add const_leak and reject interning non-leaked const_allocate ptrs

Author: fee1-dead

compiler/rustc_const_eval/messages.ftl

@@ -56,6 +56,13 @@ const_eval_const_context = {$kind ->
     *[other] {""}
 }
 
+const_eval_const_heap_ptr_in_final = encountered `const_allocate` pointer in final value that was not made global
+    .note = use `const_make_global` to make allocated pointers immutable before returning
+
+const_eval_const_make_global_ptr_already_imm = attempting to call `const_make_global` twice on the same allocation {$alloc}
+
+const_eval_const_make_global_ptr_is_non_heap = invalid pointer passed to `const_make_global`
+
 const_eval_copy_nonoverlapping_overlapping =
     `copy_nonoverlapping` called on overlapping ranges
 
@@ -338,6 +345,7 @@ const_eval_realloc_or_alloc_with_offset =
     {$kind ->
         [dealloc] deallocating
         [realloc] reallocating
+        [leak] leaking
         *[other] {""}
     } {$ptr} which does not point to the beginning of an object
 

compiler/rustc_const_eval/src/const_eval/eval_queries.rs

@@ -93,7 +93,7 @@ fn eval_body_using_ecx<'tcx, R: InterpretationResult<'tcx>>(
     // Since evaluation had no errors, validate the resulting constant.
     const_validate_mplace(ecx, &ret, cid)?;
 
-    // Only report this after validation, as validaiton produces much better diagnostics.
+    // Only report this after validation, as validation produces much better diagnostics.
     // FIXME: ensure validation always reports this and stop making interning care about it.
 
     match intern_result {

compiler/rustc_const_eval/src/const_eval/machine.rs

@@ -169,13 +169,19 @@ pub type CompileTimeInterpCx<'tcx> = InterpCx<'tcx, CompileTimeMachine<'tcx>>;
 
 #[derive(Debug, PartialEq, Eq, Copy, Clone)]
 pub enum MemoryKind {
-    Heap,
+    Heap {
+        was_made_immut: bool
+    },
 }
 
 impl fmt::Display for MemoryKind {
     fn fmt(&self, f: &mut fmt::Formatter<'_>) -> fmt::Result {
         match self {
-            MemoryKind::Heap => write!(f, "heap allocation"),
+            MemoryKind::Heap { was_made_immut } => write!(f, "{}heap allocation", if *was_made_immut {
+                "immutable "
+            } else {
+                ""
+            }),
         }
     }
 }
@@ -184,7 +190,7 @@ impl interpret::MayLeak for MemoryKind {
     #[inline(always)]
     fn may_leak(self) -> bool {
         match self {
-            MemoryKind::Heap => false,
+            MemoryKind::Heap { was_made_immut } => was_made_immut,
         }
     }
 }
@@ -420,7 +426,7 @@ impl<'tcx> interpret::Machine<'tcx> for CompileTimeMachine<'tcx> {
                 let ptr = ecx.allocate_ptr(
                     Size::from_bytes(size),
                     align,
-                    interpret::MemoryKind::Machine(MemoryKind::Heap),
+                    interpret::MemoryKind::Machine(MemoryKind::Heap { was_made_immut: false }),
                     AllocInit::Uninit,
                 )?;
                 ecx.write_pointer(ptr, dest)?;
@@ -453,10 +459,32 @@ impl<'tcx> interpret::Machine<'tcx> for CompileTimeMachine<'tcx> {
                     ecx.deallocate_ptr(
                         ptr,
                         Some((size, align)),
-                        interpret::MemoryKind::Machine(MemoryKind::Heap),
+                        interpret::MemoryKind::Machine(MemoryKind::Heap { was_made_immut: false }),
                     )?;
                 }
             }
+
+            sym::const_make_global => {
+                let ptr = ecx.read_pointer(&args[0])?;
+                let size = ecx.read_scalar(&args[1])?.to_target_usize(ecx)?;
+                let align = ecx.read_scalar(&args[2])?.to_target_usize(ecx)?;
+
+                // FIXME: do we need these arguments?
+                let _size: Size = Size::from_bytes(size);
+                let _align = match Align::from_bytes(align) {
+                    Ok(a) => a,
+                    Err(err) => throw_ub_custom!(
+                        fluent::const_eval_invalid_align_details,
+                        name = "const_make_global",
+                        err_kind = err.diag_ident(),
+                        align = err.align()
+                    ),
+                };
+
+                ecx.make_const_heap_ptr_immutable(ptr)?;
+                ecx.write_pointer(ptr, dest)?;
+            }
+
             // The intrinsic represents whether the value is known to the optimizer (LLVM).
             // We're not doing any optimizations here, so there is no optimizer that could know the value.
             // (We know the value here in the machine of course, but this is the runtime of that code,

compiler/rustc_const_eval/src/errors.rs

@@ -43,6 +43,15 @@ pub(crate) struct MutablePtrInFinal {
     pub kind: InternKind,
 }
 
