Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Tracking Issue for Transmutability Trait: #[transmutability] #99571

Open
3 of 7 tasks
jswrenn opened this issue Jul 21, 2022 · 0 comments
Open
3 of 7 tasks

Tracking Issue for Transmutability Trait: #[transmutability] #99571

jswrenn opened this issue Jul 21, 2022 · 0 comments
Labels
C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC F-transmutability `#![feature(transmutability)]` T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.

Comments

@jswrenn
Copy link
Member

jswrenn commented Jul 21, 2022

Feature gate: #![feature(transmutability)]

This is a tracking issue for MCP411: Lang Item for Transmutability. The MCP defines an experimental, compiler-implemented trait that can be used to audit whether a particular transmutation (or other form of bit-reinterpretation cast) is safe.

At this time, this feature is NOT on track to stabilization. It has been specified in an MCP, not an RFC, and will likely require an RFC to be tracked for stabilization.

Public API

The public API of this feature (which may have evolved since this issue's last update), is roughly as follows:

pub unsafe trait TransmuteFrom<Src, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{
    unsafe fn transmute(src: Src) -> Self
    where
        Src: Sized,
        Self: Sized,
    {
        ...
    }
}

#[derive(PartialEq, Eq, Clone, Copy, Debug)]
pub struct Assume {
    pub alignment: bool,
    pub lifetimes: bool,
    pub safety: bool,
    pub validity: bool,
}

impl Assume {
    pub const NOTHING: Self =
        Self { alignment: false, lifetimes: false, safety: false, validity: false };

    pub const ALIGNMENT: Self = Self { alignment: true, ..Self::NOTHING };
    pub const LIFETIMES: Self = Self { lifetimes: true, ..Self::NOTHING };
    pub const SAFETY: Self = Self { safety: true, ..Self::NOTHING };
    pub const VALIDITY: Self = Self { validity: true, ..Self::NOTHING };

    pub const fn and(self, other_assumptions: Self) -> Self { ... }
    pub const fn but_not(self, other_assumptions: Self) -> Self { ... }
}

Steps / History

Unresolved Questions

Virtually all aspects of this experimental feature are unresolved.

Footnotes

  1. https://std-dev-guide.rust-lang.org/feature-lifecycle/stabilization.html

@jswrenn jswrenn added C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. labels Jul 21, 2022
jswrenn added a commit to jswrenn/rust that referenced this issue Aug 22, 2022
This was left as a TODO in rust-lang#92268, and brings the trait more in
line with what was defined in MCP411.

`Assume::visibility` has been renamed to `Assume::safety`, as
library safety is what's actually being assumed; visibility is
just the mechanism by which it is currently checked (this may
change).

ref: rust-lang/compiler-team#411
ref: rust-lang#99571
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Sep 3, 2022
safe transmute: use `Assume` struct to provide analysis options

This task was left as a TODO in rust-lang#92268; resolving it brings [`BikeshedIntrinsicFrom`](https://doc.rust-lang.org/nightly/core/mem/trait.BikeshedIntrinsicFrom.html) more in line with the API defined in [MCP411](rust-lang/compiler-team#411).

**Before:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<
    Src,
    Context,
    const ASSUME_ALIGNMENT: bool,
    const ASSUME_LIFETIMES: bool,
    const ASSUME_VALIDITY: bool,
    const ASSUME_VISIBILITY: bool,
> where
    Src: ?Sized,
{}
```
**After:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<Src, Context, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{}
```

`Assume::visibility` has also been renamed to `Assume::safety`, as library safety invariants are what's actually being assumed; visibility is just the mechanism by which it is currently checked (and that may change).

r? `@oli-obk`

---

Related:
- rust-lang/compiler-team#411
- rust-lang#99571
bors added a commit to rust-lang-ci/rust that referenced this issue Sep 4, 2022
safe transmute: use `Assume` struct to provide analysis options

This task was left as a TODO in rust-lang#92268; resolving it brings [`BikeshedIntrinsicFrom`](https://doc.rust-lang.org/nightly/core/mem/trait.BikeshedIntrinsicFrom.html) more in line with the API defined in [MCP411](rust-lang/compiler-team#411).

**Before:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<
    Src,
    Context,
    const ASSUME_ALIGNMENT: bool,
    const ASSUME_LIFETIMES: bool,
    const ASSUME_VALIDITY: bool,
    const ASSUME_VISIBILITY: bool,
> where
    Src: ?Sized,
{}
```
**After:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<Src, Context, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{}
```

`Assume::visibility` has also been renamed to `Assume::safety`, as library safety invariants are what's actually being assumed; visibility is just the mechanism by which it is currently checked (and that may change).

r? `@oli-obk`

---

Related:
- rust-lang/compiler-team#411
- rust-lang#99571
workingjubilee pushed a commit to tcdi/postgrestd that referenced this issue Sep 15, 2022
This was left as a TODO in #92268, and brings the trait more in
line with what was defined in MCP411.

