when writing a scalar pair, always reset the entire destination range

Author: RalfJung

compiler/rustc_const_eval/src/interpret/place.rs

@@ -704,6 +704,7 @@ where
         // wrong type.
 
         let tcx = *self.tcx;
+        let will_later_validate = M::enforce_validity(self, layout);
         let Some(mut alloc) = self.get_place_alloc_mut(&MPlaceTy { mplace: dest, layout })? else {
             // zero-sized access
             return interp_ok(());
@@ -728,9 +729,15 @@ where
                 // but that does not work: We could be a newtype around a pair, then the
                 // fields do not match the `ScalarPair` components.
 
+                // In preparation, if we do *not* later reset the padding, we clear the entire
+                // destination now to ensure that no stray pointer fragments are being
+                // preserved (see <https://github.com/rust-lang/rust/issues/148470>).
+                if !will_later_validate {
+                    alloc.write_uninit_full();
+                }
+
                 alloc.write_scalar(alloc_range(Size::ZERO, a_val.size()), a_val)?;
                 alloc.write_scalar(alloc_range(b_offset, b_val.size()), b_val)?;
-                // We don't have to reset padding here, `write_immediate` will anyway do a validation run.
             }
             Immediate::Uninit => alloc.write_uninit_full(),
         }

compiler/rustc_middle/src/mir/interpret/allocation/provenance_map.rs

@@ -290,9 +290,12 @@ impl<Prov: Provenance> ProvenanceMap<Prov> {
     }
 
     /// Removes all provenance inside the given range.
-    /// If there is provenance overlapping with the edges, might result in an error.
     #[allow(irrefutable_let_patterns)] // these actually make the code more clear
     pub fn clear(&mut self, range: AllocRange, data_bytes: &[u8], cx: &impl HasDataLayout) {
+        if range.size == Size::ZERO {
+            return;
+        }
+
         let start = range.start;
         let end = range.end();
         // Clear the bytewise part -- this is easy.

tests/ui/consts/const-eval/ptr_fragments.rs

@@ -67,6 +67,30 @@ const _PARTIAL_OVERWRITE: () = {
     }
 };
 
+#[allow(dead_code)]
+fn fragment_in_dst_padding_gets_overwritten() {
+    #[repr(C)]
+    struct Pair {
+        x: u128,
+        // at offset 16
+        y: u64,
+    }
+
+    const C: MaybeUninit<Pair> = unsafe {
+        let mut m = MaybeUninit::<Pair>::uninit();
+        // Store pointer half-way into trailing padding.
+        m.as_mut_ptr().byte_add(20).cast::<&i32>().write_unaligned(&0);
+        // Overwrite `m`.
+        let val = Pair { x: 0, y: 0 };
+        *m.as_mut_ptr() = val;
+        // If the assignment of `val` above only copied the field and left the rest of `m`
+        // unchanged, there would be pointer fragments left in the padding which would be carried
+        // all the way to the final value, causing compilation failure.
+        // We prevent this by having the copy of `val` overwrite the entire destination.
+        m
+    };
+}
+
 fn main() {
     assert_eq!(unsafe { MEMCPY_RET.assume_init().read() }, 42);
 }