rename ptr::invalid -> ptr::without_provenance

RalfJung · RalfJung · commit fb82ee0d5b08 · 2024-02-21T20:15:52.000+01:00
also introduce ptr::dangling matching NonNull::dangling
diff --git a/tests/fail/dangling_pointers/deref_dangling_box.rs b/tests/fail/dangling_pointers/deref_dangling_box.rs
@@ -8,7 +8,7 @@ use std::ptr::{self, addr_of_mut};
 // (This test relies on the `deref_copy` pass that lowers `**ptr` to materialize the intermediate pointer.)
 
 fn main() {
-    let mut inner = ptr::invalid::<i32>(24);
+    let mut inner = ptr::without_provenance::<i32>(24);
     let outer = addr_of_mut!(inner).cast::<Box<i32>>();
     // Now `outer` is a pointer to a dangling reference.
     // Deref'ing that should be UB.
diff --git a/tests/fail/dangling_pointers/deref_dangling_ref.rs b/tests/fail/dangling_pointers/deref_dangling_ref.rs
@@ -8,7 +8,7 @@ use std::ptr::{self, addr_of_mut};
 // (This test relies on the `deref_copy` pass that lowers `**ptr` to materialize the intermediate pointer.)
 
 fn main() {
-    let mut inner = ptr::invalid::<i32>(24);
+    let mut inner = ptr::without_provenance::<i32>(24);
     let outer = addr_of_mut!(inner).cast::<&'static mut i32>();
     // Now `outer` is a pointer to a dangling reference.
     // Deref'ing that should be UB.
diff --git a/tests/fail/provenance/ptr_invalid.rs b/tests/fail/provenance/ptr_invalid.rs
@@ -1,9 +1,9 @@
 #![feature(strict_provenance, exposed_provenance)]
 
-// Ensure that a `ptr::invalid` ptr is truly invalid.
+// Ensure that a `ptr::without_provenance` ptr is truly invalid.
 fn main() {
     let x = 42;
     let xptr = &x as *const i32;
-    let xptr_invalid = std::ptr::invalid::<i32>(xptr.expose_addr());
+    let xptr_invalid = std::ptr::without_provenance::<i32>(xptr.expose_addr());
     let _val = unsafe { *xptr_invalid }; //~ ERROR: is a dangling pointer
 }
diff --git a/tests/fail/provenance/ptr_invalid_offset.rs b/tests/fail/provenance/ptr_invalid_offset.rs
@@ -4,7 +4,7 @@
 fn main() {
     let x = 22;
     let ptr = &x as *const _ as *const u8;
-    let roundtrip = std::ptr::invalid::<u8>(ptr as usize);
+    let roundtrip = std::ptr::without_provenance::<u8>(ptr as usize);
     // Not even offsetting this is allowed.
     let _ = unsafe { roundtrip.offset(1) }; //~ERROR: is a dangling pointer
 }
diff --git a/tests/pass-dep/shims/mmap.rs b/tests/pass-dep/shims/mmap.rs
@@ -71,7 +71,7 @@ fn test_mmap<Offset: Default>(
 
     let ptr = unsafe {
         mmap(
-            ptr::invalid_mut(page_size * 64),
+            ptr::without_provenance_mut(page_size * 64),
             page_size,
             libc::PROT_READ | libc::PROT_WRITE,
             // We don't support MAP_FIXED
@@ -114,13 +114,13 @@ fn test_mmap<Offset: Default>(
     assert_eq!(ptr, libc::MAP_FAILED);
 
     // We report an error when trying to munmap an address which is not a multiple of the page size
-    let res = unsafe { libc::munmap(ptr::invalid_mut(1), page_size) };
+    let res = unsafe { libc::munmap(ptr::without_provenance_mut(1), page_size) };
     assert_eq!(res, -1);
     assert_eq!(Error::last_os_error().raw_os_error().unwrap(), libc::EINVAL);
 
