test for upcast detecting bad vtables

RalfJung · RalfJung · commit 1519f04bebdf · 2022-07-20T18:05:59.000-04:00
diff --git a/src/shims/backtrace.rs b/src/shims/backtrace.rs
@@ -123,15 +123,16 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
 
         let ptr = this.read_pointer(ptr)?;
         // Take apart the pointer, we need its pieces. The offset encodes the span.
-        let (alloc_id, offset, _tag) = this.ptr_get_alloc_id(ptr)?;
+        let (alloc_id, offset, _prov) = this.ptr_get_alloc_id(ptr)?;
 
         // This has to be an actual global fn ptr, not a dlsym function.
-        let fn_instance =
-            if let Some(GlobalAlloc::Function(instance)) = this.tcx.try_get_global_alloc(alloc_id) {
-                instance
-            } else {
-                throw_ub_format!("expected static function pointer, found {:?}", ptr);
-            };
+        let fn_instance = if let Some(GlobalAlloc::Function(instance)) =
+            this.tcx.try_get_global_alloc(alloc_id)
+        {
+            instance
+        } else {
+            throw_ub_format!("expected static function pointer, found {:?}", ptr);
+        };
 
         let lo =
             this.tcx.sess.source_map().lookup_char_pos(BytePos(offset.bytes().try_into().unwrap()));
diff --git a/src/stacked_borrows/mod.rs b/src/stacked_borrows/mod.rs
@@ -768,13 +768,13 @@ trait EvalContextPrivExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
             drop(global); // don't hold that reference any longer than we have to
 
             let Some((alloc_id, base_offset, orig_tag)) = loc else {
-                return Ok(());
+                return Ok(())
             };
 
             // The SB history tracking needs a parent tag, so skip if we come from a wildcard.
             let ProvenanceExtra::Concrete(orig_tag) = orig_tag else {
                 // FIXME: should we log this?
-                return Ok(());
+                return Ok(())
             };
 
             let (_size, _align, kind) = this.get_alloc_info(alloc_id);
@@ -1016,17 +1016,16 @@ pub trait EvalContextExt<'mir, 'tcx: 'mir>: crate::MiriEvalContextExt<'mir, 'tcx
         fn qualify(ty: ty::Ty<'_>, kind: RetagKind) -> Option<(RefKind, bool)> {
             match ty.kind() {
                 // References are simple.
-                ty::Ref(_, _, Mutability::Mut) => Some((
-                    RefKind::Unique { two_phase: kind == RetagKind::TwoPhase },
-                    kind == RetagKind::FnEntry,
-                )),
-                ty::Ref(_, _, Mutability::Not) => {
-                    Some((RefKind::Shared, kind == RetagKind::FnEntry))
-                }
+                ty::Ref(_, _, Mutability::Mut) =>
+                    Some((
+                        RefKind::Unique { two_phase: kind == RetagKind::TwoPhase },
+                        kind == RetagKind::FnEntry,
+                    )),
+                ty::Ref(_, _, Mutability::Not) =>
+                    Some((RefKind::Shared, kind == RetagKind::FnEntry)),
                 // Raw pointers need to be enabled.
-                ty::RawPtr(tym) if kind == RetagKind::Raw => {
-                    Some((RefKind::Raw { mutable: tym.mutbl == Mutability::Mut }, false))
-                }
+                ty::RawPtr(tym) if kind == RetagKind::Raw =>
+                    Some((RefKind::Raw { mutable: tym.mutbl == Mutability::Mut }, false)),
                 // Boxes are handled separately due to that allocator situation,
                 // see the visitor below.
                 _ => None,
diff --git a/tests/fail/dyn-upcast-trait-mismatch.rs b/tests/fail/dyn-upcast-trait-mismatch.rs
@@ -0,0 +1,56 @@
+#![feature(trait_upcasting)]
+#![allow(incomplete_features)]
+
+trait Foo: PartialEq<i32> + std::fmt::Debug + Send + Sync {
+    fn a(&self) -> i32 {
+        10
+    }
+
+    fn z(&self) -> i32 {
+        11
+    }
+
+    fn y(&self) -> i32 {
+        12
+    }
+}
+
+trait Bar: Foo {
+    fn b(&self) -> i32 {
+        20
+    }
+
+    fn w(&self) -> i32 {
+        21
+    }
+}
+
+trait Baz: Bar {
+    fn c(&self) -> i32 {
+        30
+    }
+}
+
+impl Foo for i32 {
+    fn a(&self) -> i32 {
+        100
+    }
+}
+
+impl Bar for i32 {
+    fn b(&self) -> i32 {
+        200
+    }
+}
+
+impl Baz for i32 {
+    fn c(&self) -> i32 {
+        300
+    }
+}
+
+fn main() {
+    let baz: &dyn Baz = &1;
+    let baz_fake: &dyn Bar = unsafe { std::mem::transmute(baz) };
+    let _: &dyn std::fmt::Debug = baz_fake; //~ERROR upcast on a pointer whose vtable does not match its type
+}
