elaborate on slice wide pointer metadata #1499
src/behavior-considered-undefined.md
Outdated
* `dyn Trait` metadata is invalid if it is not a pointer to a vtable for | ||
`Trait` that matches the actual dynamic trait the pointer or reference points to. | ||
`Trait` that matches the actual dynamic type the pointer or reference points to. |
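Review bot: the new wording still states a requirement about the pointee ("the actual dynamic type the pointer or reference points to") for raw pointers as well, but the thread notes that a raw wide pointer's data portion may dangle, so there is no pointee whose type could be checked. Consider scoping this sentence to references and `Box<T>`, and stating separately that for raw pointers the vtable only has to be one for the trait named in the pointer type, which is the requirement the thread says is actually implemented.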
Preexisting but how can this be a requirement for wide pointers, whose data portion is allowed to dangle, I assume?
Hm... yeah the actually implemented requirement is that the trait matches the trait given in the pointer type, i.e. a `*const dyn Debug` that points to a vtable for `Display` is UB.
@rust-lang/opsem / @RalfJung: In looking carefully at this on the rustdocs call, we realized it might be helpful, both to us and when the lang team takes this up, if someone might be able to annotate the changes here (e.g. using the GH review features) with some explanation for each of these (e.g. "this was incorrect because...", "this was already true because we had said...", "we're adding this guarantee here because...").
46bcc6c to 091b2f2
src/behavior-considered-undefined.md
Outdated
* Invalid metadata in a wide reference, `Box<T>`, or raw pointer: | ||
* A reference or `Box<T>` that is [dangling], misaligned, or points to an invalid value | ||
(using the actual dynamic type of the pointee as determined by the vtable in | ||
the metadata in case of dynamically sized types). |
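Review bot: the parenthetical "as determined by the vtable in the metadata in case of dynamically sized types" only describes `dyn Trait`; a slice-tailed type such as `(u32, [u32])`, mentioned later in this review, is also dynamically sized but its metadata is a length, not a vtable. Suggest "as determined by the metadata (the vtable for `dyn Trait`, the length for slice tails) in case of dynamically sized types" so the sentence covers every unsized tail this PR goes on to enumerate.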
This does not change anything, it clarifies what the pointed-to value is in case of e.g. `&dyn Trait`.
(using the actual dynamic type of the pointee as determined by the vtable in | ||
the metadata in case of dynamically sized types). | ||
* Invalid metadata in a wide reference, `Box<T>`, or raw pointer. The requirement | ||
for the metadata is determined by the type of the unsized tail: |
Another piece of clarification, previously we were not very clear on what the metadata requirements are for types like `(u32, [u32])`: we spoke about "slice metadata" and the fact that this covered all types whose unsized tail is a slice was left implicit. Now it is explicit.
* A reference or `Box<T>` that is [dangling], misaligned, or points to an invalid value. | ||
* Invalid metadata in a wide reference, `Box<T>`, or raw pointer: | ||
* `dyn Trait` metadata is invalid if it is not a pointer to a vtable for | ||
`Trait` that matches the actual dynamic trait the pointer or reference points to. |
"that matches the actual dynamic trait" was clearly nonsense. Also this is now moved to the "points to an invalid value" point since it's not about the metadata, it's about using the metadata to keep going recursively through the reference.
(i.e., it must not be read from uninitialized memory). | ||
Furthermore, for wide references and `Box<T>`, slice metadata is invalid | ||
if it makes the total size of the pointed-to value bigger than `isize::MAX`. |
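Review bot: two scoping points in this sentence are easy to misread and worth spelling out. First, the bound is on the total size of the pointed-to value, so for a slice-tailed struct like `(u32, [u32])` the sized prefix and any padding count toward `isize::MAX`, not just `len * size_of::<T>()`; a short example would prevent readers from applying the plain-slice formula. Second, "for wide references and `Box<T>`" deliberately leaves raw pointers out, consistent with the earlier comment that their data portion may dangle; an explicit "(raw pointers are exempt)" would stop readers from assuming the omission is accidental.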
This is the only actual change, decided in rust-lang/unsafe-code-guidelines#510.
Note that the PR has two commits; it may help to consider them separately.
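The following is an added example, not code from the PR or from the Rust reference, illustrating the two points made in this review: that slice metadata covers every type whose unsized tail is a slice (the `(u32, [u32])` example above), and that for references and `Box<T>` the metadata is invalid once the total size of the pointed-to value would exceed `isize::MAX`. The `Prefixed` struct, the helper names, and the sample values are all constructed for this example. It cross-checks the metadata arithmetic against what `size_of_val` reports for a real unsized value, and shows a raw wide pointer holding a length that a reference could never carry.

```rust
use std::mem::{align_of, size_of, size_of_val};

/// No Rust value may be larger than `isize::MAX` bytes.
const MAX_VALUE_SIZE: usize = isize::MAX as usize;

/// Constructed stand-in for the `(u32, [u32])` shape from the discussion:
/// a sized prefix followed by a slice tail. Its wide-pointer metadata is the
/// tail length; the size of the whole value is prefix + tail, padded.
#[repr(C)]
struct Prefixed<T: ?Sized> {
    header: u32,
    data: T,
}

/// Size in bytes of a value made of `prefix` bytes of sized fields followed by
/// `len` tail elements of `elem` bytes each, rounded up to `align` (a power of
/// two, as all Rust alignments are). `None` means the arithmetic overflowed
/// `usize`, which is certainly larger than `isize::MAX`.
fn total_size(prefix: usize, elem: usize, len: usize, align: usize) -> Option<usize> {
    let tail = elem.checked_mul(len)?;
    let unpadded = prefix.checked_add(tail)?;
    let padded = unpadded.checked_add(align - 1)? & !(align - 1);
    Some(padded)
}

/// Is `len` acceptable slice metadata for a reference (or `Box`) to a value
/// with the given layout? This is the `isize::MAX` rule: the *total* size of
/// the pointed-to value, prefix included, must not exceed the bound.
fn slice_metadata_is_valid(prefix: usize, elem: usize, len: usize, align: usize) -> bool {
    matches!(total_size(prefix, elem, len, align), Some(n) if n <= MAX_VALUE_SIZE)
}

/// Special case for a plain `&[T]`: no prefix, alignment of `T`.
fn plain_slice_len_is_valid<T>(len: usize) -> bool {
    slice_metadata_is_valid(0, size_of::<T>(), len, align_of::<T>())
}

/// Cross-check the arithmetic against what rustc reports for a real value.
/// Returns (size reported by `size_of_val`, size computed from the metadata).
fn prefixed_example_size() -> (usize, usize) {
    // Unsizing coercion: Box<Prefixed<[u32; 3]>> -> Box<Prefixed<[u32]>>.
    let value: Box<Prefixed<[u32]>> = Box::new(Prefixed { header: 7, data: [1u32, 2, 3] });
    let reported = size_of_val(&*value);
    let computed = total_size(size_of::<u32>(), size_of::<u32>(), value.data.len(), align_of::<u32>())
        .expect("small example never overflows");
    (reported, computed)
}

/// Raw wide pointers may carry any length; only producing a reference is
/// where validity matters. This refuses to build a `&[T]` whose size would
/// exceed `isize::MAX`. It stays `unsafe` because the caller must still
/// guarantee that `ptr` points to `len` initialized, properly aligned `T`s
/// that outlive `'a`; the length check alone cannot establish that.
unsafe fn checked_slice<'a, T>(ptr: *const T, len: usize) -> Option<&'a [T]> {
    if !plain_slice_len_is_valid::<T>(len) {
        return None;
    }
    Some(unsafe { std::slice::from_raw_parts(ptr, len) })
}

fn main() {
    let (reported, computed) = prefixed_example_size();
    println!("Prefixed<[u32]> with 3 elements: rustc says {reported} bytes, metadata says {computed}");

    let data = vec![1u32, 2, 3];
    // Merely holding a raw wide pointer with absurd metadata is fine; turning
    // it into a reference (or dereferencing it) is where UB would begin.
    let too_long: *const [u32] = std::ptr::slice_from_raw_parts(data.as_ptr(), usize::MAX);
    let _ = too_long;
    let ok = unsafe { checked_slice(data.as_ptr(), data.len()) }.is_some();
    let rejected = unsafe { checked_slice(data.as_ptr(), usize::MAX) }.is_none();
    println!("valid len accepted: {ok}, isize::MAX-violating len rejected: {rejected}");
}
```

The prefix matters: for a `&[u32]` the largest valid length is `isize::MAX / 4`, but that same length is invalid metadata for `&Prefixed<[u32]>`, because the four-byte header pushes the total size past the bound.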
+1
Starting a lang RFC so it's officially approved, and we can use that to update docs elsewhere following this. @rfcbot fcp merge
Team member @scottmcm has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
@rfcbot reviewed
🔔 This is now entering its final comment period, as per the review above. 🔔 psst @scottmcm, I wasn't able to add the
@rustbot labels -I-lang-nominated +final-comment-period This is now in FCP so we can unnominate.
As decided in rust-lang/unsafe-code-guidelines#510