Try to make miri happy by using *mut u8 instead of usize for addresses

phil-opp · phil-opp · commit 1f848baf85bb · 2022-06-23T09:24:05.000+02:00
diff --git a/src/hole.rs b/src/hole.rs
@@ -1,8 +1,11 @@
 use core::alloc::Layout;
+use core::convert::{TryFrom, TryInto};
 use core::mem;
 use core::mem::{align_of, size_of};
 use core::ptr::NonNull;
 
+use crate::align_up_size;
+
 use super::align_up;
 
 /// A sorted list of holes. It uses the the holes itself to store its nodes.
@@ -42,13 +45,14 @@ impl HoleList {
     /// is invalid or if memory from the `[hole_addr, hole_addr+size)` range is used somewhere else.
     ///
     /// The pointer to `hole_addr` is automatically aligned.
-    pub unsafe fn new(hole_addr: usize, hole_size: usize) -> HoleList {
+    pub unsafe fn new(hole_addr: *mut u8, hole_size: usize) -> HoleList {
         assert_eq!(size_of::<Hole>(), Self::min_size());
 
         let aligned_hole_addr = align_up(hole_addr, align_of::<Hole>());
         let ptr = aligned_hole_addr as *mut Hole;
         ptr.write(Hole {
-            size: hole_size.saturating_sub(aligned_hole_addr - hole_addr),
+            size: hole_size
+                .saturating_sub(aligned_hole_addr.offset_from(hole_addr).try_into().unwrap()),
             next: None,
         });
 
@@ -73,7 +77,7 @@ impl HoleList {
         if size < Self::min_size() {
             size = Self::min_size();
         }
-        let size = align_up(size, mem::align_of::<Hole>());
+        let size = align_up_size(size, mem::align_of::<Hole>());
         let layout = Layout::from_size_align(size, layout.align()).unwrap();
 
         layout
@@ -114,11 +118,7 @@ impl HoleList {
     /// [`allocate_first_fit`]: HoleList::allocate_first_fit
     pub unsafe fn deallocate(&mut self, ptr: NonNull<u8>, layout: Layout) -> Layout {
         let aligned_layout = Self::align_layout(layout);
-        deallocate(
-            &mut self.first,
-            ptr.as_ptr() as usize,
-            aligned_layout.size(),
-        );
+        deallocate(&mut self.first, ptr.as_ptr(), aligned_layout.size());
         aligned_layout
     }
 
@@ -129,11 +129,11 @@ impl HoleList {
 
     /// Returns information about the first hole for test purposes.
     #[cfg(test)]
-    pub fn first_hole(&self) -> Option<(usize, usize)> {
+    pub fn first_hole(&self) -> Option<(*const u8, usize)> {
         self.first
             .next
             .as_ref()
-            .map(|hole| ((*hole) as *const Hole as usize, hole.size))
+            .map(|hole| ((*hole) as *const Hole as *const u8, hole.size))
     }
 }
 
@@ -152,9 +152,9 @@ pub struct Hole {
 
 impl Hole {
     /// Returns basic information about the hole.
-    fn info(&self) -> HoleInfo {
+    fn info(&mut self) -> HoleInfo {
         HoleInfo {
-            addr: self as *const _ as usize,
+            addr: self as *mut _ as *mut u8,
             size: self.size,
         }
     }
@@ -163,7 +163,7 @@ impl Hole {
 /// Basic information about a hole.
 #[derive(Debug, Clone, Copy)]
 struct HoleInfo {
-    addr: usize,
+    addr: *mut u8,
     size: usize,
 }
 
