-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Mutable Pointer Aliasing Rules are Unclear for Unsafe Code #19733
Comments
Nominating, because we need to either specify this for 1.0 or we need to take the Go route and say that all usage of |
The aliasing model is essentially the same as |
I realize that pointer aliasing is not easy to grasp and that the documentation doesn't attempt to teach this, but that doesn't make it a backwards compatibility issue. The unsafe documentation just needs to clarify that the scoped noalias model (same as |
P-high. Would be nice. |
Mostly that solves it, but there are still problems with "implicit accesses" (e.g. (f), which may be a problem if for some reason the compiler loads |
@steveklabnik Sorry but that really doesn't resolve the issue at hand. In particular it's an issue about how |
Can you give me the specific, exact details that you want, then? |
@steveklabnik This isn't a documentation problem per-se. It's more of a well-defined/concensus problem. I'm fairly certain there is no concensus on exactly what the rules are for what you're allowed to do with a Although perhaps you've managed to obtain some level of concensus? |
This was previously described as a doc bug. If it's not, then it's not a big deal to me, at the moment. |
@gankro is this still unclear today? it's been a while |
Abso-lutely. Nothing has been done in this space, and there's nothing on the horizon that will change this fact. |
Closing in favor of rust-lang/rfcs#1447 |
As I rub against the boundaries of unsafe and undefined behaviour more and more It's becoming less "obvious" to me what is or isn't allowed. To demonstrate this I've whipped up a few examples of safe and unsafe code that does basically the same thing. Some of them are clearly defined or clearly undefined in my mental model, but I really have no idea at this point.
a
is clearly defined, as it uses no unsafe code. We re-loan a mutable reference to a different variable temporarily. At any given point there's clear ownership of the value.b
does the exact same thing, but through a*mut
instead of an&mut
. Ownership is still "clear" to the compiler, but we mutate through the*mut
, and then later through the&mut
. It wouldn't be unreasonable to consider this undefined behaviour. We mutated something "owned" by an&mut
through something other than that&mut
, and then worked with the value through the&mut
.c
does the exact same things asb
, but explicitly constructs an &'static mut to mutate through unsafely. Here we have created two &mut's to the same value, which in my mental mode is clearly invoking undefined behaviour as I understand it. You cannot have two &mut's to the same value.d
is basically the same asa
, but we've added a box in the way. This adds a rawptr between the&mut
and the actual data. Semantically the data is still "owned" by the&mut
, but is the*mut
in-between important or just an implementation detail? Regardless this is all safe, so this must be defined.e
is the same asd
, but we've added a*mut
again. This time we mutate the data inside the box while the box is owned. However the box is a*mut
, so really we've just mutated data behind a rawptr with another rawptr. Now it really matters if the box's representation is defined or not! Critically I believe that the defined-ness of this case effects whether DList is sound or not. It mixes boxes,*mut
s, and&mut
s pretty freely. What is or isn't allowed is important.Finally
f
is a special case of unsafe mutable aliasing. Here we construct a*mut
to a subfield of a composite structure. Then we capture the whole structure with an&mut
. We mutate the subfield while the whole struct is owned, but then only use the ownership to mutate a different subfield. At no point do we read the "unsafely" mutated field. Then we relinquish ownership to the "parent" owner which, presumably, must assume that all fields may have been mutated since it loaned the structure out. Is this defined behaviour? I honestly have no clue.The text was updated successfully, but these errors were encountered: