Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Clarify documentation of traits with behavioral contracts (PartialOrd etc.) #73682

Closed
RalfJung opened this issue Jun 24, 2020 · 3 comments · Fixed by #115607
Closed

Clarify documentation of traits with behavioral contracts (PartialOrd etc.) #73682

RalfJung opened this issue Jun 24, 2020 · 3 comments · Fixed by #115607
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.

Comments

@RalfJung
Copy link
Member

@Qwaz points out that

Rust's Deref documentation says that this trait should never fail. Similarly, documentation of ExactSizeIterator, PartialOrd, and Hash also describe the behavior of implementations with enforcing words such as must and never.

However, all of these are safe traits, so unsafe code must not rely on such properties. If it does, we have a soundness bug.

I don't think Rust has RFC-style standardization of must/should/etc (maybe it should^^), but at least we should clarify these docs here I feel. Also given that safe code can break these promises, I wonder if "must" is appropriate. Maybe a better wording would be something like

implementations should do X (but since safe code can easily violate this property, users of this trait must not rely on implementations being well-behaved)
@jonas-schievink jonas-schievink added C-enhancement Category: An issue proposing an enhancement or a PR with one. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. labels Jun 24, 2020
@Qwaz
Copy link
Contributor

Qwaz commented Jun 25, 2020

Related closed RFC here: rust-lang/rfcs#956

@Qwaz
Copy link
Contributor

Qwaz commented Jul 9, 2020

I was unsure at first if it will be possible to implement all necessary unsafe operations soundly without relying on these behavioral contracts, but after studying data structures in libstd, it seems quite possible. They use proxy objects with transactional methods that will keep the invariant of the underlying data type in all situations.

I think these design patterns are worth being noted in Rustonomicon.

@RalfJung RalfJung mentioned this issue Jun 20, 2021
Merged
@m-ou-se
Copy link
Member

m-ou-se commented Jun 21, 2021

From my comment here:

We might want to clarify that 'must' in this documentation doesn't mean you get UB otherwise, and that you may not rely on these guarantees in unsafe code.

The HashSet documentation contains:

The behavior resulting from such a logic error is not specified, but will not result in undefined behavior. This could include panics, incorrect results, aborts, memory leaks, and non-termination.

We could add something like that here too.

@RalfJung RalfJung mentioned this issue Sep 6, 2023
Merged
@bors bors closed this as completed in c2f228f Sep 16, 2023
rust-timer added a commit to rust-lang-ci/rust that referenced this issue Sep 16, 2023
@rust-timer
Unrolled build for rust-lang#115607
02a913f 
Rollup merge of rust-lang#115607 - RalfJung:safe-traits-unsafe-code, r=dtolnay

clarify that unsafe code must not rely on our safe traits

This adds a disclaimer to PartialEq, Eq, PartialOrd, Ord, Hash, Deref, DerefMut.

We already have a similar disclaimer in ExactSizeIterator (worded a bit differently):
```
/// Note that this trait is a safe trait and as such does *not* and *cannot*
/// guarantee that the returned length is correct. This means that `unsafe`
/// code **must not** rely on the correctness of [`Iterator::size_hint`]. The
/// unstable and unsafe [`TrustedLen`](super::marker::TrustedLen) trait gives
/// this additional guarantee.
```
If there are any other traits that should carry such a disclaimer, please let me know.

Fixes rust-lang#73682
jmaargh added a commit to jmaargh/rust that referenced this issue Oct 21, 2023
@jmaargh
Add comment addressing Issue rust-lang#73682
e28566d
@jmaargh jmaargh mentioned this issue Oct 21, 2023
Merged
jmaargh added a commit to jmaargh/rust that referenced this issue Nov 4, 2023
@jmaargh
Draft fleshed-out deref docs
7a2f83f 
Re-draft Deref docs

Make general advice more explicit and note the difference between
generic and specific implementations.

Re-draft DerefMut docs in-line with Deref

Fix Deref docs typos

Fix broken links

Clarify advice for specific-over-generic impls

Add comment addressing Issue rust-lang#73682

x fmt

Copy faillibility warning to DerefMut
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

clarify that unsafe code must not rely on our safe traits RalfJung/rust
4 participants
@RalfJung @m-ou-se @jonas-schievink @Qwaz