WIP

Author: traviscross

src/const_eval.md

@@ -237,8 +237,63 @@ r[const-eval.const-expr.if-match]
 r[const-eval.const-expr.final-value-provenance]
 The representation of the final value of a [constant][constant initializer] or [static initializer] must only contain bytes with provenance in whole-pointer groups. If a byte has provenance but is not part of an adjacent group of bytes that form an entire pointer, compilation will fail.
 
+```rust,compile_fail
+# use core::mem::MaybeUninit;
+#
+#[repr(C)]
+struct Pair {
+    x: u128,
+    y: MaybeUninit<u64>,
+    // 8 bytes of padding at offset 24.
+}
+
+const C: Pair = unsafe {
+    let mut m = MaybeUninit::<Pair>::uninit();
+    // Store pointer that extends half-way into trailing padding.
+    m.as_mut_ptr().byte_add(20).cast::<&u8>().write_unaligned(&0);
+    // Initialize fields.
+    (*m.as_mut_ptr()).x = 0;
+    (*m.as_mut_ptr()).y = MaybeUninit::new(0);
+    // Now `m` contains a pointer fragment in the padding.
+    m.assume_init()
+};
+```
+
+> [!NOTE]
+> Manually initializing (e.g., zeroing) the padding bytes ensures the final value is accepted:
+>
+> ```rust
+# use std::mem::MaybeUninit;
+# #[repr(C)]
+# struct Pair {
+#     x: u128,
+#     y: MaybeUninit<u64>,
+# }
+const C: Pair = unsafe {
+    let mut m = MaybeUninit::<Pair>::uninit();
+    m.as_mut_ptr().byte_add(20).cast::<&u8>().write_unaligned(&0);
+    // Explicitly zero the padding.
+    m.as_mut_ptr().byte_add(24).cast::<u64>().write_unaligned(0);
+    // As above.
+    (*m.as_mut_ptr()).x = 0;
+    (*m.as_mut_ptr()).y = MaybeUninit::new(0);
+    m.assume_init()
+};
+> ```
+
 > [!NOTE]
 > If a byte in the representation of the final value is uninitialized, then it *may* end up having provenance, which can cause compilation to fail. `rustc` tries (but does not guarantee) to only actually fail if the initializer copies or overwrites parts of a pointer and those bytes appear in the final value.
+>
+> E.g., `rustc` currently accepts this, even though the padding bytes are uninitialized:
+>
+> ```rust
+> # #[repr(C)]
+> # struct Pair { x: u128, y: u64 }
+> // The padding bytes are uninitialized.
+> const ALLOWED: Pair = Pair { x: 0, y: 0 };
+> ```
+>
+> Constant evaluation makes the details of typed copies observable: depending on whether a copy is performed field-by-field or as a memory-block copy, provenance in padding bytes might be discarded or preserved (both in the source and in the destination). Because the semantics of typed copies are not yet fully defined in Rust --- and to preserve the ability to change how they work in the future (for example, to always set the padding bytes to uninitialized) --- the language allows the compiler to reject any initializer with an uninitialized padding byte. Since the compiler cannot currently guarantee that an uninitialized byte does not contain a pointer fragment without a full model of typed copies, this allowance is necessary to avoid relying on underspecified details of the language.
 
 r[const-eval.const-context]
 ## Const context