a `usize` but we still don't allow it.
    unsafe { ptr_offset_from_unsigned(ptr2, ptr1) } //~ERROR evaluation of constant value failed
    //~| too far ahead
};

// These do NOT complain that pointers are too far apart; they pass that check (to then fail the
// next one).
pub const OFFSET_VERY_FAR1: isize = {
    let ptr1 = ptr::null::<u8>();
    let ptr2 = ptr1.wrapping_offset(isize::MAX);
    unsafe { ptr2.offset_from(ptr1) }
    //~^ inside
};
pub const OFFSET_VERY_FAR2: isize = {
    let ptr1 = ptr::null::<u8>();
    let ptr2 = ptr1.wrapping_offset(isize::MAX);
    unsafe { ptr1.offset_from(ptr2.wrapping_offset(1)) }
    //~^ inside
};

fn main() {}
Do not include `const_ptr_sub_ptr` in this stabilization 2022-05-12 01:48:46 -05:00			`#![feature(const_ptr_sub_ptr)]`
improve test by using intrinsic directly 2021-06-18 12:43:03 -05:00			`#![feature(core_intrinsics)]`

Add `unsigned_offset_from` on pointers Like we have `add`/`sub` which are the `usize` version of `offset`, this adds the `usize` equivalent of `offset_from`. Like how `.add(d)` replaced a whole bunch of `.offset(d as isize)`, you can see from the changes here that it's fairly common that code actually knows the order between the pointers and wants a `usize`, not an `isize`. As a bonus, this can do `sub nuw`+`udiv exact`, rather than `sub`+`sdiv exact`, which can be optimized slightly better because it doesn't have to worry about negatives. That's why the slice iterators weren't using `offset_from`, though I haven't updated that code in this PR because slices are so perf-critical that I'll do it as its own change. This is an intrinsic, like `offset_from`, so that it can eventually be allowed in CTFE. It also allows checking the extra safety condition -- see the test confirming that CTFE catches it if you pass the pointers in the wrong order. 2022-04-09 03:27:47 -05:00			`use std::intrinsics::{ptr_offset_from, ptr_offset_from_unsigned};`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`use std::ptr;`
Make <*const/mut T>::offset_from `const fn` 2019-08-20 10:51:54 -05:00
			`#[repr(C)]`
			`struct Struct {`
			`data: u8,`
			`field: u8,`
			`}`

			`pub const DIFFERENT_ALLOC: usize = {`
			`let uninit = std::mem::MaybeUninit::<Struct>::uninit();`
			`let base_ptr: const Struct = &uninit as const _ as *const Struct;`
			`let uninit2 = std::mem::MaybeUninit::<Struct>::uninit();`
			`let field_ptr: const Struct = &uninit2 as const _ as *const Struct;`
improve test by using intrinsic directly 2021-06-18 12:43:03 -05:00			`let offset = unsafe { ptr_offset_from(field_ptr, base_ptr) }; //~ERROR evaluation of constant value failed`
interpret: unify offset_from check with offset check 2022-06-09 19:47:06 -05:00			`//~\| pointers into different allocations`
Make <*const/mut T>::offset_from `const fn` 2019-08-20 10:51:54 -05:00			`offset as usize`
			`};`

			`pub const NOT_PTR: usize = {`
			`unsafe { (42 as *const u8).offset_from(&5u8) as usize }`
			`};`

test offset_from with two integers 2019-11-04 06:30:00 -06:00			`pub const NOT_MULTIPLE_OF_SIZE: isize = {`
Make <*const/mut T>::offset_from `const fn` 2019-08-20 10:51:54 -05:00			`let data = [5u8, 6, 7];`
			`let base_ptr = data.as_ptr();`
			`let field_ptr = &data[1] as const u8 as const u16;`
improve test by using intrinsic directly 2021-06-18 12:43:03 -05:00			`unsafe { ptr_offset_from(field_ptr, base_ptr as *const u16) } //~ERROR evaluation of constant value failed`
			`//~\| 1_isize cannot be divided by 2_isize without remainder`
test offset_from with two integers 2019-11-04 06:30:00 -06:00			`};`

