From 64244e9a18a0b6a328f8dcfe0741a160d219b429 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Thu, 14 Nov 2019 10:23:29 +0100
Subject: [PATCH] do full deref-check before reborrowing
---
 src/stacked_borrows.rs | 8 ++++----
 tests/compile-fail/stacked_borrows/issue-miri-1050-1.rs | 6 ++++++
 tests/compile-fail/stacked_borrows/issue-miri-1050-2.rs | 7 +++++++
 3 files changed, 17 insertions(+), 4 deletions(-)
 create mode 100644 tests/compile-fail/stacked_borrows/issue-miri-1050-1.rs
 create mode 100644 tests/compile-fail/stacked_borrows/issue-miri-1050-2.rs
diff --git a/src/stacked_borrows.rs b/src/stacked_borrows.rs
index 32715157a77..0ab9dabab9b 100644
--- a/src/stacked_borrows.rs
+++ b/src/stacked_borrows.rs
@@ -533,9 +533,7 @@ fn reborrow(
 ) -> InterpResult<'tcx> {
 let this = self.eval_context_mut();
 let protector = if protect { Some(this.frame().extra) } else { None };
- let ptr = this.memory.check_ptr_access(place.ptr, size, place.align)
- .expect("validity checks should have excluded dangling/unaligned pointer")
- .expect("we shouldn't get here for ZST");
+ let ptr = place.ptr.to_ptr().expect("we should have a proper pointer");
 trace!("reborrow: {} reference {:?} derived from {:?} (pointee {}): {:?}, size {}",
 kind, new_tag, ptr.tag, place.layout.ty, ptr.erase_tag(), size.bytes());
 
@@ -583,11 +581,13 @@ fn retag_reference(
 let size = this.size_and_align_of_mplace(place)?
 .map(|(size, _)| size)
 .unwrap_or_else(|| place.layout.size);
+ // We can see dangling ptrs in here e.g. after a Box's `Unique` was
+ // updated using "self.0 = ..." (can happen in Box::from_raw); see miri#1050.
+ let place = this.mplace_access_checked(place)?;
 if size == Size::ZERO {
 // Nothing to do for ZSTs.
 return Ok(*val);
 }
- let place = this.force_mplace_ptr(place)?;
 
 // Compute new borrow.
 let new_tag = match kind {
diff --git a/tests/compile-fail/stacked_borrows/issue-miri-1050-1.rs b/tests/compile-fail/stacked_borrows/issue-miri-1050-1.rs
new file mode 100644
index 00000000000..24df70a8179
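Review bot: The new `let ptr = place.ptr.to_ptr().expect("we should have a proper pointer");` in `reborrow` makes that function depend on a precondition it does not state: the place must already have gone through `mplace_access_checked` (added in the `retag_reference` hunk below) and must not be a ZST, otherwise the `expect` turns a caller mistake into an interpreter panic rather than a reported UB error. That invariant now lives only in the caller, so a comment on the replaced line, `// place was access-checked by the caller (retag_reference) and is not a ZST, so to_ptr() cannot fail.`, would keep the two hunks tied together. Dropping `force_mplace_ptr` in the second hunk assumes `mplace_access_checked` also forces the scalar to a real pointer, which is not visible on this page and is worth confirming. `reborrow`'s signature and the remainder of both functions lie outside the hunks.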
--- /dev/null
+++ b/tests/compile-fail/stacked_borrows/issue-miri-1050-1.rs
@@ -0,0 +1,6 @@
+// error-pattern: pointer must be in-bounds
+
+fn main() { unsafe {
+ let ptr = Box::into_raw(Box::new(0u16));
+ Box::from_raw(ptr as *mut u32);
+} }
diff --git a/tests/compile-fail/stacked_borrows/issue-miri-1050-2.rs b/tests/compile-fail/stacked_borrows/issue-miri-1050-2.rs
new file mode 100644
index 00000000000..74aab153ea9
--- /dev/null
+++ b/tests/compile-fail/stacked_borrows/issue-miri-1050-2.rs
@@ -0,0 +1,7 @@
+// error-pattern: dangling pointer was dereferenced
+use std::ptr::NonNull;
+
+fn main() { unsafe {
+ let ptr = NonNull::::dangling();
+ Box::from_raw(ptr.as_ptr());
+} }