-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Taking a raw ref (&raw (const|mut)
) of a deref of pointer (*ptr
) is always safe
#129248
Conversation
r? @nnethercote rustbot has assigned @nnethercote. Use |
Seems more like a lang question to me than an opsem question -- from an opsem side, the relevant question is whether there is UB, and the answer is "no". But from a lang perspective, it may seem odd to have Also note that due to #117288, sometimes we do have UB just from constructing a place. That's a MIR building bug but we should probably fix it before accepting such code as safe. (Sorry I didn't remember this when we spoke earlier.) |
👍 yep, this could be blocked on #117288 then. I think we can probably T-lang-nominate this regardless for discussion. |
The code changes seem fine, so r=me on them if/when lang/opsem are happy with this. |
Thinking about the |
Good catch. Thanks. |
25d617f
to
f3b3e4b
Compare
This comment has been minimized.
This comment has been minimized.
Truly?! |
Yes, truly. :) |
So That does seem a bit inconsistent. It doesn't seem super useful to write code like that, but then it doesn't seem super useful to write |
@RalfJung: No, that would need to have another special case in the THIR. |
☔ The latest upstream changes (presumably #130390) made this pull request unmergeable. Please resolve the merge conflicts. |
🤷 I'd still like to fix it, regardless, I think, especially now that #117288 is closed. I'd also like if |
f3b3e4b
to
367183b
Compare
I mean, we intentionally changed it to require being in an |
Because it was unsound? Could you provide some context? |
also this is @rustbot ready :D |
Procedurally it has been approved by t-lang. I'm not very familiar with THIR so it's hard for me to say whether the implementation matches the intent. We don't have a dedicated test for the cases that should be rejected, but tests/ui/lint/lint-deref-nullptr.rs and tests/ui/static/raw-ref-deref-without-unsafe.rs to cover the most important cases I can think of. |
I think this has waited long enough. @bors r+ |
…iaskrgr Rollup of 5 pull requests Successful merges: - rust-lang#129248 (Taking a raw ref (`&raw (const|mut)`) of a deref of pointer (`*ptr`) is always safe) - rust-lang#131906 (rustdoc: adjust spacing and typography in header) - rust-lang#132084 (Consider param-env candidates even if they have errors) - rust-lang#132096 (Replace an FTP link in comments with an equivalent HTTPS link) - rust-lang#132098 (rustc_feature::Features: explain what that 'Option<Symbol>' is about) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#129248 - compiler-errors:raw-ref-deref, r=nnethercote Taking a raw ref (`&raw (const|mut)`) of a deref of pointer (`*ptr`) is always safe T-opsem decided in rust-lang/reference#1387 that `*ptr` is only unsafe if the place is accessed. This means that taking a raw ref of a deref expr is always safe, since it doesn't constitute a read. This also relaxes the `DEREF_NULLPTR` lint to stop warning in the case of raw ref of a deref'd nullptr, and updates its docs to reflect that change in the UB specification. This does not change the behavior of `addr_of!((*ptr).field)`, since field projections still require the projection is in-bounds. I'm on the fence whether this requires an FCP, since it's something that is guaranteed by the reference you could ostensibly call this a bugfix since we were counting truly safe operations as unsafe. Perhaps someone on opsem has a strong opinion? cc `@rust-lang/opsem`
T-opsem decided in rust-lang/reference#1387 that
*ptr
is only unsafe if the place is accessed. This means that taking a raw ref of a deref expr is always safe, since it doesn't constitute a read.This also relaxes the
DEREF_NULLPTR
lint to stop warning in the case of raw ref of a deref'd nullptr, and updates its docs to reflect that change in the UB specification.This does not change the behavior of
addr_of!((*ptr).field)
, since field projections still require the projection is in-bounds.I'm on the fence whether this requires an FCP, since it's something that is guaranteed by the reference you could ostensibly call this a bugfix since we were counting truly safe operations as unsafe. Perhaps someone on opsem has a strong opinion? cc @rust-lang/opsem