add separate intrinsic for uninit memory, and do a stronger check there

Author: RalfJung

src/libcore/intrinsics.rs

@@ -699,7 +699,12 @@ extern "rust-intrinsic" {
     /// A guard for unsafe functions that cannot ever be executed if `T` does not permit
     /// zero-initialization: This will statically either panic, or do nothing.
     #[cfg(not(bootstrap))]
-    pub fn panic_if_non_zero<T>();
+    pub fn panic_if_zero_invalid<T>();
+
+    /// A guard for unsafe functions that cannot ever be executed if `T` has invalid
+    /// bit patterns: This will statically either panic, or do nothing.
+    #[cfg(not(bootstrap))]
+    pub fn panic_if_any_invalid<T>();
 
     /// Gets a reference to a static `Location` indicating where it was called.
     #[cfg(not(bootstrap))]

src/libcore/mem/mod.rs

@@ -459,7 +459,7 @@ pub const fn needs_drop<T>() -> bool {
 #[allow(deprecated)]
 pub unsafe fn zeroed<T>() -> T {
     #[cfg(not(bootstrap))]
-    intrinsics::panic_if_non_zero::<T>();
+    intrinsics::panic_if_zero_invalid::<T>();
     #[cfg(bootstrap)]
     intrinsics::panic_if_uninhabited::<T>();
     intrinsics::init()
@@ -490,7 +490,7 @@ pub unsafe fn zeroed<T>() -> T {
 #[allow(deprecated)]
 pub unsafe fn uninitialized<T>() -> T {
     #[cfg(not(bootstrap))]
-    intrinsics::panic_if_non_zero::<T>();
+    intrinsics::panic_if_any_invalid::<T>();
     #[cfg(bootstrap)]
     intrinsics::panic_if_uninhabited::<T>();
     intrinsics::uninit()

src/librustc_codegen_ssa/mir/block.rs

@@ -532,10 +532,11 @@ impl<'a, 'tcx, Bx: BuilderMethods<'a, 'tcx>> FunctionCx<'a, 'tcx, Bx> {
         // These are intrinsics that compile to panics so that we can get a message
         // which mentions the offending type, even from a const context.
         #[derive(Debug, PartialEq)]
-        enum PanicIntrinsic { IfUninhabited, IfNonZero };
+        enum PanicIntrinsic { IfUninhabited, IfZeroInvalid, IfAnyInvalid };
         let panic_intrinsic = intrinsic.and_then(|i| match i {
             "panic_if_uninhabited" => Some(PanicIntrinsic::IfUninhabited),
-            "panic_if_non_zero" => Some(PanicIntrinsic::IfNonZero),
+            "panic_if_zero_invalid" => Some(PanicIntrinsic::IfZeroInvalid),
+            "panic_if_any_invalid" => Some(PanicIntrinsic::IfAnyInvalid),
             _ => None
         });
         if let Some(intrinsic) = panic_intrinsic {
@@ -544,14 +545,19 @@ impl<'a, 'tcx, Bx: BuilderMethods<'a, 'tcx>> FunctionCx<'a, 'tcx, Bx> {
             let layout = bx.layout_of(ty);
             let do_panic = match intrinsic {
                 IfUninhabited => layout.abi.is_uninhabited(),
-                IfNonZero => !layout.might_permit_zero_init(&bx).unwrap(), // error type is `!`
+                IfZeroInvalid => // We unwrap as the error type is `!`.
+                    !layout.might_permit_raw_init(&bx, /*zero:*/ true).unwrap(),
+                IfAnyInvalid => // We unwrap as the error type is `!`.
+                    !layout.might_permit_raw_init(&bx, /*zero:*/ false).unwrap(),
             };
             if do_panic {
                 let msg_str = if layout.abi.is_uninhabited() {
-                    // Use this error even for IfNonZero as it is more precise.
+                    // Use this error even for the other intrinsics as it is more precise.
                     format!("attempted to instantiate uninhabited type `{}`", ty)
+                } else if intrinsic == IfZeroInvalid {
+                    format!("attempted to zero-initialize type `{}`, which is invalid", ty)
                 } else {
-                    format!("attempted to zero-initialize non-zero type `{}`", ty)
+                    format!("attempted to leave type `{}` uninitialized, which is invalid", ty)
                 };
                 let msg = bx.const_str(Symbol::intern(&msg_str));
                 let location = self.get_caller_location(&mut bx, span).immediate();

src/librustc_target/abi/mod.rs

@@ -1120,34 +1120,45 @@ impl<'a, Ty> TyLayout<'a, Ty> {
         }
     }
 
-    /// Determines if zero-initializing this type might be okay.
+    /// Determines if this type permits "raw" initialization by just transmuting some
+    /// memory into an instance of `T`.
+    /// `zero` indicates if the memory is zero-initialized, or alternatively
+    /// left entirely uninitialized.
     /// This is conservative: in doubt, it will answer `true`.
-    pub fn might_permit_zero_init<C, E>(
+    pub fn might_permit_raw_init<C, E>(
         &self,
         cx: &C,
+        zero: bool,
     ) -> Result<bool, E>
     where
         Self: Copy,
         Ty: TyLayoutMethods<'a, C>,
         C: LayoutOf<Ty = Ty, TyLayout: MaybeResult<Self, Error = E>>
     {
-        fn scalar_allows_zero(s: &Scalar) -> bool {
-            s.valid_range.contains(&0) ||
-            (*s.valid_range.start() > *s.valid_range.end()) // wrap-around allows 0
-        }
+        let scalar_allows_raw_init = move |s: &Scalar| -> bool {
+            let range = &s.valid_range;
+            if zero {
+                // The range must contain 0.
+                range.contains(&0) ||
+                (*range.start() > *range.end()) // wrap-around allows 0
+            } else {
+                // The range must include all values.
+                *range.start() == range.end().wrapping_add(1)
+            }
+        };
 