@@ -189,24 +189,29 @@ fn split_hole(hole: HoleInfo, required_layout: Layout) -> Option<Allocation> {
         (hole.addr, None)
     } else {
         // the required alignment causes some padding before the allocation
-        let aligned_addr = align_up(hole.addr + HoleList::min_size(), required_align);
+        let aligned_addr = align_up(hole.addr.wrapping_add(HoleList::min_size()), required_align);
         (
             aligned_addr,
             Some(HoleInfo {
                 addr: hole.addr,
-                size: aligned_addr - hole.addr,
+                size: unsafe { aligned_addr.offset_from(hole.addr) }
+                    .try_into()
+                    .unwrap(),
             }),
         )
     };
 
     let aligned_hole = {
-        if aligned_addr + required_size > hole.addr + hole.size {
+        if aligned_addr.wrapping_offset(required_size.try_into().unwrap())
+            > hole.addr.wrapping_offset(hole.size.try_into().unwrap())
+        {
             // hole is too small
             return None;
         }
         HoleInfo {
             addr: aligned_addr,
-            size: hole.size - (aligned_addr - hole.addr),
+            size: hole.size
+                - usize::try_from(unsafe { aligned_addr.offset_from(hole.addr) }).unwrap(),
         }
     };
 
@@ -219,7 +224,9 @@ fn split_hole(hole: HoleInfo, required_layout: Layout) -> Option<Allocation> {
     } else {
         // the hole is bigger than necessary, so there is some padding behind the allocation
         Some(HoleInfo {
-            addr: aligned_hole.addr + required_size,
+            addr: aligned_hole
+                .addr
+                .wrapping_offset(required_size.try_into().unwrap()),
             size: aligned_hole.size - required_size,
         })
     };
@@ -291,40 +298,43 @@ fn allocate_first_fit(mut previous: &mut Hole, layout: Layout) -> Result<HoleInf
 
 /// Frees the allocation given by `(addr, size)`. It starts at the given hole and walks the list to
 /// find the correct place (the list is sorted by address).
-fn deallocate(mut hole: &mut Hole, addr: usize, mut size: usize) {
+fn deallocate(mut hole: &mut Hole, addr: *mut u8, mut size: usize) {
     loop {
         assert!(size >= HoleList::min_size());
 
         let hole_addr = if hole.size == 0 {
             // It's the dummy hole, which is the head of the HoleList. It's somewhere on the stack,
             // so it's address is not the address of the hole. We set the addr to 0 as it's always
             // the first hole.
-            0
+            core::ptr::null_mut()
         } else {
             // tt's a real hole in memory and its address is the address of the hole
-            hole as *mut _ as usize
+            hole as *mut _ as *mut u8
         };
 
         // Each freed block must be handled by the previous hole in memory. Thus the freed
         // address must be always behind the current hole.
         assert!(
-            hole_addr + hole.size <= addr,
+            hole_addr.wrapping_offset(hole.size.try_into().unwrap()) <= addr,
             "invalid deallocation (probably a double free)"
         );
 
         // get information about the next block
-        let next_hole_info = hole.next.as_ref().map(|next| next.info());
+        let next_hole_info = hole.next.as_mut().map(|next| next.info());
 
         match next_hole_info {
-            Some(next) if hole_addr + hole.size == addr && addr + size == next.addr => {
+            Some(next)
+                if hole_addr.wrapping_offset(hole.size.try_into().unwrap()) == addr
+                    && addr.wrapping_offset(size.try_into().unwrap()) == next.addr =>
+            {
                 // block fills the gap between this hole and the next hole
                 // before:  ___XXX____YYYYY____    where X is this hole and Y the next hole
                 // after:   ___XXXFFFFYYYYY____    where F is the freed block
 
                 hole.size += size + next.size; // merge the F and Y blocks to this X block
                 hole.next = hole.next.as_mut().unwrap().next.take(); // remove the Y block
             }
-            _ if hole_addr + hole.size == addr => {
+            _ if hole_addr.wrapping_add(hole.size.try_into().unwrap()) == addr => {
                 // block is right behind this hole but there is used memory after it
                 // before:  ___XXX______YYYYY____    where X is this hole and Y the next hole
                 // after:   ___XXXFFFF__YYYYY____    where F is the freed block
@@ -335,7 +345,7 @@ fn deallocate(mut hole: &mut Hole, addr: usize, mut size: usize) {
 
