Relax safety precondition of Ptr::cast_unsized
#999
Closed
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was referenced Mar 4, 2024
jswrenn
force-pushed
the
relax-cast_unsized
branch
3 times, most recently
from
ceb631d to
dac2194
Compare
joshlf
requested changes
Mar 5, 2024
src/pointer/ptr.rs
Outdated
| /// ranges at which `UnsafeCell`s appear in the projected-from type. | ||
| /// This is necessarily true for projections of struct fields, but not | ||
| /// for all projections of union fields. | ||
| /// - If the aliasing of `self` is Shared, projected pointer must |
Member
There was a problem hiding this comment.
Suggested change
| /// - If the aliasing of `self` is Shared, projected pointer must | |
| /// - If the aliasing of `self` is not `Exclusive`, projected pointer must |
src/pointer/ptr.rs
Outdated
| /// less than or equal to the size of the object referenced by `self`. | ||
| /// - `UnsafeCell`s in `U` exist at ranges identical to those at which | ||
| /// `UnsafeCell`s exist in `T`. | ||
| /// - if the aliasing of `self` is Shared, that `UnsafeCell`s in `U` |
Member
There was a problem hiding this comment.
Suggested change
| /// - if the aliasing of `self` is Shared, that `UnsafeCell`s in `U` | |
| /// - if the aliasing of `self` is not `Exclusive`, that `UnsafeCell`s in `U` |
src/pointer/ptr.rs
Outdated
| // invariant on Ptr<'a, T, I>, and preserved through the cast to | ||
| // `U` by contract on the caller. | ||
| // `U` by contract on the caller: | ||
| // - If `ptr` is exclusively aliased, no other references exist. |
Member
There was a problem hiding this comment.
Suggested change
| // - If `ptr` is exclusively aliased, no other references exist. | |
| // - If `ptr` is exclusively aliased, no other live references exist. |
src/pointer/ptr.rs
Outdated
| /// 11. During the lifetime 'a, no reference will exist to this memory | ||
| /// which treats `UnsafeCell`s as existing at different ranges than | ||
| /// they exist in `T`. | ||
| /// 11. During the lifetime 'a, no live reference will exist to this |
Member
There was a problem hiding this comment.
Suggested change
| /// 11. During the lifetime 'a, no live reference will exist to this | |
| /// 11. During the lifetime 'a, no live reference and no live `Ptr` will exist to this |
We relax the `UnsafeCel` safety precondition on `Ptr` to apply to only live references. We then relax the `UnsafeCell` safety conditions on `cast_unsized` and `project` for exclusively-aliased pointers. This paves the way for removing the `NoCell` bound the `TryFromBytes` derive on unions, and from `try_cast_into`, `try_cast_into_no_leftover`, and finally `TryFromBytes::try_from_mut`.
jswrenn
force-pushed
the
relax-cast_unsized
branch
from
dac2194 to
5c9afdf
Compare
joshlf
requested changes
Mar 5, 2024
Member
joshlf
left a comment
joshlf
left a comment
There was a problem hiding this comment.
Anywhere that we reason about UnsafeCell non-overlap being okay in virtue of exclusive aliasing, we should add:
// TODO(#896), TODO(https://github.com/rust-lang/unsafe-code-guidelines/issues/495): Blah
// blah blah before the next stable release.
Collaborator
Author
|
Superseded by #1211. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We relax the
UnsafeCellsafety conditions oncast_unsizedfor exclusively-aliased pointers. This paves the way for removing theNoCellbound fromtry_cast_into,try_cast_into_no_leftover, and finally fromTryFromBytes::try_from_mut.I think this is sound; putting this PR up so we can discuss @joshlf.