From 3842ea671bfb98b2a7a42edbd31c5bac89078024 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 11 Sep 2024 16:39:07 +0200 Subject: [PATCH] miri: fix overflow detection for unsigned pointer offset --- .../rustc_const_eval/src/interpret/operator.rs | 9 ++++++++- .../intrinsics/ptr_offset_unsigned_overflow.rs | 7 +++++++ .../ptr_offset_unsigned_overflow.stderr | 15 +++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.rs create mode 100644 src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.stderr diff --git a/compiler/rustc_const_eval/src/interpret/operator.rs b/compiler/rustc_const_eval/src/interpret/operator.rs index e9ba12dbcc4ea..b390bb8778915 100644 --- a/compiler/rustc_const_eval/src/interpret/operator.rs +++ b/compiler/rustc_const_eval/src/interpret/operator.rs @@ -303,8 +303,10 @@ impl<'tcx, M: Machine<'tcx>> InterpCx<'tcx, M> { let pointee_layout = self.layout_of(pointee_ty)?; assert!(pointee_layout.abi.is_sized()); - // We cannot overflow i64 as a type's size must be <= isize::MAX. + // The size always fits in `i64` as it can be at most `isize::MAX`. let pointee_size = i64::try_from(pointee_layout.size.bytes()).unwrap(); + // This uses the same type as `right`, which can be `isize` or `usize`. + // `pointee_size` is guaranteed to fit into both types. let pointee_size = ImmTy::from_int(pointee_size, right.layout); // Multiply element size and element count. let (val, overflowed) = self @@ -316,6 +318,11 @@ impl<'tcx, M: Machine<'tcx>> InterpCx<'tcx, M> { } let offset_bytes = val.to_target_isize(self)?; + if !right.layout.abi.is_signed() && offset_bytes < 0 { + // We were supposed to do an unsigned offset but the result is negative -- this + // can only mean that the cast wrapped around. + throw_ub!(PointerArithOverflow) + } let offset_ptr = self.ptr_offset_inbounds(ptr, offset_bytes)?; Ok(ImmTy::from_scalar(Scalar::from_maybe_pointer(offset_ptr, self), left.layout)) } diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.rs b/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.rs new file mode 100644 index 0000000000000..a2739842bc135 --- /dev/null +++ b/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.rs @@ -0,0 +1,7 @@ +fn main() { + let x = &[0i32; 2]; + let x = x.as_ptr().wrapping_add(1); + // If the `!0` is interpreted as `isize`, it is just `-1` and hence harmless. + // However, this is unsigned arithmetic, so really this is `usize::MAX` and hence UB. + unsafe { x.byte_add(!0).read() }; //~ERROR: does not fit in an `isize` +} diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.stderr b/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.stderr new file mode 100644 index 0000000000000..43cd80a6d3e27 --- /dev/null +++ b/src/tools/miri/tests/fail/intrinsics/ptr_offset_unsigned_overflow.stderr @@ -0,0 +1,15 @@ +error: Undefined Behavior: overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize` + --> $DIR/ptr_offset_unsigned_overflow.rs:LL:CC + | +LL | unsafe { x.byte_add(!0).read() }; + | ^^^^^^^^^^^^^^ overflowing pointer arithmetic: the total offset in bytes does not fit in an `isize` + | + = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior + = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information + = note: BACKTRACE: + = note: inside `main` at $DIR/ptr_offset_unsigned_overflow.rs:LL:CC + +note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace + +error: aborting due to 1 previous error +