offset_from intrinsic: always allow pointers to point to the same address

RalfJung · RalfJung · commit a48f566b9a4e · 2024-07-06T17:14:26.000+02:00
diff --git a/core/src/ptr/const_ptr.rs b/core/src/ptr/const_ptr.rs
@@ -604,9 +604,9 @@ impl<T: ?Sized> *const T {
     //github.com/
     //github.com/ * `self` and `origen` must either
     //github.com/
+    //github.com/   * point to the same address, or
     //github.com/   * both be *derived from* a pointer to the same [allocated object], and the memory range between
-    //github.com/     the two pointers must be either empty or in bounds of that object. (See below for an example.)
-    //github.com/   * or both be derived from an integer literal/constant, and point to the same address.
+    //github.com/     the two pointers must be in bounds of that object. (See below for an example.)
     //github.com/
     //github.com/ * The distance between the pointers, in bytes, must be an exact multiple
     //github.com/   of the size of `T`.
@@ -653,14 +653,14 @@ impl<T: ?Sized> *const T {
     //github.com/ let ptr1 = Box::into_raw(Box::new(0u8)) as *const u8;
     //github.com/ let ptr2 = Box::into_raw(Box::new(1u8)) as *const u8;
     //github.com/ let diff = (ptr2 as isize).wrapping_sub(ptr1 as isize);
-    //github.com/ // Make ptr2_other an "alias" of ptr2, but derived from ptr1.
-    //github.com/ let ptr2_other = (ptr1 as *const u8).wrapping_offset(diff);
+    //github.com/ // Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1.
+    //github.com/ let ptr2_other = (ptr1 as *const u8).wrapping_offset(diff).wrapping_offset(1);
     //github.com/ assert_eq!(ptr2 as usize, ptr2_other as usize);
     //github.com/ // Since ptr2_other and ptr2 are derived from pointers to different objects,
     //github.com/ // computing their offset is undefined behavior, even though
-    //github.com/ // they point to the same address!
+    //github.com/ // they point to addresses that are in-bounds of the same object!
     //github.com/ unsafe {
-    //github.com/     let zero = ptr2_other.offset_from(ptr2); // Undefined Behavior
+    //github.com/     let one = ptr2_other.offset_from(ptr2); // Undefined Behavior! ⚠️
     //github.com/ }
     //github.com/ ```
     #[stable(feature = "ptr_offset_from", since = "1.47.0")]
diff --git a/core/src/ptr/mut_ptr.rs b/core/src/ptr/mut_ptr.rs
@@ -829,9 +829,9 @@ impl<T: ?Sized> *mut T {
     //github.com/
     //github.com/ * `self` and `origen` must either
     //github.com/
+    //github.com/   * point to the same address, or
     //github.com/   * both be *derived from* a pointer to the same [allocated object], and the memory range between
-    //github.com/     the two pointers must be either empty or in bounds of that object. (See below for an example.)
-    //github.com/   * or both be derived from an integer literal/constant, and point to the same address.
+    //github.com/     the two pointers must be in bounds of that object. (See below for an example.)
     //github.com/
     //github.com/ * The distance between the pointers, in bytes, must be an exact multiple
     //github.com/   of the size of `T`.
@@ -878,14 +878,14 @@ impl<T: ?Sized> *mut T {
     //github.com/ let ptr1 = Box::into_raw(Box::new(0u8));
     //github.com/ let ptr2 = Box::into_raw(Box::new(1u8));
     //github.com/ let diff = (ptr2 as isize).wrapping_sub(ptr1 as isize);
-    //github.com/ // Make ptr2_other an "alias" of ptr2, but derived from ptr1.
-    //github.com/ let ptr2_other = (ptr1 as *mut u8).wrapping_offset(diff);
+    //github.com/ // Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1.
+    //github.com/ let ptr2_other = (ptr1 as *mut u8).wrapping_offset(diff).wrapping_offset(1);
     //github.com/ assert_eq!(ptr2 as usize, ptr2_other as usize);
     //github.com/ // Since ptr2_other and ptr2 are derived from pointers to different objects,
     //github.com/ // computing their offset is undefined behavior, even though
-    //github.com/ // they point to the same address!
+    //github.com/ // they point to addresses that are in-bounds of the same object!
     //github.com/ unsafe {
-    //github.com/     let zero = ptr2_other.offset_from(ptr2); // Undefined Behavior
+    //github.com/     let one = ptr2_other.offset_from(ptr2); // Undefined Behavior! ⚠️
     //github.com/ }
     //github.com/ ```
     #[stable(feature = "ptr_offset_from", since = "1.47.0")]
diff --git a/core/src/ptr/non_null.rs b/core/src/ptr/non_null.rs
@@ -735,9 +735,9 @@ impl<T: ?Sized> NonNull<T> {
     //github.com/
     //github.com/ * `self` and `origen` must either
     //github.com/
+    //github.com/   * point to the same address, or
     //github.com/   * both be *derived from* a pointer to the same [allocated object], and the memory range between
-    //github.com/     the two pointers must be either empty or in bounds of that object. (See below for an example.)
-    //github.com/   * or both be derived from an integer literal/constant, and point to the same address.
+    //github.com/     the two pointers must be in bounds of that object. (See below for an example.)
     //github.com/
     //github.com/ * The distance between the pointers, in bytes, must be an exact multiple
     //github.com/   of the size of `T`.
@@ -789,14 +789,15 @@ impl<T: ?Sized> NonNull<T> {
     //github.com/ let ptr1 = NonNull::new(Box::into_raw(Box::new(0u8))).unwrap();
     //github.com/ let ptr2 = NonNull::new(Box::into_raw(Box::new(1u8))).unwrap();
     //github.com/ let diff = (ptr2.addr().get() as isize).wrapping_sub(ptr1.addr().get() as isize);
-    //github.com/ // Make ptr2_other an "alias" of ptr2, but derived from ptr1.
-    //github.com/ let ptr2_other = NonNull::new(ptr1.as_ptr().wrapping_byte_offset(diff)).unwrap();
+    //github.com/ // Make ptr2_other an "alias" of ptr2.add(1), but derived from ptr1.
+    //github.com/ let diff_plus_1 = diff.wrapping_add(1);
+    //github.com/ let ptr2_other = NonNull::new(ptr1.as_ptr().wrapping_byte_offset(diff_plus_1)).unwrap();
     //github.com/ assert_eq!(ptr2.addr(), ptr2_other.addr());
     //github.com/ // Since ptr2_other and ptr2 are derived from pointers to different objects,
     //github.com/ // computing their offset is undefined behavior, even though
-    //github.com/ // they point to the same address!
+    //github.com/ // they point to addresses that are in-bounds of the same object!
     //github.com/
-    //github.com/ let zero = unsafe { ptr2_other.offset_from(ptr2) }; // Undefined Behavior
+    //github.com/ let one = unsafe { ptr2_other.offset_from(ptr2) }; // Undefined Behavior! ⚠️
     //github.com/ ```
     #[inline]
     #[cfg_attr(miri, track_caller)] // even without panics, this helps for Miri backtraces