			`pub const OFFSET_FROM_NULL: isize = {`
			`let ptr = 0 as *const u8;`
offset, offset_from: allow zero-byte offset on arbitrary pointers 2024-05-09 05:35:11 -05:00			`// Null isn't special for zero-sized "accesses" (i.e., the range between the two pointers)`
			`unsafe { ptr_offset_from(ptr, ptr) }`
Make <*const/mut T>::offset_from `const fn` 2019-08-20 10:51:54 -05:00			`};`

also test different integers 2019-11-04 06:31:29 -06:00			`pub const DIFFERENT_INT: isize = { // offset_from with two different integers: like DIFFERENT_ALLOC`
			`let ptr1 = 8 as *const u8;`
			`let ptr2 = 16 as *const u8;`
adjust tests 2021-07-12 17:21:35 -05:00			`unsafe { ptr_offset_from(ptr2, ptr1) } //~ERROR evaluation of constant value failed`
interpret/miri: better errors on failing offset_from 2024-05-09 06:09:47 -05:00			`//~\| different pointers without provenance`
also test different integers 2019-11-04 06:31:29 -06:00			`};`

adjust offset_from logic: check that both pointers are in-bounds 2022-03-10 17:30:32 -06:00			`const OUT_OF_BOUNDS_1: isize = {`
			`let start_ptr = &4 as const _ as const u8;`
			`let length = 10;`
			`let end_ptr = (start_ptr).wrapping_add(length);`
			`// First ptr is out of bounds`
			`unsafe { ptr_offset_from(end_ptr, start_ptr) } //~ERROR evaluation of constant value failed`
interpret: unify offset_from check with offset check 2022-06-09 19:47:06 -05:00			`//~\| pointer to 10 bytes starting at offset 0 is out-of-bounds`
adjust offset_from logic: check that both pointers are in-bounds 2022-03-10 17:30:32 -06:00			`};`

			`const OUT_OF_BOUNDS_2: isize = {`
			`let start_ptr = &4 as const _ as const u8;`
			`let length = 10;`
			`let end_ptr = (start_ptr).wrapping_add(length);`
			`// Second ptr is out of bounds`
			`unsafe { ptr_offset_from(start_ptr, end_ptr) } //~ERROR evaluation of constant value failed`
interpret: unify offset_from check with offset check 2022-06-09 19:47:06 -05:00			`//~\| pointer to 10 bytes starting at offset 0 is out-of-bounds`
adjust offset_from logic: check that both pointers are in-bounds 2022-03-10 17:30:32 -06:00			`};`

			`const OUT_OF_BOUNDS_SAME: isize = {`
			`let start_ptr = &4 as const _ as const u8;`
			`let length = 10;`
			`let end_ptr = (start_ptr).wrapping_add(length);`
offset, offset_from: allow zero-byte offset on arbitrary pointers 2024-05-09 05:35:11 -05:00			`// Out-of-bounds is fine as long as the range between the pointers is empty.`
			`unsafe { ptr_offset_from(end_ptr, end_ptr) }`
adjust offset_from logic: check that both pointers are in-bounds 2022-03-10 17:30:32 -06:00			`};`

Add `unsigned_offset_from` on pointers Like we have `add`/`sub` which are the `usize` version of `offset`, this adds the `usize` equivalent of `offset_from`. Like how `.add(d)` replaced a whole bunch of `.offset(d as isize)`, you can see from the changes here that it's fairly common that code actually knows the order between the pointers and wants a `usize`, not an `isize`. As a bonus, this can do `sub nuw`+`udiv exact`, rather than `sub`+`sdiv exact`, which can be optimized slightly better because it doesn't have to worry about negatives. That's why the slice iterators weren't using `offset_from`, though I haven't updated that code in this PR because slices are so perf-critical that I'll do it as its own change. This is an intrinsic, like `offset_from`, so that it can eventually be allowed in CTFE. It also allows checking the extra safety condition -- see the test confirming that CTFE catches it if you pass the pointers in the wrong order. 2022-04-09 03:27:47 -05:00			`pub const DIFFERENT_ALLOC_UNSIGNED: usize = {`
			`let uninit = std::mem::MaybeUninit::<Struct>::uninit();`
			`let base_ptr: const Struct = &uninit as const _ as *const Struct;`
			`let uninit2 = std::mem::MaybeUninit::<Struct>::uninit();`
			`let field_ptr: const Struct = &uninit2 as const _ as *const Struct;`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`unsafe { ptr_offset_from_unsigned(field_ptr, base_ptr) } //~ERROR evaluation of constant value failed`
interpret: unify offset_from check with offset check 2022-06-09 19:47:06 -05:00			`//~\| pointers into different allocations`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`};`

