6 pub trait EvalContextExt<'tcx> {
10 ) -> InterpResult<'tcx>;
15 left: ImmTy<'tcx, Tag>,
16 right: ImmTy<'tcx, Tag>,
17 ) -> InterpResult<'tcx, (Scalar<Tag>, bool)>;
19 fn ptr_int_arithmetic(
25 ) -> InterpResult<'tcx, (Scalar<Tag>, bool)>;
31 ) -> InterpResult<'tcx, bool>;
33 fn pointer_offset_inbounds(
38 ) -> InterpResult<'tcx, Scalar<Tag>>;
41 impl<'mir, 'tcx> EvalContextExt<'tcx> for super::MiriEvalContext<'mir, 'tcx> {
42 /// Test if the pointer is in-bounds of a live allocation.
44 fn pointer_inbounds(&self, ptr: Pointer<Tag>) -> InterpResult<'tcx> {
45 let (size, _align) = self.memory().get_size_and_align(ptr.alloc_id, AllocCheck::Live)?;
46 ptr.check_in_alloc(size, CheckInAllocMsg::InboundsTest)
52 left: ImmTy<'tcx, Tag>,
53 right: ImmTy<'tcx, Tag>,
54 ) -> InterpResult<'tcx, (Scalar<Tag>, bool)> {
55 use rustc::mir::BinOp::*;
57 trace!("ptr_op: {:?} {:?} {:?}", *left, bin_op, *right);
59 // If intptrcast is enabled and the operation is not an offset
60 // we can force the cast from pointers to integer addresses and
61 // then dispatch to rustc binary operation method
62 if self.memory().extra.rng.is_some() && bin_op != Offset {
63 let l_bits = self.force_bits(left.imm.to_scalar()?, left.layout.size)?;
64 let r_bits = self.force_bits(right.imm.to_scalar()?, right.layout.size)?;
66 let left = ImmTy::from_scalar(Scalar::from_uint(l_bits, left.layout.size), left.layout);
67 let right = ImmTy::from_scalar(Scalar::from_uint(r_bits, left.layout.size), right.layout);
69 return self.binary_op(bin_op, left, right);
72 // Operations that support fat pointers
75 let eq = match (*left, *right) {
76 (Immediate::Scalar(left), Immediate::Scalar(right)) =>
77 self.ptr_eq(left.not_undef()?, right.not_undef()?)?,
78 (Immediate::ScalarPair(left1, left2), Immediate::ScalarPair(right1, right2)) =>
79 self.ptr_eq(left1.not_undef()?, right1.not_undef()?)? &&
80 self.ptr_eq(left2.not_undef()?, right2.not_undef()?)?,
81 _ => bug!("Type system should not allow comparing Scalar with ScalarPair"),
83 return Ok((Scalar::from_bool(if bin_op == Eq { eq } else { !eq }), false));
88 // Now we expect no more fat pointers.
89 let left_layout = left.layout;
90 let left = left.to_scalar()?;
91 let right_layout = right.layout;
92 let right = right.to_scalar()?;
93 debug_assert!(left.is_ptr() || right.is_ptr() || bin_op == Offset);
97 let pointee_ty = left_layout.ty
99 .expect("Offset called on non-ptr type")
101 let ptr = self.pointer_offset_inbounds(
104 right.to_isize(self)?,
108 // These need both to be pointer, and fail if they are not in the same location
109 Lt | Le | Gt | Ge | Sub if left.is_ptr() && right.is_ptr() => {
110 let left = left.to_ptr().expect("we checked is_ptr");
111 let right = right.to_ptr().expect("we checked is_ptr");
112 if left.alloc_id == right.alloc_id {
113 let res = match bin_op {
114 Lt => left.offset < right.offset,
115 Le => left.offset <= right.offset,
116 Gt => left.offset > right.offset,
117 Ge => left.offset >= right.offset,
119 // subtract the offsets
120 let left_offset = Scalar::from_uint(left.offset.bytes(), self.memory().pointer_size());
121 let right_offset = Scalar::from_uint(right.offset.bytes(), self.memory().pointer_size());
122 let layout = self.layout_of(self.tcx.types.usize)?;
123 return self.binary_op(
125 ImmTy::from_scalar(left_offset, layout),
126 ImmTy::from_scalar(right_offset, layout),
129 _ => bug!("We already established it has to be one of these operators."),
131 Ok((Scalar::from_bool(res), false))
133 // Both are pointers, but from different allocations.
134 err!(InvalidPointerMath)
137 Gt | Ge if left.is_ptr() && right.is_bits() => {
138 // "ptr >[=] integer" can be tested if the integer is small enough.
