Integer-to-pointer casts + use NonNull for MMIO constructor #52

@mkroening

Running cargo +nightly clippy --all-targets -- -Wfuzzy_provenance_casts gives:

warning: strict provenance disallows casting integer `usize` to pointer `*mut u8`
   --> src/lib.rs:966:62
    |
966 |             assert2::assert!(let Ok(_) = Uart16550::new_mmio(0x1000 as *mut _, 1));
    |                                                              ^^^^^^^^^^^^^^^^
    |
    = help: if you can't comply with strict provenance and don't have a pointer with the correct provenance you can use `std::ptr::with_exposed_provenance()` instead
    = note: requested on the command line with `-W fuzzy-provenance-casts`
help: use `.with_addr()` to adjust a valid pointer in the same allocation, to this address
    |
966 -             assert2::assert!(let Ok(_) = Uart16550::new_mmio(0x1000 as *mut _, 1));
966 +             assert2::assert!(let Ok(_) = Uart16550::new_mmio((...).with_addr(0x1000), 1));
    |

Running cargo +nightly miri test gives:

test tests::constructors ... warning: integer-to-pointer cast
   --> src/lib.rs:968:62
    |
968 |             assert2::assert!(let Ok(_) = Uart16550::new_mmio(0x1000 as *mut _, 1));
    |                                                              ^^^^^^^^^^^^^^^^ integer-to-pointer cast
    |
    = help: this program is using integer-to-pointer casts or (equivalently) `ptr::with_exposed_provenance`, which means that Miri might miss pointer bugs in this program
    = help: see https://doc.rust-lang.org/nightly/std/ptr/fn.with_exposed_provenance.html for more details on that operation
    = help: to ensure that Miri does not miss bugs in your program, use Strict Provenance APIs (https://doc.rust-lang.org/nightly/std/ptr/index.html#strict-provenance, https://crates.io/crates/sptr) instead
    = help: you can then set `MIRIFLAGS=-Zmiri-strict-provenance` to ensure you are not relying on `with_exposed_provenance` semantics
    = help: alternatively, `MIRIFLAGS=-Zmiri-permissive-provenance` disables this warning
    = note: this is on thread `tests::constructors`
    = note: stack backtrace:
            0: tests::constructors
                at src/lib.rs:968:62: 968:78
            1: tests::constructors::{closure#0}
                at src/lib.rs:955:22: 955:22

It might make sense to either make the examples use existing pointers or be explicit about external provenance:

let ptr = ptr::with_exposed_provenance_mut::<u8>(0x1000);
unsafe { Uart16550::new_mmio(ptr, 1) }
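
The two options suggested above, as an added example that is not code from this issue or from the crate: `MmioUart` and its methods are hypothetical stand-ins, with the constructor taking `NonNull<u8>` as the issue title proposes. It assumes Rust 1.84 or later, where the strict/exposed provenance APIs are stable.

```rust
use core::ptr::{self, NonNull};

/// Hypothetical stand-in for an MMIO UART driver (not the crate's real type).
pub struct MmioUart {
    base: NonNull<u8>,
    stride: usize,
}

impl MmioUart {
    /// # Safety
    /// `base` must be valid for volatile access to 8 registers, `stride` bytes apart.
    pub unsafe fn new_mmio(base: NonNull<u8>, stride: usize) -> Result<Self, &'static str> {
        if stride == 0 {
            return Err("stride must be non-zero");
        }
        Ok(Self { base, stride })
    }

    pub fn write_reg(&mut self, reg: usize, val: u8) {
        assert!(reg < 8, "register index out of range");
        // SAFETY: in bounds per the constructor's contract.
        unsafe { self.base.as_ptr().add(reg * self.stride).write_volatile(val) }
    }

    pub fn read_reg(&self, reg: usize) -> u8 {
        assert!(reg < 8, "register index out of range");
        // SAFETY: in bounds per the constructor's contract.
        unsafe { self.base.as_ptr().add(reg * self.stride).read_volatile() }
    }
}

/// Option 1 (tests): back the registers with a real allocation, so the pointer
/// carries provenance and Miri can check every access against it.
pub fn roundtrip_on_buffer() -> u8 {
    let mut regs = [0u8; 8]; // constructed stand-in for the device registers
    let base = NonNull::new(regs.as_mut_ptr()).expect("array pointer is non-null");
    let mut uart = unsafe { MmioUart::new_mmio(base, 1) }.unwrap();
    uart.write_reg(3, 0xA5);
    uart.read_reg(3)
}

/// Option 2 (hardware): state the external provenance explicitly instead of
/// writing `addr as *mut u8`. The pointer is only constructed here, never dereferenced.
pub fn hardware_base(addr: usize) -> Option<NonNull<u8>> {
    NonNull::new(ptr::with_exposed_provenance_mut::<u8>(addr))
}

fn main() {
    assert_eq!(roundtrip_on_buffer(), 0xA5);
    assert_eq!(hardware_base(0x1000).map(|p| p.addr().get()), Some(0x1000));
}
```

With the `NonNull` parameter, a zero address is rejected when the caller builds the pointer rather than inside the driver.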