     // We report an error when trying to munmap a length that cannot be rounded up to a multiple of
     // the page size.
-    let res = unsafe { libc::munmap(ptr::invalid_mut(page_size), usize::MAX - 1) };
+    let res = unsafe { libc::munmap(ptr::without_provenance_mut(page_size), usize::MAX - 1) };
     assert_eq!(res, -1);
     assert_eq!(Error::last_os_error().raw_os_error().unwrap(), libc::EINVAL);
 }
@@ -156,7 +156,7 @@ fn test_mremap() {
     // Test all of our error conditions
     // Not aligned
     let ptr =
-        unsafe { libc::mremap(ptr::invalid_mut(1), page_size, page_size, libc::MREMAP_MAYMOVE) };
+        unsafe { libc::mremap(ptr::without_provenance_mut(1), page_size, page_size, libc::MREMAP_MAYMOVE) };
     assert_eq!(ptr, libc::MAP_FAILED);
     assert_eq!(Error::last_os_error().raw_os_error().unwrap(), libc::EINVAL);
 
diff --git a/tests/pass-dep/shims/posix_memalign.rs b/tests/pass-dep/shims/posix_memalign.rs
@@ -58,7 +58,7 @@ fn main() {
 
     // Non-power of 2 align
     unsafe {
-        let mut ptr: *mut libc::c_void = ptr::invalid_mut(0x1234567);
+        let mut ptr: *mut libc::c_void = ptr::without_provenance_mut(0x1234567);
         let align = 15;
         let size = 8;
         assert_eq!(libc::posix_memalign(&mut ptr, align, size), libc::EINVAL);
@@ -70,7 +70,7 @@ fn main() {
 
     // Too small align (smaller than ptr)
     unsafe {
-        let mut ptr: *mut libc::c_void = ptr::invalid_mut(0x1234567);
+        let mut ptr: *mut libc::c_void = ptr::without_provenance_mut(0x1234567);
         let align = std::mem::size_of::<usize>() / 2;
         let size = 8;
         assert_eq!(libc::posix_memalign(&mut ptr, align, size), libc::EINVAL);
diff --git a/tests/pass/align_offset_symbolic.rs b/tests/pass/align_offset_symbolic.rs
@@ -100,7 +100,7 @@ fn huge_align() {
     #[cfg(target_pointer_width = "16")]
     const SIZE: usize = 1 << 13;
     struct HugeSize(#[allow(dead_code)] [u8; SIZE - 1]);
-    let _ = std::ptr::invalid::<HugeSize>(SIZE).align_offset(SIZE);
+    let _ = std::ptr::without_provenance::<HugeSize>(SIZE).align_offset(SIZE);
 }
 
 // This shows that we cannot store the promised alignment info in `AllocExtra`,
diff --git a/tests/pass/atomic.rs b/tests/pass/atomic.rs
@@ -137,15 +137,15 @@ fn atomic_ptr() {
 
     let ptr = AtomicPtr::<i32>::new(ptr::null_mut());
     assert!(ptr.load(Relaxed).addr() == 0);
-    ptr.store(ptr::invalid_mut(13), SeqCst);
+    ptr.store(ptr::without_provenance_mut(13), SeqCst);
     assert!(ptr.swap(x, Relaxed).addr() == 13);
     unsafe { assert!(*ptr.load(Acquire) == 0) };
 
     // comparison ignores provenance
     assert_eq!(
         ptr.compare_exchange(
             (&mut 0 as *mut i32).with_addr(x.addr()),
-            ptr::invalid_mut(0),
+            ptr::without_provenance_mut(0),
             SeqCst,
             SeqCst
         )
@@ -156,7 +156,7 @@ fn atomic_ptr() {
     assert_eq!(
         ptr.compare_exchange(
             (&mut 0 as *mut i32).with_addr(x.addr()),
-            ptr::invalid_mut(0),
+            ptr::without_provenance_mut(0),
             SeqCst,
             SeqCst
         )
diff --git a/tests/pass/ptr_raw.rs b/tests/pass/ptr_raw.rs
@@ -35,12 +35,12 @@ fn assign_overlapping() {
 fn deref_invalid() {
     unsafe {
         // `addr_of!(*ptr)` is never UB.
-        let _val = addr_of!(*ptr::invalid::<i32>(0));
-        let _val = addr_of!(*ptr::invalid::<i32>(1)); // not aligned
+        let _val = addr_of!(*ptr::without_provenance::<i32>(0));
+        let _val = addr_of!(*ptr::without_provenance::<i32>(1)); // not aligned
 
         // Similarly, just mentioning the place is fine.
-        let _ = *ptr::invalid::<i32>(0);
-        let _ = *ptr::invalid::<i32>(1);
+        let _ = *ptr::without_provenance::<i32>(0);
+        let _ = *ptr::without_provenance::<i32>(1);
     }
 }
 
diff --git a/tests/pass/slices.rs b/tests/pass/slices.rs
@@ -29,7 +29,7 @@ fn slice_of_zst() {
 