`Assume::visibility` has been renamed to `Assume::safety`, as
library safety is what's actually being assumed; visibility is
just the mechanism by which it is currently checked (this may
change).

ref: rust-lang/compiler-team#411
ref: rust-lang/rust#99571
workingjubilee pushed a commit to tcdi/postgrestd that referenced this issue Sep 15, 2022
safe transmute: use `Assume` struct to provide analysis options

This task was left as a TODO in #92268; resolving it brings [`BikeshedIntrinsicFrom`](https://doc.rust-lang.org/nightly/core/mem/trait.BikeshedIntrinsicFrom.html) more in line with the API defined in [MCP411](rust-lang/compiler-team#411).

**Before:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<
    Src,
    Context,
    const ASSUME_ALIGNMENT: bool,
    const ASSUME_LIFETIMES: bool,
    const ASSUME_VALIDITY: bool,
    const ASSUME_VISIBILITY: bool,
> where
    Src: ?Sized,
{}
```
**After:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<Src, Context, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{}
```

`Assume::visibility` has also been renamed to `Assume::safety`, as library safety invariants are what's actually being assumed; visibility is just the mechanism by which it is currently checked (and that may change).

r? `@oli-obk`

---

Related:
- rust-lang/compiler-team#411
- rust-lang/rust#99571
@saethlin saethlin added the F-transmutability `#![feature(transmutability)]` label Dec 12, 2023
RalfJung pushed a commit to RalfJung/rust-analyzer that referenced this issue Apr 20, 2024
safe transmute: use `Assume` struct to provide analysis options

This task was left as a TODO in #92268; resolving it brings [`BikeshedIntrinsicFrom`](https://doc.rust-lang.org/nightly/core/mem/trait.BikeshedIntrinsicFrom.html) more in line with the API defined in [MCP411](rust-lang/compiler-team#411).

**Before:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<
    Src,
    Context,
    const ASSUME_ALIGNMENT: bool,
    const ASSUME_LIFETIMES: bool,
    const ASSUME_VALIDITY: bool,
    const ASSUME_VISIBILITY: bool,
> where
    Src: ?Sized,
{}
```
**After:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<Src, Context, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{}
```

`Assume::visibility` has also been renamed to `Assume::safety`, as library safety invariants are what's actually being assumed; visibility is just the mechanism by which it is currently checked (and that may change).

r? `@oli-obk`

---

Related:
- rust-lang/compiler-team#411
- rust-lang/rust#99571
RalfJung pushed a commit to RalfJung/rust-analyzer that referenced this issue Apr 27, 2024
safe transmute: use `Assume` struct to provide analysis options

This task was left as a TODO in #92268; resolving it brings [`BikeshedIntrinsicFrom`](https://doc.rust-lang.org/nightly/core/mem/trait.BikeshedIntrinsicFrom.html) more in line with the API defined in [MCP411](rust-lang/compiler-team#411).

