Add Miri tests for `PtrMetadata` UB

6 files changed, 142 insertions, 0 deletions

diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.rs b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.rs
new file mode 100644
index 00000000000..ff23f1e729e
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.rs
@@ -0,0 +1,22 @@
+//@compile-flags: -Zmiri-disable-validation
+#![feature(core_intrinsics, custom_mir)]
+use std::intrinsics::mir::*;
+
+// This disables validation and uses custom MIR hit exactly the UB in the intrinsic,
+// rather than getting UB from the typed load or parameter passing.
+
+#[custom_mir(dialect = "runtime")]
+pub unsafe fn deref_meta(p: *const *const [i32]) -> usize {
+    mir!({
+        RET = PtrMetadata(*p); //~ ERROR: Undefined Behavior: using uninitialized data
+        Return()
+    })
+}
+
+fn main() {
+    let mut p = std::mem::MaybeUninit::<*const [i32]>::uninit();
+    unsafe {
+        (*p.as_mut_ptr().cast::<[usize; 2]>())[1] = 4;
+        let _meta = deref_meta(p.as_ptr().cast());
+    }
+}
diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.stderr b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.stderr
new file mode 100644
index 00000000000..61e1541d1ee
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_data.stderr
@@ -0,0 +1,20 @@
+error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory
+  --> $DIR/ptr_metadata_uninit_slice_data.rs:LL:CC
+   |
+LL |         RET = PtrMetadata(*p);
+   |         ^^^^^^^^^^^^^^^^^^^^^ using uninitialized data, but this operation requires initialized memory
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `deref_meta` at $DIR/ptr_metadata_uninit_slice_data.rs:LL:CC
+note: inside `main`
+  --> $DIR/ptr_metadata_uninit_slice_data.rs:LL:CC
+   |
+LL |         let _meta = deref_meta(p.as_ptr().cast());
+   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+
diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.rs b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.rs
new file mode 100644
index 00000000000..65f74c0acdd
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.rs
@@ -0,0 +1,22 @@
+//@compile-flags: -Zmiri-disable-validation
+#![feature(core_intrinsics, custom_mir)]
+use std::intrinsics::mir::*;
+
+// This disables validation and uses custom MIR hit exactly the UB in the intrinsic,
+// rather than getting UB from the typed load or parameter passing.
+
+#[custom_mir(dialect = "runtime")]
+pub unsafe fn deref_meta(p: *const *const [i32]) -> usize {
+    mir!({
+        RET = PtrMetadata(*p); //~ ERROR: Undefined Behavior: using uninitialized data
+        Return()
+    })
+}
+
+fn main() {
+    let mut p = std::mem::MaybeUninit::<*const [i32]>::uninit();
+    unsafe {
+        (*p.as_mut_ptr().cast::<[*const i32; 2]>())[0] = 4 as *const i32;
+        let _meta = deref_meta(p.as_ptr().cast());
+    }
+}
diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.stderr b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.stderr
new file mode 100644
index 00000000000..de559263a32
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_slice_len.stderr
@@ -0,0 +1,35 @@
+warning: integer-to-pointer cast
+  --> $DIR/ptr_metadata_uninit_slice_len.rs:LL:CC
+   |
+LL |         (*p.as_mut_ptr().cast::<[*const i32; 2]>())[0] = 4 as *const i32;
+   |         ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^ integer-to-pointer cast
+   |
+   = help: This program is using integer-to-pointer casts or (equivalently) `ptr::with_exposed_provenance`,
+   = help: which means that Miri might miss pointer bugs in this program.
+   = help: See https://doc.rust-lang.org/nightly/std/ptr/fn.with_exposed_provenance.html for more details on that operation.
+   = help: To ensure that Miri does not miss bugs in your program, use Strict Provenance APIs (https://doc.rust-lang.org/nightly/std/ptr/index.html#strict-provenance, https://crates.io/crates/sptr) instead.
+   = help: You can then pass the `-Zmiri-strict-provenance` flag to Miri, to ensure you are not relying on `with_exposed_provenance` semantics.
+   = help: Alternatively, the `-Zmiri-permissive-provenance` flag disables this warning.
+   = note: BACKTRACE:
+   = note: inside `main` at $DIR/ptr_metadata_uninit_slice_len.rs:LL:CC
+
+error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory
+  --> $DIR/ptr_metadata_uninit_slice_len.rs:LL:CC
+   |
+LL |         RET = PtrMetadata(*p);
+   |         ^^^^^^^^^^^^^^^^^^^^^ using uninitialized data, but this operation requires initialized memory
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `deref_meta` at $DIR/ptr_metadata_uninit_slice_len.rs:LL:CC
+note: inside `main`
+  --> $DIR/ptr_metadata_uninit_slice_len.rs:LL:CC
+   |
+LL |         let _meta = deref_meta(p.as_ptr().cast());
+   |                     ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error; 1 warning emitted
+
diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.rs b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.rs
new file mode 100644
index 00000000000..ad2e9fc800e
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.rs
@@ -0,0 +1,23 @@
+//@compile-flags: -Zmiri-disable-validation
+#![feature(core_intrinsics, custom_mir)]
+use std::intrinsics::mir::*;
+
+// This disables validation and uses custom MIR hit exactly the UB in the intrinsic,
+// rather than getting UB from the typed load or parameter passing.
+
+#[custom_mir(dialect = "runtime")]
+pub unsafe fn deref_meta(p: *const *const i32) -> () {
+    mir!({
+        RET = PtrMetadata(*p); //~ ERROR: Undefined Behavior: using uninitialized data
+        Return()
+    })
+}
+
+fn main() {
+    // Even though the meta is the trivially-valid `()`, this is still UB
+
+    let p = std::mem::MaybeUninit::<*const i32>::uninit();
+    unsafe {
+        let _meta = deref_meta(p.as_ptr());
+    }
+}
diff --git a/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.stderr b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.stderr
new file mode 100644
index 00000000000..3ab2643afa7
--- /dev/null
+++ b/src/tools/miri/tests/fail/intrinsics/ptr_metadata_uninit_thin.stderr
@@ -0,0 +1,20 @@
+error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory
+  --> $DIR/ptr_metadata_uninit_thin.rs:LL:CC
+   |
+LL |         RET = PtrMetadata(*p);
+   |         ^^^^^^^^^^^^^^^^^^^^^ using uninitialized data, but this operation requires initialized memory
+   |
+   = help: this indicates a bug in the program: it performed an invalid operation, and caused Undefined Behavior
+   = help: see https://doc.rust-lang.org/nightly/reference/behavior-considered-undefined.html for further information
+   = note: BACKTRACE:
+   = note: inside `deref_meta` at $DIR/ptr_metadata_uninit_thin.rs:LL:CC
+note: inside `main`
+  --> $DIR/ptr_metadata_uninit_thin.rs:LL:CC
+   |
+LL |         let _meta = deref_meta(p.as_ptr());
+   |                     ^^^^^^^^^^^^^^^^^^^^^^
+
+note: some details are omitted, run with `MIRIFLAGS=-Zmiri-backtrace=full` for a verbose backtrace
+
+error: aborting due to 1 previous error
+