UB: update the extra clause for provenance UB during const evaluation #2091
Conversation
This text currently does not cover the validity of the following in consteval:
This is already defined to be the same as
These are just structs, from an opsem perspective. We don't currently list them at all, even outside the const-eval clause.
My understanding is that async blocks behave more like unions? I'm not sure.
The current wording also doesn't prohibit mixing pointer fragments with different offsets, like in rust-lang/rust#146291
The wording is "all bytes must be fragments of the same original pointer value in the correct order". "same pointer value" means same address/offset and same provenance.
More like a weird kind of enum. Anyway, they are container types that have fields, and we recurse into them like we recurse into structs and enums. If you think we should be more explicit about closures and async lowering, please file an issue; that is entirely orthogonal to the const-eval clause.
Turns out that async blocks in const is gated behind an unstable feature, so that's a non-issue for the purposes of the reference. |
src/behavior-considered-undefined.md
Outdated
| r[undefined.validity.const-provenance] | ||
| * **In [const context](const_eval.md#const-context)**: In addition to what is described above, | ||
| further provenance-related requirements apply during const evaluation. | ||
| Any value that holds pure integer data (the `i*`/`u*`/`f*` types as well as `bool` and `char`, enum discriminants, and slice metadata) must not carry any provenance. | ||
| Any value that holds pointer data (references, raw pointers, function pointers, and `dyn Trait` metadata) must either carry no provenance, | ||
| or all bytes must be fragments of the same original pointer value in the correct order. | ||
| This implies that transmuting or otherwise reinterpreting a pointer (reference, raw pointer, or function pointer) into a non-pointer type (such as integers) is Undefined Behavior if the pointer had provenance. |
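Review bot: the closing sentence of the hunk only names transmuting a pointer into a non-pointer type; since the rule is now stated in terms of valid values and the checker recurses into fields of structs and enums, it would be worth saying explicitly that the same Undefined Behavior applies when the integer that ends up holding the pointer bytes is a field nested inside a larger value, which is the case the old note left unclear. The phrase "fragments of the same original pointer value" also relies on "pointer fragment", which is not defined anywhere in the text; either define it here or reword to "all bytes must come from the same original pointer value in the correct order".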
It'd be good to add an example or two for this section (similar to the examples we looked at on the lang side that motivated the recent changes). That would also help make clear what we mean by a pointer fragment, apropos of the question @ehuss is about to ask.
src/behavior-considered-undefined.md
Outdated
| further provenance-related requirements apply during const evaluation. | ||
| Any value that holds pure integer data (the `i*`/`u*`/`f*` types as well as `bool` and `char`, enum discriminants, and slice metadata) must not carry any provenance. | ||
| Any value that holds pointer data (references, raw pointers, function pointers, and `dyn Trait` metadata) must either carry no provenance, | ||
| or all bytes must be fragments of the same original pointer value in the correct order. |
It doesn't seem like "pointer fragments" is defined anywhere. Would it be possible to come up with a definition somewhere?
That's tricky to define in isolation. Maybe it's better to avoid the term and just say all bytes must "come from" the same original pointer value?
The longer answer is that during const-eval, a byte doesn't look quite like what we have defined in the reference currently. It's more like
```rust
enum Byte {
    Uninit,
    /// Initialized byte without provenance.
    Init(u8),
    /// Pointer fragment. `idx` is in the range `0..ptr_size`.
    PointerFragment { ptr: Pointer, idx: u8 },
}
```
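As an added example (not code from this PR or from the reference), a small model of the byte representation sketched above together with a checker for the two rules of the new clause, including the "same pointer value" reading from the earlier reply (same address and same provenance) and the nested-integer-field case from the PR description. `Pointer` as an address plus an opaque provenance id, and the sample values, are assumptions made for the example.

```rust
// Added example, not code from the PR or the Rust reference. It models the
// const-eval byte representation sketched above and checks the two rules of
// the new clause. `Pointer` (address plus an opaque provenance id) is an
// assumption; real const-eval provenance is richer than a number.
#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub struct Pointer { pub addr: u64, pub prov: u32 }

#[derive(Clone, Copy, PartialEq, Eq, Debug)]
pub enum Byte {
    Uninit,
    /// Initialized byte without provenance.
    Init(u8),
    /// Pointer fragment. `idx` is in the range `0..ptr_size`.
    PointerFragment { ptr: Pointer, idx: u8 },
}

/// The bytes a pointer value leaves in memory: `ptr_size` fragments in order.
pub fn ptr_bytes(ptr: Pointer, ptr_size: u8) -> Vec<Byte> {
    (0..ptr_size).map(|idx| Byte::PointerFragment { ptr, idx }).collect()
}

fn has_provenance(bytes: &[Byte]) -> bool {
    bytes.iter().any(|b| matches!(b, Byte::PointerFragment { .. }))
}

/// Pure integer data (`i*`/`u*`/`f*`, `bool`, `char`, discriminants, slice
/// metadata) must not carry any provenance. Because validity recurses into
/// fields, this also covers an integer field nested inside a struct or enum.
pub fn integer_data_ok(bytes: &[Byte]) -> bool {
    !has_provenance(bytes)
}

/// Pointer data (references, raw pointers, fn pointers, `dyn Trait` metadata)
/// must either carry no provenance, or every byte must be a fragment of the
/// same original pointer value (same address *and* same provenance), in order.
/// Only the provenance clause is checked; uninitialized bytes are a separate
/// validity concern.
pub fn pointer_data_ok(bytes: &[Byte], ptr_size: usize) -> bool {
    if bytes.len() != ptr_size {
        return false;
    }
    if !has_provenance(bytes) {
        return true;
    }
    let first = match bytes[0] {
        Byte::PointerFragment { ptr, .. } => ptr,
        _ => return false, // plain bytes mixed with fragments
    };
    bytes.iter().enumerate().all(|(i, b)| {
        matches!(b, Byte::PointerFragment { ptr, idx } if *ptr == first && usize::from(*idx) == i)
    })
}
```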
This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.
The old note didn't make it clear that the transmute is also illegal when it occurs nested inside a field. We already have the framework of "valid values" for this, so let's just use that also for this extra restriction.
Furthermore, there's another way to cause UB with provenance during const evaluation: by having a pointer whose bytes are mixed up.