Unexpected UB: retagging of variadic arguments

[RalfJung]

I would not expect this code to have UB:

#![feature(c_variadic)]
unsafe extern "C" fn write_through(
    ptr_to_val: *mut i32,
    hidden_mut_ref_to_val: ...
) {
    // UB: this write access invalidates a
    // protected mutable reference within
    // the list of variable arguments.
    unsafe { *ptr_to_val = 32; }
}

fn main() {
    let mut val: i32 = 0;
    let mut_ref_to_val = &mut val;
    let ptr_to_val = mut_ref_to_val as *mut _;
    unsafe {
        write_through(ptr_to_val, mut_ref_to_val);
    }
}

(Example by @icmccorm)

We end up retagging with a protector at that call based on caller-side type information. That shouldn't happen, the with-protector retagging is a callee operation and shouldn't use caller-side type information.

Cc @folkertdev

[folkertdev]

To clarify, this actually works

#![feature(c_variadic)]
unsafe extern "C" fn write_through(
    ptr_to_val: *mut i32,
    hidden_mut_ref_to_val: ...
) {
    unsafe { *ptr_to_val = 32; }
}

fn main() {
    let mut val: i32 = 0;
    let mut_ref_to_val = &mut val;
    let ptr_to_val = mut_ref_to_val as *mut _;
    unsafe {
        write_through(ptr_to_val, mut_ref_to_val as *mut _);
    }
}

This has a similar error to the OP

#![feature(c_variadic)]
unsafe extern "C" fn write_through(
    ptr_to_val: *mut i32,
    hidden_mut_ref_to_val: &mut i32 
) {
    // UB: this write access invalidates a
    // protected mutable reference within
    // the list of variable arguments.
    unsafe { *ptr_to_val = 32; }
}

fn main() {
    let mut val: i32 = 0;
    let mut_ref_to_val = &mut val;
    let ptr_to_val = mut_ref_to_val as *mut _;
    unsafe {
        write_through(ptr_to_val, mut_ref_to_val);
    }
}

but when the function expects a *mut i32 that is fine.

#![feature(c_variadic)]
unsafe extern "C" fn write_through(
    ptr_to_val: *mut i32,
    hidden_mut_ref_to_val: *mut i32 
) {
    // UB: this write access invalidates a
    // protected mutable reference within
    // the list of variable arguments.
    unsafe { *ptr_to_val = 32; }
}

fn main() {
    let mut val: i32 = 0;
    let mut_ref_to_val = &mut val;
    let ptr_to_val = mut_ref_to_val as *mut _;
    unsafe {
        write_through(ptr_to_val, mut_ref_to_val);
    }
}

So the reasoning here is that because the c-variadic function reads the value as a pointer, the reference should be converted into a pointer before the call, which would make the OP pass. Do I understand that correctly?

[RalfJung]

I tried to explain the reasoning in the issue description. :)

The callee has no way of knowing that the caller used &mut for this argument so it makes no sense that it would do a retag. Currently what happens in Miri is effectively if caller_type.kind().is_ref() but we should only ever use callee_type.kind().is_ref().

[icmccorm]

It seems to me that this would be a pretty quick fix in the const-eval interpreter. We would just have to use RetagMode::None when we populate the va list.

[folkertdev]

I'm a bit out of my depth here but that looks right. Want to make a PR for that?

[RalfJung]

It seems to me that this would be a pretty quick fix in the const-eval interpreter. We would just have to use RetagMode::None when we populate the va list.

Yeah that sounds right. :)

[icmccorm]

Awesome - @folkertdev, I'll make a PR, and add a test with some of the examples you made.