clarify that addr_of creates read-only pointers #129653
Conversation
Cc @rust-lang/opsem
This note is definitely useful when interpreting the docs of
library/core/src/ptr/mod.rs
Outdated
/// It is still an open question whether writing through an `addr_of!`-created pointer is permitted
/// or not. Until that is decided, the same rules as for shared references apply: it is UB to write
/// through a pointer created with this operation, except for bytes located inside an `UnsafeCell`.
This wording sounds like taking a raw pointer `raw_ptr` and transforming it using `addr_of!((*raw_ptr).field)` results in a pointer that only has read-only permissions, even if `raw_ptr` has read/write permissions. Is that intended?
Hm... that is currently not the case, but given that this is all undecided, maybe we should say that indeed this makes a read-only pointer? If there's a good reason to be more fine-grained here I am open to that, the only concern here is that it makes it much harder to say what is and isn't read-only.
Uh ... I think that would be problematic. I would think that many people, like me, go around and assume that as long as you stay in raw pointer land, you never give up permissions on your pointers.
Yeah, `addr_of!` would be a bit of a pitfall, but given the wording I would have expected that.
Do we want an `addr_of_const!` instead, and tell people to use that unless you are very careful with `addr_of!`?
I'm not sure a third macro makes sense. I think `addr_of!` should guarantee that if both the input and output types are raw pointers, then permissions are preserved and the behavior is identical to using `ptr::offset`. It's very useful for teaching if I can say that the only thing that matters for the permissions of raw pointers is where it originally comes from. Adding exceptions to that general rule is counterproductive.

In the same vein, the usual motivation for not roundtripping through `&T` is that doing so gives up permissions to write. The entire point of `addr_of!` is that it does not roundtrip through `&T`.

When doing `addr_of!(MY_STATIC)` you are creating the raw pointer, so it is consistent with the above rule that the resulting pointer is read-only. In this case, the `addr_of!` is where the raw pointer originally came from, so this decides its permissions.
> both the input and output types are raw pointers

The thing is, the input is a place, it's not raw or anything. So we have to distinguish on "what is the place based on". It's annoying. But more UB is also annoying so I'll give it a shot.
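The "what is the place based on" rule discussed above, as an added example that is not part of this PR or the standard library: a place based on a raw pointer gives an `addr_of!` result that inherits that pointer's permissions, while a place based on a `static` or a reference gives a read-only pointer, so writes to those go through `addr_of_mut!`. `Packet` and `COUNTER` are constructed for this demo.

```rust
use std::ptr::{addr_of, addr_of_mut};

#[repr(C)]
struct Packet {
    len: u32,
    flags: u32,
}

// Constructed for this example: the `MY_STATIC` of the discussion above.
static mut COUNTER: u32 = 0;

/// Place based on a `static`: the `addr_of!` pointer is read-only, so only read through it.
fn read_counter() -> u32 {
    // SAFETY: single-threaded example; no reference to COUNTER exists.
    unsafe { addr_of!(COUNTER).read() }
}

/// To write a `static`, create the pointer with `addr_of_mut!`. Casting the
/// `addr_of!` result to `*mut u32` and writing would be UB under the documented rule.
fn set_counter(v: u32) -> u32 {
    // SAFETY: as above; the write does not race with any other access.
    unsafe {
        let p: *mut u32 = addr_of_mut!(COUNTER);
        p.write(v);
        p.read()
    }
}

/// Place based on a raw pointer: `addr_of!((*p).flags)` inherits `p`'s permissions,
/// so writing through it is permitted because `p` is a `*mut` with write permission.
fn set_flags_via_field_ptr(p: *mut Packet, flags: u32) -> u32 {
    // SAFETY: the caller guarantees `p` is valid for reads and writes and not aliased.
    unsafe {
        let f: *const u32 = addr_of!((*p).flags);
        (f as *mut u32).write(flags);
        (*p).flags
    }
}

/// Place based on a shared reference: the field pointer is read-only, like `&pkt.len`.
fn read_len(pkt: &Packet) -> u32 {
    // SAFETY: `pkt` is a valid reference, so the field is readable.
    unsafe { addr_of!(pkt.len).read() }
}

fn main() {
    set_counter(7);
    let mut pkt = Packet { len: 64, flags: 0 };
    let flags = set_flags_via_field_ptr(&mut pkt, 0b101);
    println!("counter={} flags={} len={}", read_counter(), flags, read_len(&pkt));
}
```

Running this under Miri exercises exactly the distinction the doc comment draws; the write through the `static`-based `addr_of!` pointer that the comment in `set_counter` describes is the case Stacked Borrows flags.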
library/core/src/ptr/mod.rs
Outdated
/// It is still an open question whether writing through an `addr_of!`-created pointer is permitted
/// or not. Until that is decided, the same rules as for shared references apply: it is UB to write
/// through a pointer created with this operation, except for bytes located inside an `UnsafeCell`.
/// or not. Specifically, if the place `expr` evaluates to is based on a raw pointer, then the
/// result of `addr_of!` inherits all permissions from that raw pointer. However, if the place is
/// based on a reference, local variable, or `static`, then until all details are decided, the same
/// rules as for shared references apply: it is UB to write through a pointer created with this
/// operation, except for bytes located inside an `UnsafeCell`.
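Review bot: "based on" carries the whole rule in the replacement lines, but the doc never shows the two cases it separates; a short example next to this paragraph, contrasting `addr_of!((*raw).field)` (inherits the permissions of `raw`) with `addr_of!(MY_STATIC)` or `addr_of!(reference.field)` (read-only until the open question is settled), would make the distinction concrete for readers who only see the rendered docs. Separately, "Specifically, ..." right after "It is still an open question ... or not." reads as if it elaborates the open question, while the sentence actually states the current rule; an opener such as "Currently, ..." would be clearer.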
Maybe it would make more sense to just state "the rules today are so and so, the pointer is always read-only unless the input is a raw pointer in which case permissions are preserved". And then say that these rules could be relaxed in the future.
Not sure what that would improve, sounds equivalent.
cc @rust-lang/lang
I think this makes good sense to me. Clarifying that this is already how things are working seems like an improvement to do now regardless of whether we want to change things in the future. (And those future changes could easily end up tied up in things like whether we should have a const/mut-agnostic pointer type that a `addr_of_flexible!(MY_STATIC)` could return.)

So I'll plan to r+ this unless there's opposition in the meeting on Wed -- I don't think a warning about current behaviour needs an FCP.
This was raised briefly in the lang triage meeting today, and nobody had objection to documenting the open question here. Thanks for writing it! @bors r+ rollup
…tmcm clarify that addr_of creates read-only pointers Stacked Borrows does make this UB, but Tree Borrows does not. This is tied up with rust-lang#56604 and other UCG discussions. Also see [this collection of links](Rust-for-Linux/linux#950 (comment)) where rustc treats `addr_of!` as a "non-mutating use". So, let's better be careful for now.
…iaskrgr Rollup of 12 pull requests Successful merges: - rust-lang#128919 (Add an internal lint that warns when accessing untracked data) - rust-lang#129471 ([rustdoc] Sort impl associated items by kinds and then by appearance) - rust-lang#129653 (clarify that addr_of creates read-only pointers) - rust-lang#129775 (bootstrap: Try to track down why `initial_libdir` sometimes fails) - rust-lang#129939 (explain why Rvalue::Len still exists) - rust-lang#129940 (s390x: Fix a regression related to backchain feature) - rust-lang#129942 (copy rustc rustlib artifacts from ci-rustc) - rust-lang#129943 (use the bootstrapped compiler for `test-float-parse` test) - rust-lang#129944 (Add compat note for trait solver change) - rust-lang#129947 (Add digit separators in `Duration` examples) - rust-lang#129955 (Temporarily remove fmease from the review rotation) - rust-lang#129957 (forward linker option to lint-docs) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 12 pull requests Successful merges: - rust-lang#128919 (Add an internal lint that warns when accessing untracked data) - rust-lang#129472 (fix ICE when `asm_const` and `const_refs_to_static` are combined) - rust-lang#129653 (clarify that addr_of creates read-only pointers) - rust-lang#129775 (bootstrap: Try to track down why `initial_libdir` sometimes fails) - rust-lang#129939 (explain why Rvalue::Len still exists) - rust-lang#129940 (s390x: Fix a regression related to backchain feature) - rust-lang#129942 (copy rustc rustlib artifacts from ci-rustc) - rust-lang#129943 (use the bootstrapped compiler for `test-float-parse` test) - rust-lang#129944 (Add compat note for trait solver change) - rust-lang#129947 (Add digit separators in `Duration` examples) - rust-lang#129955 (Temporarily remove fmease from the review rotation) - rust-lang#129957 (forward linker option to lint-docs) Failed merges: - rust-lang#129471 ([rustdoc] Sort impl associated items by kinds and then by appearance) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 11 pull requests Successful merges: - rust-lang#128919 (Add an internal lint that warns when accessing untracked data) - rust-lang#129472 (fix ICE when `asm_const` and `const_refs_to_static` are combined) - rust-lang#129653 (clarify that addr_of creates read-only pointers) - rust-lang#129775 (bootstrap: Try to track down why `initial_libdir` sometimes fails) - rust-lang#129939 (explain why Rvalue::Len still exists) - rust-lang#129942 (copy rustc rustlib artifacts from ci-rustc) - rust-lang#129943 (use the bootstrapped compiler for `test-float-parse` test) - rust-lang#129944 (Add compat note for trait solver change) - rust-lang#129947 (Add digit separators in `Duration` examples) - rust-lang#129955 (Temporarily remove fmease from the review rotation) - rust-lang#129957 (forward linker option to lint-docs) r? `@ghost` `@rustbot` modify labels: rollup
…kingjubilee Rollup of 14 pull requests Successful merges: - rust-lang#128919 (Add an internal lint that warns when accessing untracked data) - rust-lang#129021 (Check WF of source type's signature on fn pointer cast) - rust-lang#129472 (fix ICE when `asm_const` and `const_refs_to_static` are combined) - rust-lang#129653 (clarify that addr_of creates read-only pointers) - rust-lang#129775 (bootstrap: Try to track down why `initial_libdir` sometimes fails) - rust-lang#129781 (Make `./x.py <cmd> compiler/<crate>` aware of the crate's features) - rust-lang#129939 (explain why Rvalue::Len still exists) - rust-lang#129942 (copy rustc rustlib artifacts from ci-rustc) - rust-lang#129944 (Add compat note for trait solver change) - rust-lang#129947 (Add digit separators in `Duration` examples) - rust-lang#129955 (Temporarily remove fmease from the review rotation) - rust-lang#129957 (forward linker option to lint-docs) - rust-lang#129969 (Make `Ty::boxed_ty` return an `Option`) - rust-lang#129995 (Remove wasm32-wasip2's tier 2 status from release notes) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129653 - RalfJung:addr-of-read-only, r=scottmcm clarify that addr_of creates read-only pointers Stacked Borrows does make this UB, but Tree Borrows does not. This is tied up with rust-lang#56604 and other UCG discussions. Also see [this collection of links](Rust-for-Linux/linux#950 (comment)) where rustc treats `addr_of!` as a "non-mutating use". So, let's better be careful for now.
Stacked Borrows does make this UB, but Tree Borrows does not. This is tied up with #56604 and other UCG discussions. Also see this collection of links where rustc treats `addr_of!` as a "non-mutating use". So, let's better be careful for now.