Describe pointer fragment restriction in const final values

Let's add examples and explanatory notes to clarify the restriction
that the representation of the final value of a constant or static
initializer must only contain bytes with provenance in whole-pointer
groups.

We'll add a `compile_fail` example demonstrating how storing a pointer
that extends into padding creates pointer fragments in the final
value, causing compilation to fail and show to work around this by
explicitly zeroing the padding bytes.

Let's extend the existing note about uninitialized padding bytes to
provide deeper intuition about this restriction and explain how
constant evaluation makes the details of typed copies
observable (whether field-by-field or memory-block), how these details
are not yet fully specified in Rust, and why the compiler must be
allowed to reject initializers with uninitialized padding bytes to
preserve future flexibility (such as always setting padding to
uninitialized).

Context:

- rust-lang/rust#148470
- rust-lang/rust#148967

Author: traviscross

src/const_eval.md

@@ -237,8 +237,65 @@ r[const-eval.const-expr.if-match]
 r[const-eval.const-expr.final-value-provenance]
 The representation of the final value of a [constant][constant initializer] or [static initializer] must only contain bytes with provenance in whole-pointer groups. If a byte has provenance but is not part of an adjacent group of bytes that form an entire pointer, compilation will fail.
 
+```rust,compile_fail
+# use core::mem::MaybeUninit;
+#
+#[repr(C, align(32))]
+struct Pair {
+    x: u128,             // Offset  0, 16 bytes.
+    y: MaybeUninit<u64>, // Offset 16,  8 bytes.
+                         // Offset 24,  8 bytes of padding.
+}
+
+const C: Pair = unsafe {
+//    ^^^^^^^ ERROR: Partial pointer in final value of constant.
+    let mut m = MaybeUninit::<Pair>::uninit();
+    // Store pointer that extends half-way into trailing padding.
+    m.as_mut_ptr().byte_add(20).cast::<&u8>().write_unaligned(&0);
+    // Initialize fields.
+    (*m.as_mut_ptr()).x = 0;
+    (*m.as_mut_ptr()).y = MaybeUninit::new(0);
+    // Now `m` contains a pointer fragment in the padding.
+    m.assume_init()
+};
+```
+
+> [!NOTE]
+> Manually initializing (e.g., zeroing) the padding bytes ensures the final value is accepted:
+>
+> ```rust
+> # use std::mem::MaybeUninit;
+> # #[repr(C, align(32))]
+> # struct Pair {
+> #     x: u128,             // Offset  0, 16 bytes.
+> #     y: MaybeUninit<u64>, // Offset 16,  8 bytes.
+> #                          // Offset 24,  8 bytes of padding.
+> # }
+> const C: Pair = unsafe {
+>     let mut m = MaybeUninit::<Pair>::uninit();
+>     m.as_mut_ptr().byte_add(20).cast::<&u8>().write_unaligned(&0);
+>     // Explicitly zero the padding.
+>     m.as_mut_ptr().byte_add(24).cast::<u64>().write_unaligned(0);
+>     // As above.
+>     (*m.as_mut_ptr()).x = 0;
+>     (*m.as_mut_ptr()).y = MaybeUninit::new(0);
+>     m.assume_init()
+> };
+> ```
+
 > [!NOTE]
 > If a byte in the representation of the final value is uninitialized, then it *may* end up having provenance, which can cause compilation to fail. `rustc` tries (but does not guarantee) to only actually fail if the initializer copies or overwrites parts of a pointer and those bytes appear in the final value.
+>
+> E.g., `rustc` currently accepts this, even though the padding bytes are uninitialized:
+>
+> ```rust
+> # #[repr(C)]
+> # struct Pair { x: u128, y: u64 }
+> // The padding bytes are uninitialized.
+> const ALLOWED: Pair = Pair { x: 0, y: 0 };
+> ```
+>
+> Constant evaluation makes the details of typed copies observable: depending on whether a copy is performed field-by-field or as a memory-block copy, provenance in padding bytes might be discarded or preserved (both in the source and in the destination). The language allows the compiler to reject any initializer with an uninitialized padding byte to preserve implementation flexibility (e.g., the compiler may in the future always set padding bytes to uninitialized). Determining whether an uninitialized byte contains a pointer fragment would require tracking that is not currently performed.
 
 r[const-eval.const-context]
 ## Const context