Move PhantomData<T> from Shared<T> to users of both Shared and #[may_dangle] #46749

Merged: 1 commit, Dec 19, 2017

@SimonSapin
Contributor

SimonSapin commented Dec 15, 2017

After discussing #27730 (comment) today with @pnkfelix and @gankro, we concluded that it’s ok for drop checking not to be much smarter than the current #[may_dangle] design which requires an explicit unsafe opt-in.

See reasoning below: #46749 (comment)

@rust-highfive
Collaborator

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @joshtriplett (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

@joshtriplett
Member

The code as written looks to me like a correct implementation of the change the commit message describes.

For the actual question of whether the change the commit message describes seems reasonable, could I get some additional confirmation from @nikomatsakis or @aturon?

Apart from that, the Travis build seems to have failed. Looks like the tidy check failed? @SimonSapin, can you please take a look at that and make sure it passes?

@nikomatsakis
Contributor

r? @nikomatsakis

@Gankra
Contributor

Gankra commented Dec 16, 2017

(on phone)

So our meeting with @arielby boiled down to the following:

PhantomData does 3 things:

  • variance
  • owns
  • auto trait opt outs

If you make struct<T> you’ll get a warning if T isn’t used (suggesting PhantomData?). If you toss in that PhantomData<T> you’re good to go. Ok good.

If you use *mut T, you get invariance and opt out of all autotraits. Safe, good! But you don’t get owns.

If you opt to do *const and then cast to mut, then you get covariance but this is so very unergonomic that the only reason to do this is to explicitly get covariance. So that’s fine.

In either case you get no warning to use PhantomData. So dropck is fundamentally very easy to get wrong while also being incredibly obscure.

However this unsafety has been temporarily resolved by the fact that the non-parametric dropck rfc moved to safe defaults, where the presence of a generic argument implies “owns T”. And there’s no way to sneak in interesting lifetimes without being generic over them!

Now “owns T” only matters if you use the unsafe eyepatch, which is a great place to teach the user “hey if you do this, you should add a bunch of “owns” annotations”.

So Shared owning T potentially blocks using it with the eyepatch (or its replacement) and Shared not owning T isn’t really a major footgun.

All that remained was to agree that we weren’t willing to take a 5th shot at trying to make a “smart and safe” dropck. Everyone in the meeting agreed it was time to give up on such an endeavour.
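The split described in the comment above, sketched on stable Rust as an added example (not part of the comment or of the PR's code): a pointer wrapper that makes no "owns T" claim, and a user of it that adds the `PhantomData<T>` itself. `SharedPtr`, `OwningBox`, `shorten`, `Counted` and `drops_once` are hypothetical names; the `#[may_dangle]` form appears only in a comment because it is nightly-only.

```rust
use std::cell::Cell;
use std::marker::PhantomData;

// Hypothetical stand-in for `Shared<T>` after this change: `*const T` keeps it
// covariant and opts out of Send/Sync, but it makes no "owns T" claim.
struct SharedPtr<T>(*const T);

// A user that really owns a T carries the PhantomData<T> itself.
struct OwningBox<T> {
    ptr: SharedPtr<T>,
    _owns: PhantomData<T>,
}

impl<T> OwningBox<T> {
    fn new(value: T) -> Self {
        let ptr = SharedPtr(Box::into_raw(Box::new(value)) as *const T);
        OwningBox { ptr, _owns: PhantomData }
    }
    fn get(&self) -> &T {
        // Safety: the pointer came from Box::into_raw and is freed only in Drop.
        unsafe { &*self.ptr.0 }
    }
}

// Plain generic Drop: dropck conservatively assumes the destructor may touch T.
// The nightly-only opt-out is `unsafe impl<#[may_dangle] T> Drop for ...`; per
// the comment above, that is where the "owns T" marker starts to matter.
impl<T> Drop for OwningBox<T> {
    fn drop(&mut self) {
        // Safety: rebuilds the Box created in `new`, exactly once.
        unsafe { drop(Box::from_raw(self.ptr.0 as *mut T)) }
    }
}

// Compiles only because OwningBox<T> is covariant in T.
fn shorten<'a>(b: OwningBox<&'static str>) -> OwningBox<&'a str> { b }

// Constructed sample type: counts how often the owned value is dropped.
struct Counted<'a>(&'a Cell<u32>);
impl<'a> Drop for Counted<'a> {
    fn drop(&mut self) { self.0.set(self.0.get() + 1); }
}

fn drops_once() -> u32 {
    let n = Cell::new(0);
    { let _b = OwningBox::new(Counted(&n)); }
    n.get()
}

fn main() {
    println!("{} {}", shorten(OwningBox::new("hi")).get(), drops_once());
}
```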

…dangle]

After discussing [1] today with @pnkfelix and @gankro,
we concluded that it’s ok for drop checking not to be much smarter
than the current `#[may_dangle]` design which requires an explicit
unsafe opt-in.

[1] rust-lang#27730 (comment)
@SimonSapin
Contributor Author

“Eyepatch” refers to the #[may_dangle] attribute that I mention in the commit message: https://github.com/rust-lang/rfcs/blob/master/text/1327-dropck-param-eyepatch.md


Thanks @joshtriplett, I pushed an amended commit that should fix the build.

@kennytm kennytm added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-lang Relevant to the language team, which will review and decide on the PR/issue. labels Dec 16, 2017
@nikomatsakis
Contributor

I find this logic persuasive. It'd be nice if we could have it documented somewhere very central.

@nikomatsakis
Contributor

@bors r+

I'm not sure what level of "governance r+" is needed here, but given that this is an unstable feature, it seems relatively minimal, and I think all the key stakeholders have been involved here. I'll r+ -- if anyone objects, we could do some sort of FCP period I suppose.

@bors
Contributor

bors commented Dec 18, 2017

📌 Commit 60dc104 has been approved by nikomatsakis

@bors
Contributor

bors commented Dec 19, 2017

⌛ Testing commit 60dc104 with merge b39c4bc...

bors added a commit that referenced this pull request Dec 19, 2017
Move PhantomData<T> from Shared<T> to users of both Shared and #[may_dangle]

After discussing #27730 (comment) today with @pnkfelix and @gankro, we concluded that it’s ok for drop checking not to be much smarter than the current `#[may_dangle]` design which requires an explicit unsafe opt-in.
@bors
Contributor

bors commented Dec 19, 2017

☀️ Test successful - status-appveyor, status-travis
Approved by: nikomatsakis
Pushing b39c4bc to master...