         // Abi is the most informative here.
         let res = match &self.abi {
             Abi::Uninhabited => false, // definitely UB
-            Abi::Scalar(s) => scalar_allows_zero(s),
+            Abi::Scalar(s) => scalar_allows_raw_init(s),
             Abi::ScalarPair(s1, s2) =>
-                scalar_allows_zero(s1) && scalar_allows_zero(s2),
+                scalar_allows_raw_init(s1) && scalar_allows_raw_init(s2),
             Abi::Vector { element: s, count } =>
-                *count == 0 || scalar_allows_zero(s),
+                *count == 0 || scalar_allows_raw_init(s),
             Abi::Aggregate { .. } => {
                 // For aggregates, recurse.
                 let inner = match self.variants {
-                    Variants::Multiple { .. } => // FIXME: get variant with "0" discriminant.
+                    Variants::Multiple { .. } => // FIXME: could we be more precise here?
                         return Ok(true),
                     Variants::Single { index } => self.for_variant(&cx, index),
                 };
@@ -1157,12 +1168,13 @@ impl<'a, Ty> TyLayout<'a, Ty> {
                     FieldPlacement::Array { .. } =>
                         // FIXME: The widely use smallvec 0.6 creates uninit arrays
                         // with any element type, so let us not (yet) complain about that.
-                        // count == 0 || inner.field(cx, 0).to_result()?.might_permit_zero_init(cx)?
+                        // count == 0 ||
+                        // inner.field(cx, 0).to_result()?.might_permit_raw_init(cx, zero)?
                         true,
                     FieldPlacement::Arbitrary { ref offsets, .. } => {
                         // Check that all fields accept zero-init.
                         for idx in 0..offsets.len() {
-                            if !inner.field(cx, idx).to_result()?.might_permit_zero_init(cx)? {
+                            if !inner.field(cx, idx).to_result()?.might_permit_raw_init(cx, zero)? {
                                 return Ok(false);
                             }
                         }
@@ -1172,7 +1184,7 @@ impl<'a, Ty> TyLayout<'a, Ty> {
                 }
             }
         };
-        trace!("might_permit_zero_init({:?}) = {}", self.details, res);
+        trace!("might_permit_raw_init({:?}, zero={}) = {}", self.details, zero, res);
         Ok(res)
     }
 }

src/librustc_typeck/check/intrinsic.rs

@@ -153,8 +153,10 @@ pub fn check_intrinsic_type(tcx: TyCtxt<'_>, it: &hir::ForeignItem) {
                         .subst(tcx, tcx.mk_substs([tcx.lifetimes.re_static.into()].iter())),
                 ),
             ),
-            "panic_if_uninhabited" => (1, Vec::new(), tcx.mk_unit()),
-            "panic_if_non_zero" => (1, Vec::new(), tcx.mk_unit()),
+            "panic_if_uninhabited" |
+            "panic_if_zero_invalid" |
+            "panic_if_any_invalid" =>
+                (1, Vec::new(), tcx.mk_unit()),
             "init" => (1, Vec::new(), param(0)),
             "uninit" => (1, Vec::new(), param(0)),
             "forget" => (1, vec![param(0)], tcx.mk_unit()),

src/test/ui/intrinsics/panic-uninitialized-zeroed.rs

@@ -73,29 +73,36 @@ fn main() {
         // Types that do not like zero-initialziation
         test_panic_msg(
             || mem::uninitialized::<fn()>(),
-            "attempted to zero-initialize non-zero type `fn()`"
+            "attempted to leave type `fn()` uninitialized, which is invalid"
         );
         test_panic_msg(
             || mem::zeroed::<fn()>(),
-            "attempted to zero-initialize non-zero type `fn()`"
+            "attempted to zero-initialize type `fn()`, which is invalid"
         );
 
         test_panic_msg(
             || mem::uninitialized::<*const dyn Send>(),
-            "attempted to zero-initialize non-zero type `*const dyn std::marker::Send`"
+            "attempted to leave type `*const dyn std::marker::Send` uninitialized, which is invalid"
         );
         test_panic_msg(
             || mem::zeroed::<*const dyn Send>(),
-            "attempted to zero-initialize non-zero type `*const dyn std::marker::Send`"
+            "attempted to zero-initialize type `*const dyn std::marker::Send`, which is invalid"
         );
 
         test_panic_msg(
             || mem::uninitialized::<(NonNull<u32>, u32, u32)>(),
-            "attempted to zero-initialize non-zero type `(std::ptr::NonNull<u32>, u32, u32)`"
+            "attempted to leave type `(std::ptr::NonNull<u32>, u32, u32)` uninitialized, \
+                which is invalid"
         );
         test_panic_msg(
             || mem::zeroed::<(NonNull<u32>, u32, u32)>(),
-            "attempted to zero-initialize non-zero type `(std::ptr::NonNull<u32>, u32, u32)`"
+            "attempted to zero-initialize type `(std::ptr::NonNull<u32>, u32, u32)`, \
+                which is invalid"
+        );
+
+        test_panic_msg(
+            || mem::uninitialized::<bool>(),
+            "attempted to leave type `bool` uninitialized, which is invalid"
         );
 
         // Some things that should work.