**Before:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<
    Src,
    Context,
    const ASSUME_ALIGNMENT: bool,
    const ASSUME_LIFETIMES: bool,
    const ASSUME_VALIDITY: bool,
    const ASSUME_VISIBILITY: bool,
> where
    Src: ?Sized,
{}
```
**After:**
```rust
pub unsafe trait BikeshedIntrinsicFrom<Src, Context, const ASSUME: Assume = { Assume::NOTHING }>
where
    Src: ?Sized,
{}
```

`Assume::visibility` has also been renamed to `Assume::safety`, as library safety invariants are what's actually being assumed; visibility is just the mechanism by which it is currently checked (and that may change).

r? `@oli-obk`

---

Related:
- rust-lang/compiler-team#411
- rust-lang/rust#99571
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 19, 2024
…piler-errors

safe transmute: check lifetimes

Modifies `BikeshedIntrinsicFrom` to forbid lifetime extensions on references. This static check can be opted out of with the `Assume::lifetimes` flag.

Fixes rust-lang#129097

Tracking Issue: rust-lang#99571

 r​? `@compiler-errors`
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 19, 2024
Rollup merge of rust-lang#129217 - jswrenn:transmute-lifetimes, r=compiler-errors

safe transmute: check lifetimes

Modifies `BikeshedIntrinsicFrom` to forbid lifetime extensions on references. This static check can be opted out of with the `Assume::lifetimes` flag.

Fixes rust-lang#129097

Tracking Issue: rust-lang#99571

 r​? `@compiler-errors`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 21, 2024
…ompiler-errors

safe transmute: gracefully bubble-up layout errors

Changes `.unwrap()`s to `?` to avoid ICEs. Adds ui tests.

Fixes rust-lang#129327

Tracking Issue: rust-lang#99571

r​? `@compiler-errors`
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 21, 2024
Rollup merge of rust-lang#129364 - jswrenn:transmute-layout-errs, r=compiler-errors

safe transmute: gracefully bubble-up layout errors

Changes `.unwrap()`s to `?` to avoid ICEs. Adds ui tests.

Fixes rust-lang#129327

Tracking Issue: rust-lang#99571

r​? `@compiler-errors`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 26, 2024
…er-errors

Document & implement the transmutation modeled by `BikeshedIntrinsicFrom`

Documents that `BikeshedIntrinsicFrom` models transmute-via-union, which is slightly more expressive than the transmute-via-cast implemented by `transmute_copy`. Additionally, we provide an implementation of transmute-via-union as a method on the `BikeshedIntrinsicFrom` trait with additional documentation on the boundary between trait invariants and caller obligations.

Whether or not transmute-via-union is the right kind of transmute to model remains up for discussion [1]. Regardless, it seems wise to document the present behavior.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20'kind'.20of.20transmute.20to.20model.3F/near/426331967

Tracking Issue: rust-lang#99571

r? `@compiler-errors`

cc `@scottmcm,` `@Lokathor`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 26, 2024
…er-errors

Document & implement the transmutation modeled by `BikeshedIntrinsicFrom`

Documents that `BikeshedIntrinsicFrom` models transmute-via-union, which is slightly more expressive than the transmute-via-cast implemented by `transmute_copy`. Additionally, we provide an implementation of transmute-via-union as a method on the `BikeshedIntrinsicFrom` trait with additional documentation on the boundary between trait invariants and caller obligations.

Whether or not transmute-via-union is the right kind of transmute to model remains up for discussion [1]. Regardless, it seems wise to document the present behavior.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20'kind'.20of.20transmute.20to.20model.3F/near/426331967

Tracking Issue: rust-lang#99571

r? `@compiler-errors`

cc `@scottmcm,` `@Lokathor`
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 27, 2024
Rollup merge of rust-lang#129032 - jswrenn:transmute-method, r=compiler-errors

Document & implement the transmutation modeled by `BikeshedIntrinsicFrom`

Documents that `BikeshedIntrinsicFrom` models transmute-via-union, which is slightly more expressive than the transmute-via-cast implemented by `transmute_copy`. Additionally, we provide an implementation of transmute-via-union as a method on the `BikeshedIntrinsicFrom` trait with additional documentation on the boundary between trait invariants and caller obligations.

Whether or not transmute-via-union is the right kind of transmute to model remains up for discussion [1]. Regardless, it seems wise to document the present behavior.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20'kind'.20of.20transmute.20to.20model.3F/near/426331967

Tracking Issue: rust-lang#99571

r? `@compiler-errors`

cc `@scottmcm,` `@Lokathor`
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this issue Aug 28, 2024
…-errors

Rename `BikeshedIntrinsicFrom` to `TransmuteFrom`

As our implementation of MCP411 nears completion and we begin to solicit testing, it's no longer reasonable to expect testers to type or remember `BikeshedIntrinsicFrom`. The name degrades the ease-of-reading of documentation, and the overall experience of using compiler safe transmute.

Tentatively, we'll instead adopt `TransmuteFrom`.

This name seems to be the one most likely to be stabilized, after discussion on Zulip [1]. We may want to revisit the ordering of `Src` and `Dst` before stabilization, at which point we'd likely consider `TransmuteInto` or `Transmute`.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20should.20.60BikeshedIntrinsicFrom.60.20be.20named.3F

Tracking Issue: rust-lang#99571

r​? `@compiler-errors`
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Aug 28, 2024
Rollup merge of rust-lang#129657 - jswrenn:transmute-name, r=compiler-errors

Rename `BikeshedIntrinsicFrom` to `TransmuteFrom`

As our implementation of MCP411 nears completion and we begin to solicit testing, it's no longer reasonable to expect testers to type or remember `BikeshedIntrinsicFrom`. The name degrades the ease-of-reading of documentation, and the overall experience of using compiler safe transmute.

Tentatively, we'll instead adopt `TransmuteFrom`.

This name seems to be the one most likely to be stabilized, after discussion on Zulip [1]. We may want to revisit the ordering of `Src` and `Dst` before stabilization, at which point we'd likely consider `TransmuteInto` or `Transmute`.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20should.20.60BikeshedIntrinsicFrom.60.20be.20named.3F

Tracking Issue: rust-lang#99571

r​? `@compiler-errors`
github-actions bot pushed a commit to rust-lang/miri that referenced this issue Aug 29, 2024
Rename `BikeshedIntrinsicFrom` to `TransmuteFrom`

As our implementation of MCP411 nears completion and we begin to solicit testing, it's no longer reasonable to expect testers to type or remember `BikeshedIntrinsicFrom`. The name degrades the ease-of-reading of documentation, and the overall experience of using compiler safe transmute.

Tentatively, we'll instead adopt `TransmuteFrom`.

This name seems to be the one most likely to be stabilized, after discussion on Zulip [1]. We may want to revisit the ordering of `Src` and `Dst` before stabilization, at which point we'd likely consider `TransmuteInto` or `Transmute`.

[1] https://rust-lang.zulipchat.com/#narrow/stream/216762-project-safe-transmute/topic/What.20should.20.60BikeshedIntrinsicFrom.60.20be.20named.3F

Tracking Issue: rust-lang/rust#99571

r​? `@compiler-errors`
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
C-tracking-issue Category: An issue tracking the progress of sth. like the implementation of an RFC F-transmutability `#![feature(transmutability)]` T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.
Projects
None yet
Development

No branches or pull requests

2 participants