@@ -169,11 +169,29 @@ impl fmt::Display for MiriMemoryKind {
169169/// Pointer provenance.
170170#[ derive( Clone , Copy ) ]
171171pub enum Provenance {
172+ /// For pointers with concrete provenance. we exactly know which allocation they are attached to
173+ /// and what their borrow tag is.
172174Concrete {
173175 alloc_id : AllocId ,
174176 /// Borrow Tracker tag.
175177tag : BorTag ,
176178 } ,
179+ /// Pointers with wildcard provenance are created on int-to-ptr casts. According to the
180+ /// specification, we should at that point angelically "guess" a provenance that will make all
181+ /// future uses of this pointer work, if at all possible. Of course such a semantics cannot be
182+ /// actually implemented in Miri. So instead, we approximate this, erroring on the side of
183+ /// accepting too much code rather than rejecting correct code: a pointer with wildcard
184+ /// provenance "acts like" any previously exposed pointer. Each time it is used, we check
185+ /// whether *some* exposed pointer could have done what we want to do, and if the answer is yes
186+ /// then we allow the access. This allows too much code in two ways:
187+ /// - The same wildcard pointer can "take the role" of multiple different exposed pointers on
188+ /// subsequenct memory accesses.
189+ /// - In the aliasing model, we don't just have to know the borrow tag of the pointer used for
190+ /// the access, we also have to update the aliasing state -- and that update can be very
191+ /// different depending on which borrow tag we pick! Stacked Borrows has support for this by
192+ /// switching to a stack that is only approximately known, i.e. we overapproximate the effect
193+ /// of using *any* exposed pointer for this access, and only keep information about the borrow
194+ /// stack that would be true with all possible choices.
177195Wildcard ,
178196}
179197
0 commit comments