                 hole.size += size; // merge the F block to this X block
             }
-            Some(next) if addr + size == next.addr => {
+            Some(next) if addr.wrapping_offset(size.try_into().unwrap()) == next.addr => {
                 // block is right before the next hole but there is used memory before it
                 // before:  ___XXX______YYYYY____    where X is this hole and Y the next hole
                 // after:   ___XXX__FFFFYYYYY____    where F is the freed block
@@ -366,7 +376,7 @@ fn deallocate(mut hole: &mut Hole, addr: usize, mut size: usize) {
                     next: hole.next.take(), // the reference to the Y block (if it exists)
                 };
                 // write the new hole to the freed memory
-                debug_assert_eq!(addr % align_of::<Hole>(), 0);
+                debug_assert_eq!(addr as usize % align_of::<Hole>(), 0);
                 let ptr = addr as *mut Hole;
                 unsafe { ptr.write(new_hole) };
                 // add the F block as the next block of the X block
diff --git a/src/lib.rs b/src/lib.rs
@@ -17,6 +17,7 @@ use core::alloc::GlobalAlloc;
 use core::alloc::Layout;
 #[cfg(feature = "alloc_ref")]
 use core::alloc::{AllocError, Allocator};
+use core::convert::{TryFrom, TryInto};
 use core::mem::MaybeUninit;
 #[cfg(feature = "use_spin")]
 use core::ops::Deref;
@@ -33,7 +34,7 @@ mod test;
 
 /// A fixed size heap backed by a linked list of free memory blocks.
 pub struct Heap {
-    bottom: usize,
+    bottom: *mut u8,
     size: usize,
     used: usize,
     holes: HoleList,
@@ -54,7 +55,7 @@ impl Heap {
     #[cfg(feature = "const_mut_refs")]
     pub const fn empty() -> Heap {
         Heap {
-            bottom: 0,
+            bottom: core::ptr::null_mut(),
             size: 0,
             used: 0,
             holes: HoleList::empty(),
@@ -67,7 +68,7 @@ impl Heap {
     ///
     /// This function must be called at most once and must only be used on an
     /// empty heap.
-    pub unsafe fn init(&mut self, heap_bottom: usize, heap_size: usize) {
+    pub unsafe fn init(&mut self, heap_bottom: *mut u8, heap_size: usize) {
         self.bottom = heap_bottom;
         self.size = heap_size;
         self.used = 0;
@@ -89,9 +90,12 @@ impl Heap {
     ///
     /// This method panics if the heap is already initialized.
     pub fn init_from_slice(&mut self, mem: &'static mut [MaybeUninit<u8>]) {
-        assert!(self.bottom == 0, "The heap has already been initialized.");
+        assert!(
+            self.bottom.is_null(),
+            "The heap has already been initialized."
+        );
         let size = mem.len();
-        let address = mem.as_ptr() as usize;
+        let address = mem.as_mut_ptr().cast();
         // SAFETY: All initialization requires the bottom address to be valid, which implies it
         // must not be 0. Initially the address is 0. The assertion above ensures that no
         // initialization had been called before.
@@ -104,7 +108,7 @@ impl Heap {
     /// and the memory in the `[heap_bottom, heap_bottom + heap_size)` range must not be used for
     /// anything else. This function is unsafe because it can cause undefined behavior if the
     /// given address is invalid.
-    pub unsafe fn new(heap_bottom: usize, heap_size: usize) -> Heap {
+    pub unsafe fn new(heap_bottom: *mut u8, heap_size: usize) -> Heap {
         if heap_size < HoleList::min_size() {
             Self::empty()
         } else {
@@ -123,7 +127,7 @@ impl Heap {
     /// single operation that can not panic.
     pub fn from_slice(mem: &'static mut [MaybeUninit<u8>]) -> Heap {
         let size = mem.len();
-        let address = mem.as_ptr() as usize;
+        let address = mem.as_mut_ptr().cast();
         // SAFETY: The given address and size is valid according to the safety invariants of the
         // mutable reference handed to us by the caller.
         unsafe { Self::new(address, size) }
@@ -156,7 +160,7 @@ impl Heap {
     }
 
     /// Returns the bottom address of the heap.
-    pub fn bottom(&self) -> usize {
+    pub fn bottom(&self) -> *mut u8 {
         self.bottom
     }
 
