Document lack of panic safety guarantees of Clone::clone_from
#98461
Conversation
rustbot
added
the
T-libs
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
|
r? @kennytm (rust-highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
|
r? @m-ou-se |
m-ou-se
added
I-libs-api-nominated
joshtriplett
removed
the
I-libs-api-nominated
|
Team member @joshtriplett has proposed to merge this. The next step is review by the rest of the tagged team members: Concerns: Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rfcbot
added
proposed-final-comment-period
|
The term "panic safe" generally refers to ensure unsafe code remains sound in the face of panics. Its use here is not completely accurate: |
library/core/src/clone.rs
Outdated
| /// ```no_run | ||
| /// use std::sync::atomic::{AtomicBool, Ordering}; | ||
| /// | ||
| /// // Ensure that static vector accessed only once | ||
| /// static WAS_CALLED: AtomicBool = AtomicBool::new(false); | ||
| /// if WAS_CALLED.fetch_or(true, Ordering::Acquire){ | ||
| /// return; | ||
| /// } | ||
| /// | ||
| /// #[derive(PartialEq, Eq, Debug)] | ||
| /// struct IAmPanicDuringClone; | ||
| /// | ||
| /// impl Clone for IAmPanicDuringClone { | ||
| /// fn clone(&self) -> Self { | ||
| /// panic!() | ||
| /// } | ||
| /// } | ||
| /// | ||
| /// // Here little complicated | ||
| /// // because we need to pass it through panic boundary for demo purposes. | ||
| /// // Hacky and improper way to do this is usage of static variable. | ||
| /// // Don't write like that in production. | ||
| /// static mut A: Vec<IAmPanicDuringClone> = Vec::new(); | ||
| /// let a = unsafe{ | ||
| /// // Safe because we have AtomicBool check before. | ||
| /// &mut A | ||
| /// }; | ||
| /// | ||
| /// *a = vec![ | ||
| /// IAmPanicDuringClone, | ||
| /// IAmPanicDuringClone, | ||
| /// IAmPanicDuringClone, | ||
| /// ]; | ||
| /// let b = vec![ | ||
| /// IAmPanicDuringClone, | ||
| /// IAmPanicDuringClone, | ||
| /// IAmPanicDuringClone, | ||
| /// ]; | ||
| /// let c = vec![IAmPanicDuringClone, IAmPanicDuringClone]; | ||
| /// | ||
| /// // This succeedes. | ||
| /// assert_eq!(a, &b); | ||
| /// std::panic::catch_unwind(|| { | ||
| /// unsafe { A.clone_from(&c) }; | ||
| /// }).expect_err("Must panic"); | ||
| /// | ||
| /// // This fails at Rust 1.61. | ||
| /// assert_eq!(unsafe { &A }, &b); | ||
| /// ``` |
There was a problem hiding this comment.
I'm not comfortable with using this as an example (it feels a bit contrived), how do you feel about using this version instead?
There was a problem hiding this comment.
Absolutely agree, your version is much more cleaner and has less noise in it.
Would fix PR later.
m-ou-se
added
S-waiting-on-author
AngelicosPhosphoros
force-pushed
the
document_panic_safety_of_clone_from
branch
from
c51267f to
67251ab
Compare
It isn't panic safe de-facto (e.g. for `Vec`) so I just document current behaviour. Panic safety was mentioned by @scottmcm when discussing [PR with deriving clone_from](rust-lang#98445 (comment)). Co-authored-by: Jane Losare-Lusby <[email protected]>
AngelicosPhosphoros
force-pushed
the
document_panic_safety_of_clone_from
branch
from
67251ab to
d665f28
Compare
rustbot
added
S-waiting-on-review
JohnCSimon
removed
the
S-waiting-on-review
JohnCSimon
added
the
S-waiting-on-review
| /// let dest = Mutex::new(vec![]); | ||
| /// | ||
| /// // clone from src into dest | ||
| /// std::panic::catch_unwind(|| { |
There was a problem hiding this comment.
Instead of a Mutex, you can use catch_unwind(AssertUnwindSafe(..)).
| /// // dest is left in an incomplete state with only half of the clone having | ||
| /// // completed successfully | ||
| /// assert_eq!(vec![PanicAtTheClone(false)], *guard); |
There was a problem hiding this comment.
Maybe change this to just assert_ne!(src, dest);, since we don't want to make promises about the resulting state.
| /// so it cannot preserve old data stored in those resources. | ||
| /// | ||
| /// That example shows one case of such behaviour: | ||
| /// ```no_run |
|
ping @joshtriplett for your rfcbot concern. |
KittyBorgX
added
S-waiting-on-author
|
@AngelicosPhosphoros any updates on this? thanks |
|
@rfcbot resolve reword Sorry to have missed the ping here. |
rfcbot
added
final-comment-period
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
| /// | ||
| /// # Panic behaviour | ||
| /// | ||
| /// Due to it's nature, this method cannot guarantee that it would be transactional. |
There was a problem hiding this comment.
Tiny grammar nit: This should read "Due to its" (not "it's" with an apostrophe)
| /// # Panic behaviour | ||
| /// | ||
| /// Due to it's nature, this method cannot guarantee that it would be transactional. | ||
| /// If call panics, `self` can be left in inconsistent state. |
There was a problem hiding this comment.
Tiny nit: "If a call panics"
| /// `clone_from` is intended to preserve resources owned by `self` | ||
| /// so it cannot preserve old data stored in those resources. | ||
| /// | ||
| /// That example shows one case of such behaviour: |
| /// `a.clone_from(&b)` is equivalent to `a = b.clone()` in functionality except cases | ||
| /// when it panics in the middle of operation. It can be overridden to reuse the resources |
There was a problem hiding this comment.
I think this sentence could be readily misinterpreted as “clone_from is equivalent to clone except that in some cases it may panic”, since this is the first mention of panicking in the text. I'm not sure exactly what to do about that, but how about "…in functionality (except in the event of a panic).” which emphasizes that it's about the consequences of a panic, not causing a panic. The “in the middle” is explained below so it doesn't need to be brought up here.
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
JohnCSimon
added
S-waiting-on-author
|
@AngelicosPhosphoros seems this PR needs a tiny bit of polish and then it's gold. Any capacity to drive this to the finish line? (No pressure, just asking as part of the periodic reviews we do on pending contributions). Thanks 🙂 |
|
Author hasn't responded in months... Ping from triage: I'm closing this due to inactivity, Please reopen when you are ready to continue with this. @rustbot label: +S-inactive |
rustbot
added
the
S-inactive
It isn't panic safe de-facto (e.g. for
Vec) so I just document current behaviour.Panic safety was mentioned by @scottmcm when discussing PR with deriving clone_from.