fix: add aliasing rules for Box#146870
Conversation
rustbot
added
S-waiting-on-review
|
rustbot has assigned @Mark-Simulacrum. Use |
| /// The ownership of `raw` is effectively transferred to the resulting | ||
| /// `Box<T>` which may then deallocate or change the contents of memory | ||
| /// pointed to by the pointer at will. You must ensure that nothing else uses | ||
| /// the pointer after calling this function. |
There was a problem hiding this comment.
As @RalfJung mentions in the other PR, this is perhaps too strict a condition with regards to forget (or not strict enough).
I'm also not sure if we've settled on this rule -- maybe this should instead link to https://doc.rust-lang.org/nightly/std/boxed/index.html#considerations-for-unsafe-code? That also notes the disclaimer that Box may be less restrictive than this makes it out to be.
There was a problem hiding this comment.
Thanks for the feedback. In fact, the interaction with forget was a key point of uncertainty in my previous changes.
I agree with the method of adding the link to the "considerations for unsafe code" section. But the forget concerns do not seem to be clearly indicated in this link either. Should I also explicitly clarify the rules regarding mem::forget in this PR?
If I do this for Box, should I also update the documentation for APIs like Vec::from_raw_parts for consistency?
There was a problem hiding this comment.
As written, this sentence would rule out code like this which is accepted by Miri:
let ptr = Box::into_raw(Box::new(0));
mem::forget(Box::from_raw(ptr));
drop(Box::from_raw(ptr));Whether we want to allow such code or not is not something we have decided I think. The existing docs already rule out code like this which is accepted by Miri:
let mut a = 0;
mem::forget(Box::from_raw(&raw mut a));That said, the corresponding Vec docs you mention are also quite restrictive here and don't allow anything like that. Vec isn't even subject to aliasing requirements. The docs there are written like this entirely because the destructor frees the memory.
There was a problem hiding this comment.
@RalfJung Thanks for your detailed clarification! I can get your point.
As for the next step, can I add a note to the documentation mentioning that certain uses with mem::forget (like the examples you provided) are allowed? Or do you have a better suggestion for how to address this?
rustbot
added
S-waiting-on-author
|
Hi, ping from triage team. This PR has been inactive for a while. Are there any updates on this? |
This comment has been minimized.
This comment has been minimized.
|
This PR was rebased onto a different main commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers. |
This comment has been minimized.
This comment has been minimized.
|
@rustbot ready |
rustbot
added
S-waiting-on-review
| /// | ||
| /// The safety conditions are described in the [memory layout] section. | ||
| /// Additionally, transferring ownership of the pointer | ||
| /// to the `Box<T>` introduces specific aliasing rules. Please see the |
There was a problem hiding this comment.
Strictly speaking, the ownership transfer is of the "memory", not the pointer (which is Copy).
Maybe we can just say "Note that the [considerations for unsafe code] apply to all Box<T> values"? That seems like it's both sufficient and avoids needing to get into much detail here.
There was a problem hiding this comment.
Oh yeah, that's more straightforward. I'll update it~
rustbot
removed
the
S-waiting-on-review
|
Reminder, once the PR becomes ready for a review, use |
rustbot
added
the
S-waiting-on-author
|
@rustbot ready |
rustbot
added
S-waiting-on-review
|
@bors r+ rollup |
rust-bors
Bot
added
S-waiting-on-bors
…lacrum fix: add aliasing rules for Box This is a new revised version for the PR [139857](rust-lang#139857), sorry for the delayed reply. I've rewritten the sentence to closely mirror the wording from `Vec::from_raw_parts`, which clearly states the transfer of ownership and its consequences. This should make the aliasing requirements much clearer. I opted not to include a note about `mem::forget` by default to keep the documentation focused on the primary contract, similar to `Vec`.
…uwer Rollup of 10 pull requests Successful merges: - #150230 (spec next chunk for trustedlen) - #155284 (net::tcp/udp: fix docs about how set_nonblocking is implemented) - #146870 (fix: add aliasing rules for Box) - #154003 (Make std::fs::File Send on UEFI) - #155187 (std: fix HashMap RNG docs wording) - #155255 (Document why `layout.align() + layout.size()` doesn't overflow) - #155351 (Reorganize tests from `tests/ui/issues/`) - #155406 (std: Update dependency on `wasi` crate) - #155447 (Simplify `parse_limited`) - #155481 (Delete `SizeSkeleton::Generic`)
Rollup merge of #146870 - DiuDiu777:box-doc-fix, r=Mark-Simulacrum fix: add aliasing rules for Box This is a new revised version for the PR [139857](#139857), sorry for the delayed reply. I've rewritten the sentence to closely mirror the wording from `Vec::from_raw_parts`, which clearly states the transfer of ownership and its consequences. This should make the aliasing requirements much clearer. I opted not to include a note about `mem::forget` by default to keep the documentation focused on the primary contract, similar to `Vec`.
6 participants
This is a new revised version for the PR 139857, sorry for the delayed reply. I've rewritten the sentence to closely mirror the wording from
Vec::from_raw_parts, which clearly states the transfer of ownership and its consequences. This should make the aliasing requirements much clearer.I opted not to include a note about
mem::forgetby default to keep the documentation focused on the primary contract, similar toVec.