139 let left = left.to_ptr().expect("we checked is_ptr");
140 let right = right.to_bits(self.memory().pointer_size()).expect("we checked is_bits");
141 let (_alloc_size, alloc_align) = self.memory()
142 .get_size_and_align(left.alloc_id, AllocCheck::MaybeDead)
143 .expect("alloc info with MaybeDead cannot fail");
144 let min_ptr_val = u128::from(alloc_align.bytes()) + u128::from(left.offset.bytes());
145 let result = match bin_op {
146 Gt => min_ptr_val > right,
147 Ge => min_ptr_val >= right,
152 Ok((Scalar::from_bool(true), false))
154 // Sorry, can't tell.
155 err!(InvalidPointerMath)
158 // These work if the left operand is a pointer, and the right an integer
159 Add | BitAnd | Sub | Rem if left.is_ptr() && right.is_bits() => {
160 // Cast to i128 is fine as we checked the kind to be ptr-sized
161 self.ptr_int_arithmetic(
163 left.to_ptr().expect("we checked is_ptr"),
164 right.to_bits(self.memory().pointer_size()).expect("we checked is_bits"),
165 right_layout.abi.is_signed(),
168 // Commutative operators also work if the integer is on the left
169 Add | BitAnd if left.is_bits() && right.is_ptr() => {
170 // This is a commutative operation, just swap the operands
171 self.ptr_int_arithmetic(
173 right.to_ptr().expect("we checked is_ptr"),
174 left.to_bits(self.memory().pointer_size()).expect("we checked is_bits"),
175 left_layout.abi.is_signed(),
178 // Nothing else works
179 _ => err!(InvalidPointerMath),
187 ) -> InterpResult<'tcx, bool> {
188 let size = self.pointer_size();
189 Ok(match (left, right) {
190 (Scalar::Raw { .. }, Scalar::Raw { .. }) =>
191 left.to_bits(size)? == right.to_bits(size)?,
192 (Scalar::Ptr(left), Scalar::Ptr(right)) => {
193 // Comparison illegal if one of them is out-of-bounds, *unless* they
194 // are in the same allocation.
195 if left.alloc_id == right.alloc_id {
196 left.offset == right.offset
198 // Make sure both pointers are in-bounds.
199 // This accepts one-past-the end. Thus, there is still technically
200 // some non-determinism that we do not fully rule out when two
201 // allocations sit right next to each other. The C/C++ standards are
202 // somewhat fuzzy about this case, so pragmatically speaking I think
203 // for now this check is "good enough".
204 // FIXME: Once we support intptrcast, we could try to fix these holes.
205 // Dead allocations in miri cannot overlap with live allocations, but
206 // on read hardware this can easily happen. Thus for comparisons we require
207 // both pointers to be live.
208 if self.pointer_inbounds(left).is_ok() && self.pointer_inbounds(right).is_ok() {
209 // Two in-bounds pointers in different allocations are different.
212 return err!(InvalidPointerMath);
216 // Comparing ptr and integer.
217 (Scalar::Ptr(ptr), Scalar::Raw { data, size }) |
218 (Scalar::Raw { data, size }, Scalar::Ptr(ptr)) => {
219 assert_eq!(size as u64, self.pointer_size().bytes());
220 let bits = data as u64;
222 // Case I: Comparing real pointers with "small" integers.
223 // Really we should only do this for NULL, but pragmatically speaking on non-bare-metal systems,
224 // an allocation will never be at the very bottom of the address space.
225 // Such comparisons can arise when comparing empty slices, which sometimes are "fake"
226 // integer pointers (okay because the slice is empty) and sometimes point into a
228 // The most common source of such integer pointers is `NonNull::dangling()`, which
229 // equals the type's alignment. i128 might have an alignment of 16 bytes, but few types have
230 // alignment 32 or higher, hence the limit of 32.
231 // FIXME: Once we support intptrcast, we could try to fix these holes.
233 // Test if the pointer can be different from NULL or not.
234 // We assume that pointers that are not NULL are also not "small".
235 if !self.memory().ptr_may_be_null(ptr) {
240 let (alloc_size, alloc_align) = self.memory()
241 .get_size_and_align(ptr.alloc_id, AllocCheck::MaybeDead)
242 .expect("alloc info with MaybeDead cannot fail");
244 // Case II: Alignment gives it away
245 if ptr.offset.bytes() % alloc_align.bytes() == 0 {
246 // The offset maintains the allocation alignment, so we know `base+offset`
247 // is aligned by `alloc_align`.
248 // FIXME: We could be even more general, e.g., offset 2 into a 4-aligned
249 // allocation cannot equal 3.
250 if bits % alloc_align.bytes() != 0 {
251 // The integer is *not* aligned. So they cannot be equal.
255 // Case III: The integer is too big, and the allocation goes on a bit
256 // without wrapping around the address space.
