intptrcast: Never allocate two objects directly adjecent

[tavianator]

When two objects directly follow each other in memory, what is the
provenance of an integer cast to a pointer that points directly between
them? For a zero-size region, it could point into the end of the first
object, or the start of the second.

We can avoid answering this difficult question by simply never
allocating two objects directly beside each other. This fixes some of
the false positives from #1866.

[RalfJung]

Thanks for the MR!

I am not very happy about this work-around, since it is just that -- it doesn't actually solve the problem, it just makes it less likely to occur in practice. But that is probably still better than the status quo. I opened rust-lang/unsafe-code-guidelines#313 to track the fundamental problem that causes this.

[tavianator]

I am not very happy about this work-around, since it is just that -- it doesn't actually solve the problem, it just makes it less likely to occur in practice.

Agreed, although depending on what “the problem“ is, I expect it's either very difficult or impossible to solve :). I'm not sure there's a consistent semantics at all for a language with both pointer provenance and pointer<->integer casts. Though I haven't been following the C provenance working group stuff.

[RalfJung]

I'm not sure there's a consistent semantics at all for a language with both pointer provenance and pointer<->integer casts.

I sure hope there is, because otherwise I have to either remove int-to-ptr casts from Rust or live with the fact that Rust is internally inconsistent and fundamentally impossible to get right. ;) But if there is a counterexample that demonstrates that no such semantics can exist, that would sure be very interesting.

[RalfJung]

@bors r+

Thanks again for the fix. :)

[bors]

📌 Commit 6a98c64 has been approved by RalfJung

[bors]

⌛ Testing commit 6a98c64 with merge 81e59e6...

[bors]

☀️ Test successful - checks-actions
Approved by: RalfJung
Pushing 81e59e6 to master...