     // In a slice of zero-size elements the pointer is meaningless.
     // Ensure iteration still works even if the pointer is at the end of the address space.
-    let slice: &[()] = unsafe { slice::from_raw_parts(ptr::invalid(-5isize as usize), 10) };
+    let slice: &[()] = unsafe { slice::from_raw_parts(ptr::without_provenance(-5isize as usize), 10) };
     assert_eq!(slice.len(), 10);
     assert_eq!(slice.iter().count(), 10);
 
@@ -43,7 +43,7 @@ fn slice_of_zst() {
 
     // Test mutable iterators as well
     let slice: &mut [()] =
-        unsafe { slice::from_raw_parts_mut(ptr::invalid_mut(-5isize as usize), 10) };
+        unsafe { slice::from_raw_parts_mut(ptr::without_provenance_mut(-5isize as usize), 10) };
     assert_eq!(slice.len(), 10);
     assert_eq!(slice.iter_mut().count(), 10);
 
@@ -263,7 +263,7 @@ fn test_for_invalidated_pointers() {
 fn large_raw_slice() {
     let size = isize::MAX as usize;
     // Creating a raw slice of size isize::MAX and asking for its size is okay.
-    let s = std::ptr::slice_from_raw_parts(ptr::invalid::<u8>(1), size);
+    let s = std::ptr::slice_from_raw_parts(ptr::without_provenance::<u8>(1), size);
     assert_eq!(size, unsafe { std::mem::size_of_val_raw(s) });
 }
 
diff --git a/tests/pass/underscore_pattern.rs b/tests/pass/underscore_pattern.rs
@@ -38,7 +38,7 @@ fn invalid_match() {
 
 fn dangling_let() {
     unsafe {
-        let ptr = ptr::invalid::<bool>(0x40);
+        let ptr = ptr::without_provenance::<bool>(0x40);
         let _ = *ptr;
     }
 }
@@ -54,7 +54,7 @@ fn invalid_let() {
 // Adding a type annotation used to change how MIR is generated, make sure we cover both cases.
 fn dangling_let_type_annotation() {
     unsafe {
-        let ptr = ptr::invalid::<bool>(0x40);
+        let ptr = ptr::without_provenance::<bool>(0x40);
         let _: bool = *ptr;
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@`
`4`	`4`	`fn main() {`
`5`	`5`	`let x = 22;`
`6`	`6`	`let ptr = &x as const _ as const u8;`
`7`		`- let roundtrip = std::ptr::invalid::<u8>(ptr as usize);`
	`7`	`+ let roundtrip = std::ptr::without_provenance::<u8>(ptr as usize);`
`8`	`8`	`// Not even offsetting this is allowed.`
`9`	`9`	`let _ = unsafe { roundtrip.offset(1) }; //~ERROR: is a dangling pointer`
`10`	`10`	`}`
Original file line number	Diff line number	Diff line change
`@@ -100,7 +100,7 @@ fn huge_align() {`
`100`	`100`	`#[cfg(target_pointer_width = "16")]`
`101`	`101`	`const SIZE: usize = 1 << 13;`
`102`	`102`	`struct HugeSize(#[allow(dead_code)] [u8; SIZE - 1]);`
`103`		`- let _ = std::ptr::invalid::<HugeSize>(SIZE).align_offset(SIZE);`
	`103`	`+ let _ = std::ptr::without_provenance::<HugeSize>(SIZE).align_offset(SIZE);`
`104`	`104`	`}`
`105`	`105`
`106`	`106`	// This shows that we cannot store the promised alignment info in `AllocExtra`,
Original file line number	Diff line number	Diff line change
`@@ -38,7 +38,7 @@ fn invalid_match() {`
`38`	`38`
`39`	`39`	`fn dangling_let() {`
`40`	`40`	`unsafe {`
`41`		`- let ptr = ptr::invalid::<bool>(0x40);`
	`41`	`+ let ptr = ptr::without_provenance::<bool>(0x40);`
`42`	`42`	`let _ = *ptr;`
`43`	`43`	`}`
`44`	`44`	`}`
`@@ -54,7 +54,7 @@ fn invalid_let() {`
`54`	`54`	`// Adding a type annotation used to change how MIR is generated, make sure we cover both cases.`
`55`	`55`	`fn dangling_let_type_annotation() {`
`56`	`56`	`unsafe {`
`57`		`- let ptr = ptr::invalid::<bool>(0x40);`
	`57`	`+ let ptr = ptr::without_provenance::<bool>(0x40);`
`58`	`58`	`let _: bool = *ptr;`
`59`	`59`	`}`
`60`	`60`	`}`