Document unsafety in core::ptr #71507
Conversation
Changed raw pointer name from ptr to raw_pointer to avoid confusion with the `use std::ptr` statement a few lines above. This way the crate name and pointer name are well differenciated.
|
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @steveklabnik (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
rust-highfive
added
the
S-waiting-on-review
There was a problem hiding this comment.
I left other remarks I'm not completely sure about.
I think we should also ping someone from the Libs team, cc @Mark-Simulacrum do you have time for (yet another) review?
src/libcore/ptr/non_null.rs
Outdated
| @@ -69,6 +67,8 @@ impl<T: Sized> NonNull<T> { | |||
| #[rustc_const_stable(feature = "const_nonnull_dangling", since = "1.32.0")] | |||
| #[inline] | |||
| pub const fn dangling() -> Self { | |||
| // SAFETY: mem::align_of() returns a valid, non-null pointer. The | |||
There was a problem hiding this comment.
I'm not sure it would be right to call the pointer returned by mem::align_of "valid". It is still dangling.
There was a problem hiding this comment.
That's a good point. I thought of "valid" as in "non-null" and "usable", but it is in fact dangling and dangerous. We could simply put non-null and remove the "valid" to avoid confusion
| // SAFETY: mem::align_of() returns a valid, non-null pointer. The | |
| // SAFETY: mem::align_of() returns a non-null pointer. The |
There was a problem hiding this comment.
Thanks a lot for all your comments by the way @LeSeulArtichaut
There was a problem hiding this comment.
No problem! I've got some spare time, being locked down at home :P
There was a problem hiding this comment.
mem::align_of doesn't return a pointer, it returns a usize. By casting it to a pointer, you are creating the lowest non-zero *mut T that is properly aligned.
There was a problem hiding this comment.
@ecstatic-morse Changed in 75a73d1
| @@ -213,6 +221,8 @@ impl<T: ?Sized> From<Unique<T>> for NonNull<T> { | |||
| impl<T: ?Sized> From<&mut T> for NonNull<T> { | |||
| #[inline] | |||
| fn from(reference: &mut T) -> Self { | |||
| // SAFETY: A mutable reference cannot be null, so the conditions for | |||
| // new_unchecked() are respected. | |||
| unsafe { NonNull { pointer: reference as *mut T } } | |||
There was a problem hiding this comment.
You refer to new_unchecked in the SAFETY comment, but it's not what's called here. We should always be using new_unchecked to create NonNulls, even internally.
There was a problem hiding this comment.
@ecstatic-morse Do you think I should add it to this PR ? I feel like changing the code is a bit outside of its scope. I'm changing the SAFETY comment
src/libcore/ptr/unique.rs
Outdated
| @@ -176,6 +181,7 @@ impl<T: ?Sized> From<&mut T> for Unique<T> { | |||
| impl<T: ?Sized> From<&T> for Unique<T> { | |||
| #[inline] | |||
| fn from(reference: &T) -> Self { | |||
| // SAFETY: A reference cannot be null | |||
There was a problem hiding this comment.
My understanding is that Unique guarantees that its referent is not aliased. This is not guaranteed by &T, so I think this From impl is unsound. Presumably we justify this because it only becomes UB when we actually create a &mut from a Unique, which is unsafe. cc @rust-lang/libs
It's important to state why all invariants are upheld when annotating these unsafe blocks, not just the one about null pointers.
There was a problem hiding this comment.
@RalfJung I think mentioned recently that while Unique perhaps should provide that guarantee, it does not today.
I agree though that this impl seems very suspicious -- I believe Unique is std-internal today, so we can probably drop this impl?
There was a problem hiding this comment.
In the docs for Unique::new_unchecked , it is only stated that the pointer must be non-null
There was a problem hiding this comment.
I don’t believe Unique has such a language-level guarantee.
What if we just removed it? #71530
There was a problem hiding this comment.
I don’t believe Unique has such a language-level guarantee.
It doesn't right now mostly because we don't know how to exactly phrase the guarantee.
I agree that an instance turning a shared reference into Unique sounds wrong, and should be removed.
There was a problem hiding this comment.
The instance was added in #42959. Not sure why noone complained back then.
There was a problem hiding this comment.
I think this is outside the scope of this pull request, which aims at commenting some unsafe blocks. I removed it.
rust-lang#71507 (comment) discusses whether `Unique` not actually being unique is UB. `Unique` has very limited use over `NonNull`, so it doesn’t seem worth spending a lot of effort defining an abstraction and coming up with rules about what uses of it are or aren’t sound.
|
Thanks! Can you squash this down to one commit? With that I think we'll be ready to go. |
CohenArthur
force-pushed
the
document-unsafe-libcore-ptr
branch
from
33c4981
to
8558ccd
Compare
|
@Mark-Simulacrum Thanks, I squashed it |
Add documentation example to slice_from_raw_parts_mut() Add SAFETY explanations to some unsafe blocks in libcore/ptr * libcore/ptr/mod.rs * libcore/ptr/unique.rs * libcore/ptr/non_null.rs safety-mod.rs: Add SAFETY to slice_from_raw_parts(), slice_from_raw_parts_mut() slice_from_raw_parts_mut: Add documentation example safety-ptr-unique.rs: Add SAFETY to new() and cast() safety-ptr-non_null.rs: Add SAFETY to new() safety-ptr-non_null.rs: Add SAFETY to cast() safety-ptr-non_null.rs: Add SAFETY to from() impls safety-ptr-unique.rs: Add SAFETY to from() impls safety-ptr-non_null.rs: Add SAFETY to new() safety-ptr-unique.rs: Add SAFETY to new() safety-ptr-mod.rs: Fix safety explanation rust-lang#71507 (comment) safety-prt-non_null.rs: Fix SAFETY comment syntax safety-ptr-unique.rs: Fix syntax for empty() safety-ptr-non_null.rs: Fix misuse of non-null for align_of() safety-ptr-non_null.rs: Remove incorrect SAFETY comment safety-ptr-unique.rs: Remove unsound SAFETY comment safety-ptr-mod.rs: Add std comment on slice_from_raw_parts guarantee safety-ptr-unique.rs: Remove incorrect safety comment Creating a Unique from a NonNull has strict guarantees that the current implementation does not guarantee rust-lang#71507 (comment) safety-ptr: Re-adding ignore-tidy directive
|
@bors r+ rollup |
|
📌 Commit 8558ccd has been approved by |
bors
added
S-waiting-on-bors
…-ptr, r=Mark-Simulacrum Document unsafety in core::ptr Contributes to rust-lang#66219 I have yet to document all the `unsafe` blocks in the lib and would like to know if I'm headed in the right direction r? @steveklabnik
Rollup of 6 pull requests Successful merges: - rust-lang#71507 (Document unsafety in core::ptr) - rust-lang#71572 (test iterator chain type length blowup) - rust-lang#71617 (Suggest `into` instead of `try_into` if possible with int types) - rust-lang#71627 (Fix wrong argument in autoderef process) - rust-lang#71678 (Add an index page for nightly rustc docs.) - rust-lang#71680 (Fix doc link to Eq trait from PartialEq trait) Failed merges: - rust-lang#71597 (Rename Unique::empty() -> Unique::dangling()) r? @ghost
Contributes to #66219
I have yet to document all the
unsafeblocks in the lib and would like to know if I'm headed in the right directionr? @steveklabnik