+
+#[derive(Diagnostic)]
+#[diag(const_eval_const_heap_ptr_in_final)]
+#[note]
+pub(crate) struct ConstHeapPtrInFinal {
+    #[primary_span]
+    pub span: Span,
+}
+
 #[derive(Diagnostic)]
 #[diag(const_eval_unstable_in_stable_exposed)]
 pub(crate) struct UnstableInStableExposed {
@@ -493,6 +502,8 @@ impl<'a> ReportErrorExt for UndefinedBehaviorInfo<'a> {
             }
             AbiMismatchArgument { .. } => const_eval_incompatible_types,
             AbiMismatchReturn { .. } => const_eval_incompatible_return_types,
+            ConstMakeGlobalPtrIsNonHeap => const_eval_const_make_global_ptr_is_non_heap,
+            ConstMakeGlobalPtrAlreadyImm { .. } => const_eval_const_make_global_ptr_already_imm,
         }
     }
 
@@ -518,7 +529,8 @@ impl<'a> ReportErrorExt for UndefinedBehaviorInfo<'a> {
             | InvalidUninitBytes(None)
             | DeadLocal
             | UninhabitedEnumVariantWritten(_)
-            | UninhabitedEnumVariantRead(_) => {}
+            | UninhabitedEnumVariantRead(_)
+            | ConstMakeGlobalPtrIsNonHeap => {}
 
             ArithOverflow { intrinsic } => {
                 diag.arg("intrinsic", intrinsic);
@@ -620,6 +632,9 @@ impl<'a> ReportErrorExt for UndefinedBehaviorInfo<'a> {
                 diag.arg("caller_ty", caller_ty.to_string());
                 diag.arg("callee_ty", callee_ty.to_string());
             }
+            ConstMakeGlobalPtrAlreadyImm(alloc) => {
+                diag.arg("alloc", alloc);
+            }
         }
     }
 }

compiler/rustc_const_eval/src/interpret/intern.rs

@@ -31,7 +31,7 @@ use super::{
 };
 use crate::const_eval;
 use crate::const_eval::DummyMachine;
-use crate::errors::NestedStaticInThreadLocal;
+use crate::errors::{ConstHeapPtrInFinal, NestedStaticInThreadLocal};
 
 pub trait CompileTimeMachine<'tcx, T> = Machine<
         'tcx,
@@ -55,14 +55,37 @@ impl HasStaticRootDefId for const_eval::CompileTimeMachine<'_> {
     }
 }
 