258 // Compute the highest address at which this allocation could live.
259 // Substract one more, because it must be possible to add the size
260 // to the base address without overflowing; that is, the very last address
261 // of the address space is never dereferencable (but it can be in-bounds, i.e.,
262 // one-past-the-end).
264 ((1u128 << self.pointer_size().bits())
265 - u128::from(alloc_size.bytes())
268 if let Some(max_addr) = max_base_addr.checked_add(ptr.offset.bytes()) {
270 // The integer is too big, this cannot possibly be equal.
276 // None of the supported cases.
277 return err!(InvalidPointerMath);
282 fn ptr_int_arithmetic(
288 ) -> InterpResult<'tcx, (Scalar<Tag>, bool)> {
289 use rustc::mir::BinOp::*;
291 fn map_to_primval((res, over): (Pointer<Tag>, bool)) -> (Scalar<Tag>, bool) {
292 (Scalar::Ptr(res), over)
297 // The only way this can overflow is by underflowing, so signdeness of the right
298 // operands does not matter.
299 map_to_primval(left.overflowing_signed_offset(-(right as i128), self)),
301 map_to_primval(left.overflowing_signed_offset(right as i128, self)),
303 map_to_primval(left.overflowing_offset(Size::from_bytes(right as u64), self)),
305 BitAnd if !signed => {
306 let ptr_base_align = self.memory().get(left.alloc_id)?.align.bytes();
308 // FIXME: use `interpret::truncate`, once that takes a `Size` instead of a `Layout`.
309 let shift = 128 - self.memory().pointer_size().bits();
310 let value = !(ptr_base_align as u128 - 1);
311 // Truncate (shift left to drop out leftover values, shift right to fill with zeroes).
312 (value << shift) >> shift
314 let ptr_size = self.memory().pointer_size();
315 trace!("ptr BitAnd, align {}, operand {:#010x}, base_mask {:#010x}",
316 ptr_base_align, right, base_mask);
317 if right & base_mask == base_mask {
318 // Case 1: the base address bits are all preserved, i.e., right is all-1 there.
319 let offset = (left.offset.bytes() as u128 & right) as u64;
321 Scalar::Ptr(Pointer::new_with_tag(
323 Size::from_bytes(offset),
328 } else if right & base_mask == 0 {
329 // Case 2: the base address bits are all taken away, i.e., right is all-0 there.
330 let v = Scalar::from_uint((left.offset.bytes() as u128) & right, ptr_size);
333 return err!(ReadPointerAsBytes);
338 // Doing modulo a divisor of the alignment is allowed.
339 // (Intuition: modulo a divisor leaks less information.)
340 let ptr_base_align = self.memory().get(left.alloc_id)?.align.bytes();
341 let right = right as u64;
342 let ptr_size = self.memory().pointer_size();
344 // Modulo 1 is always 0.
345 (Scalar::from_uint(0u32, ptr_size), false)
346 } else if ptr_base_align % right == 0 {
347 // The base address would be cancelled out by the modulo operation, so we can
348 // just take the modulo of the offset.
350 Scalar::from_uint((left.offset.bytes() % right) as u128, ptr_size),
354 return err!(ReadPointerAsBytes);
360 "unimplemented binary op on pointer {:?}: {:?}, {:?} ({})",
364 if signed { "signed" } else { "unsigned" }
366 return err!(Unimplemented(msg));
371 /// Raises an error if the offset moves the pointer outside of its allocation.
372 /// We consider ZSTs their own huge allocation that doesn't overlap with anything (and nothing
373 /// moves in there because the size is 0). We also consider the NULL pointer its own separate
374 /// allocation, and all the remaining integers pointers their own allocation.
375 fn pointer_offset_inbounds(
378 pointee_ty: Ty<'tcx>,
380 ) -> InterpResult<'tcx, Scalar<Tag>> {
381 // FIXME: assuming here that type size is less than `i64::max_value()`.
382 let pointee_size = self.layout_of(pointee_ty)?.size.bytes() as i64;
384 .checked_mul(pointee_size)
385 .ok_or_else(|| InterpError::Overflow(mir::BinOp::Mul))?;
386 // Now let's see what kind of pointer this is.
387 if let Scalar::Ptr(ptr) = ptr {
388 // Both old and new pointer must be in-bounds of a *live* allocation.
389 // (Of the same allocation, but that part is trivial with our representation.)
390 self.pointer_inbounds(ptr)?;
391 let ptr = ptr.signed_offset(offset, self)?;
392 self.pointer_inbounds(ptr)?;
395 // An integer pointer. They can only be offset by 0, and we pretend there
396 // is a little zero-sized allocation here.
400 err!(InvalidPointerMath)