
Clarify semantics of wrapping_offset when leaving object bounds #45719

Closed
RalfJung opened this issue Nov 2, 2017 · 3 comments
Labels
C-enhancement Category: An issue proposing an enhancement or a PR with one. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue.

Comments

@RalfJung
Member

RalfJung commented Nov 2, 2017

The documentation of wrapping_offset should clarify whether it is legal to use this function to move from one object to another. Concretely, is the following a "safe" function in the sense that it is safe to call by any safe client?

fn is_this_safe(x: &mut i32, y: &mut i32) {
    let x_ptr = x as *mut _; drop({x});
    let y_ptr = y as *mut _; drop({y});
    let diff  = x_ptr.offset_to(y_ptr).unwrap();
    let x_alias = x_ptr.wrapping_offset(diff);
    unsafe { *x_alias = 42; }
}

(The funny drop just makes sure that the original x and y are gone, side-stepping some memory model questions.)

I see two possible options:

  • We say this is safe. Then we have to change the implementation of wrapping_offset; currently, it compiles to a getelementptr which (even without inbounds) is documented to possibly return a pointer that cannot be dereferenced even if it is equal to a valid pointer. The intention behind this is probably for getelementptr to preserve aliasing information. As a consequence, getelementptr cannot cross object boundaries.
  • We say this is not safe. Then the documentation of wrapping_offset should get a big fat warning saying so.

Given that wrapping_offset is a safe function, I think I would prefer the least surprising option, which is to make this safe. One possible implementation would be to cast the pointer to an integer, do the arithmetic there, and cast back.

Cc @eddyb @arielb1 @gankro
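The "cast the pointer to an integer, do the arithmetic there, and cast back" route proposed above, written out as an added example; this is not code from the issue, from the linked discussion, or from the Rust standard library. The names `wrapping_offset_via_int`, `element_diff` and `write_through_alias` are hypothetical, and `element_diff` is an assumed stand-in for the unstable `offset_to` used in the snippet, computing the element distance from the two integer addresses. The point it demonstrates is that the resulting pointer compares equal to `y_ptr` and was never produced by a `getelementptr`, which is exactly the property the issue says `wrapping_offset` does not currently guarantee.

```rust
use std::mem::size_of;

/// Recomputes `base + count` elements purely on the integer address and casts
/// back. This is the integer route proposed in the issue, as opposed to
/// `wrapping_offset`, which lowers to a `getelementptr` and so may not be
/// usable to reach a different object. (Hypothetical helper, not std.)
fn wrapping_offset_via_int<T>(base: *mut T, count: isize) -> *mut T {
    // Two's-complement wrapping makes negative counts work without a branch.
    let byte_delta = (count as usize).wrapping_mul(size_of::<T>());
    (base as usize).wrapping_add(byte_delta) as *mut T
}

/// Element-count distance from `from` to `to`, computed from integer
/// addresses. Assumed stand-in for the issue's unstable `offset_to`:
/// `None` for a zero-sized `T` or for a distance that is not a whole
/// number of elements.
fn element_diff<T>(from: *mut T, to: *mut T) -> Option<isize> {
    let size = size_of::<T>() as isize;
    if size == 0 {
        return None;
    }
    let byte_delta = (to as usize).wrapping_sub(from as usize) as isize;
    if byte_delta % size != 0 {
        return None;
    }
    Some(byte_delta / size)
}

/// The issue's `is_this_safe`, rebuilt on the integer route: the pointer
/// that is written through is derived from `x`'s address plus the distance
/// to `y`, so it lands on `y`'s object.
fn write_through_alias(x: &mut i32, y: &mut i32) {
    let x_ptr = x as *mut i32;
    let y_ptr = y as *mut i32;
    let diff = element_diff(x_ptr, y_ptr).expect("i32 is not zero-sized");
    let x_alias = wrapping_offset_via_int(x_ptr, diff);
    // Address equality holds by construction; the issue is about whether a
    // pointer obtained this way may be dereferenced, which the integer
    // round-trip is meant to make unambiguous.
    assert_eq!(x_alias, y_ptr);
    unsafe {
        *x_alias = 42;
    }
}

fn main() {
    let mut a = 1;
    let mut b = 2;
    write_through_alias(&mut a, &mut b);
    println!("a = {a}, b = {b}");
}
```

Running it writes 42 into `b` and leaves `a` untouched; `element_diff` also rejects misaligned distances and zero-sized element types, two cases the original one-liner silently unwraps.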

@eddyb
Member

eddyb commented Nov 2, 2017

cc @ubsan @nikomatsakis

@strega-nil
Contributor

don't cc me on rust issues anymore.

@RalfJung
Member Author

It seems this is now getting discussed at #45839 (comment).

@pietroalbini pietroalbini added C-enhancement Category: An issue proposing an enhancement or a PR with one. T-libs-api Relevant to the library API team, which will review and decide on the PR/issue. labels Jan 23, 2018