+pub enum DisallowInternReason {
+    ConstHeap,
+}
+
+pub trait CanIntern {
+    fn disallows_intern(&self) -> Option<DisallowInternReason>;
+}
+
+impl CanIntern for const_eval::MemoryKind {
+    fn disallows_intern(&self) -> Option<DisallowInternReason> {
+        match self {
+            const_eval::MemoryKind::Heap { was_made_immut: false } => Some(DisallowInternReason::ConstHeap),
+            const_eval::MemoryKind::Heap { was_made_immut: true } => None,
+        }
+    }
+}
+
+impl CanIntern for ! {
+    fn disallows_intern(&self) -> Option<DisallowInternReason> {
+        *self
+    }
+}
+
 /// Intern an allocation. Returns `Err` if the allocation does not exist in the local memory.
 ///
 /// `mutability` can be used to force immutable interning: if it is `Mutability::Not`, the
 /// allocation is interned immutably; if it is `Mutability::Mut`, then the allocation *must be*
 /// already mutable (as a sanity check).
 ///
 /// Returns an iterator over all relocations referred to by this allocation.
-fn intern_shallow<'tcx, T, M: CompileTimeMachine<'tcx, T>>(
+fn intern_shallow<'tcx, T: CanIntern, M: CompileTimeMachine<'tcx, T>>(
     ecx: &mut InterpCx<'tcx, M>,
     alloc_id: AllocId,
     mutability: Mutability,
@@ -71,9 +94,22 @@ fn intern_shallow<'tcx, T, M: CompileTimeMachine<'tcx, T>>(
     trace!("intern_shallow {:?}", alloc_id);
     // remove allocation
     // FIXME(#120456) - is `swap_remove` correct?
-    let Some((_kind, mut alloc)) = ecx.memory.alloc_map.swap_remove(&alloc_id) else {
+    let Some((kind, mut alloc)) = ecx.memory.alloc_map.swap_remove(&alloc_id) else {
         return Err(());
     };
+
+    match kind {
+        MemoryKind::Machine(x) if let Some(reason) = x.disallows_intern() => match reason {
+            // attempting to intern a `const_allocate`d pointer that was not made global via
+            // `const_make_global`. We emit an error here but don't return an `Err` as if we
+            // did the caller assumes we found a dangling pointer.
+            DisallowInternReason::ConstHeap => {
+                ecx.tcx.dcx().emit_err(ConstHeapPtrInFinal { span: ecx.tcx.span });
+            }
+        },
+        MemoryKind::Machine(_) | MemoryKind::Stack | MemoryKind::CallerLocation => {}
+    }
+
     // Set allocation mutability as appropriate. This is used by LLVM to put things into
     // read-only memory, and also by Miri when evaluating other globals that
     // access this one.
@@ -99,7 +135,7 @@ fn intern_shallow<'tcx, T, M: CompileTimeMachine<'tcx, T>>(
     } else {
         ecx.tcx.set_alloc_id_memory(alloc_id, alloc);
     }
-    Ok(alloc.0.0.provenance().ptrs().iter().map(|&(_, prov)| prov))
+    Ok(alloc.inner().provenance().ptrs().iter().map(|&(_, prov)| prov))
 }
 
 /// Creates a new `DefId` and feeds all the right queries to make this `DefId`
@@ -181,7 +217,7 @@ pub fn intern_const_alloc_recursive<'tcx, M: CompileTimeMachine<'tcx, const_eval
         }
         InternKind::Static(Mutability::Not) => {
             (
-                // Outermost allocation is mutable if `!Freeze`.
+                // Outermost allocation is mutable if `!Freeze` i.e. contains interior mutable types.
                 if ret.layout.ty.is_freeze(*ecx.tcx, ecx.typing_env) {
                     Mutability::Not
                 } else {
@@ -309,7 +345,12 @@ pub fn intern_const_alloc_recursive<'tcx, M: CompileTimeMachine<'tcx, const_eval
         // `static mut`.
         just_interned.insert(alloc_id);
         match intern_shallow(ecx, alloc_id, inner_mutability, Some(&mut disambiguator)) {
-            Ok(nested) => todo.extend(nested),
+            Ok(nested) => {
+                // filtering here is necessary for self-referential values created through
+                // `const_allocate`.
+                // see tests/ui/consts/const-eval/heap/make-global-cyclic.rs
+                todo.extend(nested.filter(|prov| !just_interned.contains(&prov.alloc_id())))
+            }
             Err(()) => {
                 ecx.tcx.dcx().delayed_bug("found dangling pointer during const interning");
                 result = Err(InternResult::FoundDanglingPointer);
@@ -321,7 +362,7 @@ pub fn intern_const_alloc_recursive<'tcx, M: CompileTimeMachine<'tcx, const_eval
 
 /// Intern `ret`. This function assumes that `ret` references no other allocation.
 #[instrument(level = "debug", skip(ecx))]
-pub fn intern_const_alloc_for_constprop<'tcx, T, M: CompileTimeMachine<'tcx, T>>(
+pub fn intern_const_alloc_for_constprop<'tcx, T: CanIntern, M: CompileTimeMachine<'tcx, T>>(
     ecx: &mut InterpCx<'tcx, M>,
     alloc_id: AllocId,
 ) -> InterpResult<'tcx, ()> {

compiler/rustc_const_eval/src/interpret/memory.rs

@@ -311,6 +311,46 @@ impl<'tcx, M: Machine<'tcx>> InterpCx<'tcx, M> {
         interp_ok(new_ptr)
     }
 
