Relax UnsafeCell safety precondition of Ptr to live refs
We relax the `UnsafeCell` safety precondition on `Ptr` to apply to
only live references.

We then relax the `UnsafeCell` safety conditions on `cast_unsized`
and `project` for exclusively-aliased pointers. This paves the way
for removing the `NoCell` bound from the `TryFromBytes` derive on unions,
and from `try_cast_into`, `try_cast_into_no_leftover`, and finally
`TryFromBytes::try_from_mut`.
jswrenn committed Mar 4, 2024
1 parent 184dedf commit ceb631d
Showing 1 changed file with 14 additions and 10 deletions.
24 changes: 14 additions & 10 deletions src/pointer/ptr.rs
@@ -63,9 +63,9 @@ mod def {
/// 10. During the lifetime 'a, no code will load or store this memory
/// region treating `UnsafeCell`s as existing at different ranges
/// than they exist in `T`.
/// 11. During the lifetime 'a, no reference will exist to this memory
/// which treats `UnsafeCell`s as existing at different ranges than
/// they exist in `T`.
/// 11. During the lifetime 'a, no live reference will exist to this
/// memory which treats `UnsafeCell`s as existing at different
/// ranges than they exist in `T`.
// SAFETY: `NonNull<T>` is covariant over `T` [1].
//
// [1]: https://doc.rust-lang.org/std/ptr/struct.NonNull.html
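Review bot: the relaxation in precondition 11 hinges on the word `live`, which is defined neither here nor in precondition 10, so a reader cannot tell whether a reference that exists but is never used again during `'a` is covered. Suggest stating it next to the precondition, for example: a reference is live while it may still be used to access this memory; references created before `'a` and never used within it do not count. That reading also makes 10 and 11 complementary: 10 forbids the mismatched accesses themselves during `'a`, 11 forbids the references through which such accesses could be made.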
@@ -918,8 +918,8 @@ mod _casts {
/// For all kinds of casts, the caller must promise that:
/// - the the size of the object referenced by the resulting pointer is
/// less than or equal to the size of the object referenced by `self`.
/// - `UnsafeCell`s in `U` exist at ranges identical to those at which
/// `UnsafeCell`s exist in `T`.
/// - if the aliasing is shared, that `UnsafeCell`s in `U` exist at
/// ranges identical to those at which `UnsafeCell`s exist in `T`.
///
/// For pointer-to-pointer casts, it suffices for the caller to
/// additionally promise that `cast(p)` is implemented as:
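Review bot: the new wording `if the aliasing is shared` leaves unstated what the caller must promise when the aliasing of `self` is not known to be exclusive; the SAFETY comment later in this commit argues only the exclusive and shared cases. Phrasing it as `unless the aliasing is exclusive, ...` makes the stricter requirement the default rather than something a caller with a weaker aliasing invariant could read as not applying. Separately, the unchanged context line `the the size of the object referenced by the resulting pointer` has a doubled `the`; worth fixing while this doc block is being edited.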
@@ -983,7 +983,10 @@ mod _casts {
// store this memory region treating `UnsafeCell`s as existing at
// different ranges than they exist in `U`. This is true by
// invariant on Ptr<'a, T, I>, and preserved through the cast to
// `U` by contract on the caller.
// `U` by contract on the caller:
// - If `ptr` is exclusively aliased, no other references exist.
// - If `ptr` has shared aliasing, the caller has promised that
// `T` and `U` have `UnsafeCell`s at exactly the same ranges.
// 10. See 9.
unsafe { Ptr::new(ptr) }
}
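Review bot: `If `ptr` is exclusively aliased, no other references exist.` claims more than precondition 11 now guarantees, which is that no other live references exist; the SAFETY comment and the invariant it cites should use the same term so the argument stays traceable. The exclusive case also relies on the `T`-typed view of these bytes no longer being used after the cast (otherwise two views with different `UnsafeCell` ranges would be live at once), and the comment should state why that holds, for instance that `self` is consumed by the cast.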
@@ -1244,10 +1247,11 @@ mod _project {
/// `self` casted to a raw pointer. The pointer it returns must
/// reference only a subset of `self`'s bytes.
/// - `T` is a struct or union type.
/// - The projected pointer contains `UnsafeCell`s at exactly the same
/// ranges at which `UnsafeCell`s appear in the projected-from type.
/// This is necessarily true for projections of struct fields, but not
/// for all projections of union fields.
/// - If `self` is shared-aliased, projected pointer must contain
/// `UnsafeCell`s at exactly the same ranges at which `UnsafeCell`s
/// appear in the projected-from type. This is necessarily true for
/// projections of struct fields, but not for all projections of union
/// fields.
///
/// ## Postconditions
///
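Review bot: `If `self` is shared-aliased, projected pointer must contain` is missing `the` before `projected pointer`, and, as with the cast contract, `shared-aliased` should read `not exclusively aliased` so a caller whose aliasing invariant is weaker than exclusive cannot read the requirement as not applying. It would also help to spell out the union case this change is meant to enable: a projection to a union field whose `UnsafeCell` ranges differ from the union's is permitted only under exclusive aliasing, because then no other live reference can observe the same bytes under the other layout.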