@@ -166,8 +170,9 @@ impl Heap {
     }
 
     /// Return the top address of the heap
-    pub fn top(&self) -> usize {
-        self.bottom + self.size
+    pub fn top(&self) -> *mut u8 {
+        self.bottom
+            .wrapping_offset(isize::try_from(self.size).unwrap())
     }
 
     /// Returns the size of the used part of the heap
@@ -234,7 +239,7 @@ impl LockedHeap {
     /// and the memory in the `[heap_bottom, heap_bottom + heap_size)` range must not be used for
     /// anything else. This function is unsafe because it can cause undefined behavior if the
     /// given address is invalid.
-    pub unsafe fn new(heap_bottom: usize, heap_size: usize) -> LockedHeap {
+    pub unsafe fn new(heap_bottom: *mut u8, heap_size: usize) -> LockedHeap {
         LockedHeap(Spinlock::new(Heap {
             bottom: heap_bottom,
             size: heap_size,
@@ -272,18 +277,23 @@ unsafe impl GlobalAlloc for LockedHeap {
 
 /// Align downwards. Returns the greatest x with alignment `align`
 /// so that x <= addr. The alignment must be a power of 2.
-pub fn align_down(addr: usize, align: usize) -> usize {
+pub fn align_down_size(size: usize, align: usize) -> usize {
     if align.is_power_of_two() {
-        addr & !(align - 1)
+        size & !(align - 1)
     } else if align == 0 {
-        addr
+        size
     } else {
         panic!("`align` must be a power of 2");
     }
 }
 
+pub fn align_up_size(size: usize, align: usize) -> usize {
+    align_down_size(size + align - 1, align)
+}
+
 /// Align upwards. Returns the smallest x with alignment `align`
 /// so that x >= addr. The alignment must be a power of 2.
-pub fn align_up(addr: usize, align: usize) -> usize {
-    align_down(addr + align - 1, align)
+pub fn align_up(addr: *mut u8, align: usize) -> *mut u8 {
+    let offset = addr.align_offset(align);
+    addr.wrapping_offset(offset.try_into().unwrap())
 }
diff --git a/src/test.rs b/src/test.rs
@@ -6,7 +6,7 @@ use std::prelude::v1::*;
 fn new_heap() -> Heap {
     const HEAP_SIZE: usize = 1000;
     let heap_space = Box::leak(Box::new([MaybeUninit::uninit(); HEAP_SIZE]));
-    let assumed_location = heap_space.as_ptr() as usize;
+    let assumed_location = heap_space.as_mut_ptr().cast();
 
     let heap = Heap::from_slice(heap_space);
     assert!(heap.bottom == assumed_location);
@@ -18,7 +18,7 @@ fn new_max_heap() -> Heap {
     const HEAP_SIZE: usize = 1024;
     const HEAP_SIZE_MAX: usize = 2048;
     let heap_space = Box::leak(Box::new([MaybeUninit::<u8>::uninit(); HEAP_SIZE_MAX]));
-    let start_ptr = heap_space.as_ptr() as usize;
+    let start_ptr = heap_space.as_mut_ptr().cast();
 
     // Unsafe so that we have provenance over the whole allocation.
     let heap = unsafe { Heap::new(start_ptr, HEAP_SIZE) };
@@ -49,14 +49,17 @@ fn allocate_double_usize() {
     let layout = Layout::from_size_align(size, align_of::<usize>());
     let addr = heap.allocate_first_fit(layout.unwrap());
     assert!(addr.is_ok());
-    let addr = addr.unwrap().as_ptr() as usize;
+    let addr = addr.unwrap().as_ptr();
     assert!(addr == heap.bottom);
     let (hole_addr, hole_size) = heap.holes.first_hole().expect("ERROR: no hole left");
-    assert!(hole_addr == heap.bottom + size);
+    assert!(hole_addr == heap.bottom.wrapping_add(size));
     assert!(hole_size == heap.size - size);
 
     unsafe {
-        assert_eq!((*((addr + size) as *const Hole)).size, heap.size - size);
+        assert_eq!(
+            (*((addr.wrapping_offset(size.try_into().unwrap())) as *const Hole)).size,
+            heap.size - size
+        );
     }
 }
 
