Skip to content

Commit 1ad91c8

Browse files
celinvalcelinval
committed
Fix copy* contract to make it untyped
The intrinsics `copy` and `copy_nonoverlapping` are untyped copies, so they don't respect the validity requirements of `T`.
1 parent aa1b9c2 commit 1ad91c8

File tree

1 file changed

+6
-6
lines changed

1 file changed

+6
-6
lines changed

library/core/src/intrinsics.rs

Lines changed: 6 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -2727,7 +2727,7 @@ pub const fn is_val_statically_known<T: Copy>(_arg: T) -> bool {
27272727
#[requires(ub_checks::can_dereference(x) && ub_checks::can_write(x))]
27282728
#[requires(ub_checks::can_dereference(y) && ub_checks::can_write(y))]
27292729
#[requires(x.addr() != y.addr() || core::mem::size_of::<T>() == 0)]
2730-
#[requires((x.addr() >= y.addr() + core::mem::size_of::<T>()) || (y.addr() >= x.addr() + core::mem::size_of::<T>()))]
2730+
#[requires(ub_checks::is_nonoverlapping(x as *const (), x as *const (), size_of::<T>(), 1))]
27312731
pub const unsafe fn typed_swap<T>(x: *mut T, y: *mut T) {
27322732
// SAFETY: The caller provided single non-overlapping items behind
27332733
// pointers, so swapping them with `count: 1` is fine.
@@ -2956,11 +2956,11 @@ pub const fn ptr_metadata<P: ptr::Pointee<Metadata = M> + ?Sized, M>(_ptr: *cons
29562956
#[inline(always)]
29572957
#[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
29582958
#[rustc_diagnostic_item = "ptr_copy_nonoverlapping"]
2959+
// Copy is "untyped".
29592960
#[requires(!count.overflowing_mul(size_of::<T>()).1
2960-
&& ub_checks::can_dereference(core::ptr::slice_from_raw_parts(src, count))
2961+
&& ub_checks::can_dereference(core::ptr::slice_from_raw_parts(src as *const crate::mem::MaybeUninit<T>, count))
29612962
&& ub_checks::can_write(core::ptr::slice_from_raw_parts_mut(dst, count)))]
2962-
#[requires(src.addr() != dst.addr() || core::mem::size_of::<T>() == 0)]
2963-
#[requires((src.addr() >= dst.addr() + core::mem::size_of::<T>()) || (dst.addr() >= src.addr() + core::mem::size_of::<T>()))]
2963+
#[requires(ub_checks::is_nonoverlapping(src as *const (), dst as *const (), size_of::<T>(), count))]
29642964
// TODO: Modifies doesn't work with slices today.
29652965
// https://github.com/model-checking/kani/pull/3295
29662966
// #[cfg_attr(kani, kani::modifies(crate::ptr::slice_from_raw_parts(dst, count)))]
@@ -3068,8 +3068,8 @@ pub const unsafe fn copy_nonoverlapping<T>(src: *const T, dst: *mut T, count: us
30683068
#[rustc_diagnostic_item = "ptr_copy"]
30693069
// FIXME: How to verify safety for types that do not implement Copy and count > 1??
30703070
#[requires(!count.overflowing_mul(size_of::<T>()).1
3071-
&& ub_checks::can_dereference(core::ptr::slice_from_raw_parts(src, count))
3072-
&& ub_checks::can_write(core::ptr::slice_from_raw_parts_mut(dst, count)))]
3071+
&& ub_checks::can_dereference(core::ptr::slice_from_raw_parts(src as *const crate::mem::MaybeUninit<T>, count))
3072+
&& ub_checks::can_write(core::ptr::slice_from_raw_parts_mut(dst, count)))]
30733073
// TODO: Modifies doesn't work with slices today.
30743074
// https://github.com/model-checking/kani/pull/3295
30753075
// #[cfg_attr(kani, kani::modifies(crate::ptr::slice_from_raw_parts(dst, count)))]

0 commit comments

Comments
 (0)