1 //@compile-flags: -Zmiri-permissive-provenance
2 #![deny(unsafe_op_in_unsafe_fn)]
3 //! This does some tricky ptr-int-casting.
5 use core::alloc::{GlobalAlloc, Layout};
6 use std::alloc::System;
9 /// `ptr` must be valid for writes of `len` bytes
10 unsafe fn volatile_write_zeroize_mem(ptr: *mut u8, len: usize) {
12 // ptr as usize + i can't overlow because `ptr` is valid for writes of `len`
13 let ptr_new: *mut u8 = ((ptr as usize) + i) as *mut u8;
14 // SAFETY: `ptr` is valid for writes of `len` bytes, so `ptr_new` is valid for a
17 core::ptr::write_volatile(ptr_new, 0u8);
22 pub struct ZeroizeAlloc;
24 unsafe impl GlobalAlloc for ZeroizeAlloc {
25 unsafe fn alloc(&self, layout: Layout) -> *mut u8 {
26 // SAFETY: uphold by caller
27 unsafe { System.alloc(layout) }
30 unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout) {
31 // securely wipe the deallocated memory
32 // SAFETY: `ptr` is valid for writes of `layout.size()` bytes since it was
33 // previously successfully allocated (by the safety assumption on this function)
34 // and not yet deallocated
36 volatile_write_zeroize_mem(ptr, layout.size());
38 // SAFETY: uphold by caller
39 unsafe { System.dealloc(ptr, layout) }
42 unsafe fn alloc_zeroed(&self, layout: Layout) -> *mut u8 {
43 // SAFETY: uphold by caller
44 unsafe { System.alloc_zeroed(layout) }
49 static GLOBAL: ZeroizeAlloc = ZeroizeAlloc;
52 let layout = Layout::new::<[u8; 16]>();
53 let ptr = unsafe { std::alloc::alloc_zeroed(layout) };
55 std::alloc::dealloc(ptr, layout);