+    /// mark the `const_allocate`d pointer immutable so we can intern it.
+    pub fn make_const_heap_ptr_immutable(
+        &mut self,
+        ptr: Pointer<Option<M::Provenance>>,
+    ) -> InterpResult<'tcx>
+    where
+        M: Machine<'tcx, MemoryKind = crate::const_eval::MemoryKind>,
+    {
+        let (alloc_id, _, _) = self.ptr_get_alloc_id(ptr, 0)?;
+
+        let not_local_heap = matches!(
+            self.tcx.try_get_global_alloc(alloc_id),
+            Some(GlobalAlloc::Memory(_))
+        );
+
+        if not_local_heap {
+            throw_ub!(ConstMakeGlobalPtrIsNonHeap);
+        }
+
+        let (kind, alloc) = self.memory.alloc_map.get_mut_or(alloc_id, || {
+            Err(err_ub!(PointerUseAfterFree(alloc_id, CheckInAllocMsg::Dereferenceable)))
+        })?;
+
+        alloc.mutability = Mutability::Not;
+
+        match kind {
+            MemoryKind::Stack | MemoryKind::CallerLocation => {
+                throw_ub!(ConstMakeGlobalPtrIsNonHeap);
+            }
+            MemoryKind::Machine(crate::const_eval::MemoryKind::Heap { was_made_immut }) => {
+                if *was_made_immut {
+                    throw_ub!(ConstMakeGlobalPtrAlreadyImm(alloc_id));
+                }
+                *was_made_immut = true;
+            }
+        }
+
+        interp_ok(())
+    }
+
     #[instrument(skip(self), level = "debug")]
     pub fn deallocate_ptr(
         &mut self,

compiler/rustc_const_eval/src/util/check_validity_requirement.rs

@@ -53,7 +53,7 @@ fn check_validity_requirement_strict<'tcx>(
     let mut cx = InterpCx::new(cx.tcx(), DUMMY_SP, cx.typing_env, machine);
 
     let allocated = cx
-        .allocate(ty, MemoryKind::Machine(crate::const_eval::MemoryKind::Heap))
+        .allocate(ty, MemoryKind::Machine(crate::const_eval::MemoryKind::Heap { was_made_immut: false }))
         .expect("OOM: failed to allocate for uninit check");
 
     if kind == ValidityRequirement::Zero {
@@ -185,7 +185,7 @@ pub(crate) fn validate_scalar_in_layout<'tcx>(
         bug!("could not compute layout of {scalar:?}:{ty:?}")
     };
     let allocated = cx
-        .allocate(layout, MemoryKind::Machine(crate::const_eval::MemoryKind::Heap))
+        .allocate(layout, MemoryKind::Machine(crate::const_eval::MemoryKind::Heap { was_made_immut: false }))
         .expect("OOM: failed to allocate for uninit check");
 
     cx.write_scalar(scalar, &allocated).unwrap();

compiler/rustc_hir_analysis/src/check/intrinsic.rs

@@ -415,6 +415,12 @@ pub(crate) fn check_intrinsic_type(
             vec![Ty::new_mut_ptr(tcx, tcx.types.u8), tcx.types.usize, tcx.types.usize],
             tcx.types.unit,
         ),
+        sym::const_make_global => (
+            0,
+            0,
+            vec![Ty::new_mut_ptr(tcx, tcx.types.u8), tcx.types.usize, tcx.types.usize],
+            Ty::new_imm_ptr(tcx, tcx.types.u8),
+        ),
 
         sym::ptr_offset_from => (
             1,

compiler/rustc_middle/src/mir/interpret/error.rs

@@ -257,7 +257,7 @@ pub enum InvalidProgramInfo<'tcx> {
 /// Details of why a pointer had to be in-bounds.
 #[derive(Debug, Copy, Clone)]
 pub enum CheckInAllocMsg {
-    /// We are access memory.
+    /// We are accessing memory.
     MemoryAccess,
     /// We are doing pointer arithmetic.
     InboundsPointerArithmetic,
@@ -427,6 +427,10 @@ pub enum UndefinedBehaviorInfo<'tcx> {
     AbiMismatchArgument { caller_ty: Ty<'tcx>, callee_ty: Ty<'tcx> },
     /// ABI-incompatible return types.
     AbiMismatchReturn { caller_ty: Ty<'tcx>, callee_ty: Ty<'tcx> },
+    /// Called `const_make_global` on a non-heap pointer.
+    ConstMakeGlobalPtrIsNonHeap,
+    /// Called `const_make_global` twice.
+    ConstMakeGlobalPtrAlreadyImm(AllocId),
 }
 
 #[derive(Debug, Clone, Copy)]

compiler/rustc_span/src/symbol.rs

@@ -714,6 +714,7 @@ symbols! {
         const_indexing,
         const_let,
         const_loop,
+        const_make_global,
         const_mut_refs,
         const_panic,
         const_panic_fmt,