			`pub const TOO_FAR_APART1: isize = {`
interpret/miri: better errors on failing offset_from 2024-05-09 06:09:47 -05:00			`let ptr1 = &0u8 as *const u8;`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);`
			`unsafe { ptr_offset_from(ptr2, ptr1) } //~ERROR evaluation of constant value failed`
			`//~\| too far ahead`
			`};`
			`pub const TOO_FAR_APART2: isize = {`
interpret/miri: better errors on failing offset_from 2024-05-09 06:09:47 -05:00			`let ptr1 = &0u8 as *const u8;`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);`
			`unsafe { ptr_offset_from(ptr1, ptr2) } //~ERROR evaluation of constant value failed`
			`//~\| too far before`
Add `unsigned_offset_from` on pointers Like we have `add`/`sub` which are the `usize` version of `offset`, this adds the `usize` equivalent of `offset_from`. Like how `.add(d)` replaced a whole bunch of `.offset(d as isize)`, you can see from the changes here that it's fairly common that code actually knows the order between the pointers and wants a `usize`, not an `isize`. As a bonus, this can do `sub nuw`+`udiv exact`, rather than `sub`+`sdiv exact`, which can be optimized slightly better because it doesn't have to worry about negatives. That's why the slice iterators weren't using `offset_from`, though I haven't updated that code in this PR because slices are so perf-critical that I'll do it as its own change. This is an intrinsic, like `offset_from`, so that it can eventually be allowed in CTFE. It also allows checking the extra safety condition -- see the test confirming that CTFE catches it if you pass the pointers in the wrong order. 2022-04-09 03:27:47 -05:00			`};`

			`const WRONG_ORDER_UNSIGNED: usize = {`
			`let a = ['a', 'b', 'c'];`
			`let p = a.as_ptr();`
			`unsafe { ptr_offset_from_unsigned(p, p.add(2) ) } //~ERROR evaluation of constant value failed`
interpret: unify offset_from check with offset check 2022-06-09 19:47:06 -05:00			`//~\| first pointer has smaller offset than second: 0 < 8`
Add `unsigned_offset_from` on pointers Like we have `add`/`sub` which are the `usize` version of `offset`, this adds the `usize` equivalent of `offset_from`. Like how `.add(d)` replaced a whole bunch of `.offset(d as isize)`, you can see from the changes here that it's fairly common that code actually knows the order between the pointers and wants a `usize`, not an `isize`. As a bonus, this can do `sub nuw`+`udiv exact`, rather than `sub`+`sdiv exact`, which can be optimized slightly better because it doesn't have to worry about negatives. That's why the slice iterators weren't using `offset_from`, though I haven't updated that code in this PR because slices are so perf-critical that I'll do it as its own change. This is an intrinsic, like `offset_from`, so that it can eventually be allowed in CTFE. It also allows checking the extra safety condition -- see the test confirming that CTFE catches it if you pass the pointers in the wrong order. 2022-04-09 03:27:47 -05:00			`};`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`pub const TOO_FAR_APART_UNSIGNED: usize = {`
interpret/miri: better errors on failing offset_from 2024-05-09 06:09:47 -05:00			`let ptr1 = &0u8 as *const u8;`
interpret, ptr_offset_from: refactor and test too-far-apart check 2022-07-24 15:01:47 -05:00			`let ptr2 = ptr1.wrapping_add(isize::MAX as usize + 42);`
			// This would fit into a `usize` but we still don't allow it.
			`unsafe { ptr_offset_from_unsigned(ptr2, ptr1) } //~ERROR evaluation of constant value failed`
			`//~\| too far ahead`
			`};`

			`// These do NOT complain that pointers are too far apart; they pass that check (to then fail the`
			`// next one).`
			`pub const OFFSET_VERY_FAR1: isize = {`
			`let ptr1 = ptr::null::<u8>();`
			`let ptr2 = ptr1.wrapping_offset(isize::MAX);`
			`unsafe { ptr2.offset_from(ptr1) }`
			`//~^ inside`
			`};`
			`pub const OFFSET_VERY_FAR2: isize = {`
			`let ptr1 = ptr::null::<u8>();`
			`let ptr2 = ptr1.wrapping_offset(isize::MAX);`
			`unsafe { ptr1.offset_from(ptr2.wrapping_offset(1)) }`
			`//~^ inside`
			`};`
Add `unsigned_offset_from` on pointers Like we have `add`/`sub` which are the `usize` version of `offset`, this adds the `usize` equivalent of `offset_from`. Like how `.add(d)` replaced a whole bunch of `.offset(d as isize)`, you can see from the changes here that it's fairly common that code actually knows the order between the pointers and wants a `usize`, not an `isize`. As a bonus, this can do `sub nuw`+`udiv exact`, rather than `sub`+`sdiv exact`, which can be optimized slightly better because it doesn't have to worry about negatives. That's why the slice iterators weren't using `offset_from`, though I haven't updated that code in this PR because slices are so perf-critical that I'll do it as its own change. This is an intrinsic, like `offset_from`, so that it can eventually be allowed in CTFE. It also allows checking the extra safety condition -- see the test confirming that CTFE catches it if you pass the pointers in the wrong order. 2022-04-09 03:27:47 -05:00
Make <*const/mut T>::offset_from `const fn` 2019-08-20 10:51:54 -05:00			`fn main() {}`