-
Notifications
You must be signed in to change notification settings - Fork 105
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Relax safety precondition of Ptr::cast_unsized
#999
Conversation
ceb631d
to
dac2194
Compare
src/pointer/ptr.rs
Outdated
/// ranges at which `UnsafeCell`s appear in the projected-from type. | ||
/// This is necessarily true for projections of struct fields, but not | ||
/// for all projections of union fields. | ||
/// - If the aliasing of `self` is Shared, projected pointer must |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/// - If the aliasing of `self` is Shared, projected pointer must | |
/// - If the aliasing of `self` is not `Exclusive`, projected pointer must |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
src/pointer/ptr.rs
Outdated
@@ -918,8 +918,9 @@ mod _casts { | |||
/// For all kinds of casts, the caller must promise that: | |||
/// - the the size of the object referenced by the resulting pointer is | |||
/// less than or equal to the size of the object referenced by `self`. | |||
/// - `UnsafeCell`s in `U` exist at ranges identical to those at which | |||
/// `UnsafeCell`s exist in `T`. | |||
/// - if the aliasing of `self` is Shared, that `UnsafeCell`s in `U` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/// - if the aliasing of `self` is Shared, that `UnsafeCell`s in `U` | |
/// - if the aliasing of `self` is not `Exclusive`, that `UnsafeCell`s in `U` |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
src/pointer/ptr.rs
Outdated
@@ -983,7 +984,10 @@ mod _casts { | |||
// store this memory region treating `UnsafeCell`s as existing at | |||
// different ranges than they exist in `U`. This is true by | |||
// invariant on Ptr<'a, T, I>, and preserved through the cast to | |||
// `U` by contract on the caller. | |||
// `U` by contract on the caller: | |||
// - If `ptr` is exclusively aliased, no other references exist. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
// - If `ptr` is exclusively aliased, no other references exist. | |
// - If `ptr` is exclusively aliased, no other live references exist. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
src/pointer/ptr.rs
Outdated
/// 11. During the lifetime 'a, no reference will exist to this memory | ||
/// which treats `UnsafeCell`s as existing at different ranges than | ||
/// they exist in `T`. | ||
/// 11. During the lifetime 'a, no live reference will exist to this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
/// 11. During the lifetime 'a, no live reference will exist to this | |
/// 11. During the lifetime 'a, no live reference and no live `Ptr` will exist to this |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Done
We relax the `UnsafeCel` safety precondition on `Ptr` to apply to only live references. We then relax the `UnsafeCell` safety conditions on `cast_unsized` and `project` for exclusively-aliased pointers. This paves the way for removing the `NoCell` bound the `TryFromBytes` derive on unions, and from `try_cast_into`, `try_cast_into_no_leftover`, and finally `TryFromBytes::try_from_mut`.
dac2194
to
5c9afdf
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Anywhere that we reason about UnsafeCell
non-overlap being okay in virtue of exclusive aliasing, we should add:
// TODO(#896), TODO(https://github.com/rust-lang/unsafe-code-guidelines/issues/495): Blah
// blah blah before the next stable release.
Superseded by #1211. |
We relax the
UnsafeCell
safety conditions oncast_unsized
for exclusively-aliased pointers. This paves the way for removing theNoCell
bound fromtry_cast_into
,try_cast_into_no_leftover
, and finally fromTryFromBytes::try_from_mut
.I think this is sound; putting this PR up so we can discuss @joshlf.