Taking a raw ref (&raw (const|mut)) of a deref of pointer (*ptr) is always safe
#129248
+46
−52
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
r? @nnethercote rustbot has assigned @nnethercote. Use |
rustbot
added
S-waiting-on-review
|
Seems more like a lang question to me than an opsem question -- from an opsem side, the relevant question is whether there is UB, and the answer is "no". But from a lang perspective, it may seem odd to have Also note that due to #117288, sometimes we do have UB just from constructing a place. That's a MIR building bug but we should probably fix it before accepting such code as safe. (Sorry I didn't remember this when we spoke earlier.) |
|
👍 yep, this could be blocked on #117288 then. I think we can probably T-lang-nominate this regardless for discussion. |
compiler-errors
added
T-lang
|
The code changes seem fine, so r=me on them if/when lang/opsem are happy with this. |
|
Thinking about the |
rustbot
removed
the
I-lang-nominated
bors
added
S-waiting-on-bors
bors
added
S-waiting-on-author
compiler-errors
added
S-blocked
|
Good catch. Thanks. |
compiler-errors
force-pushed
the
raw-ref-deref
branch
from
25d617f to
f3b3e4b
Compare
This comment has been minimized.
This comment has been minimized.
Truly?! |
|
Yes, truly. :) |
|
So That does seem a bit inconsistent. It doesn't seem super useful to write code like that, but then it doesn't seem super useful to write |
|
@RalfJung: No, that would need to have another special case in the THIR. |
4 tasks
|
☔ The latest upstream changes (presumably #130390) made this pull request unmergeable. Please resolve the merge conflicts. |
🤷 I'd still like to fix it, regardless, I think, especially now that #117288 is closed. I'd also like if |
compiler-errors
force-pushed
the
raw-ref-deref
branch
from
f3b3e4b to
367183b
Compare
I mean, we intentionally changed it to require being in an |
|
Because it was unsound? Could you provide some context? |
|
also this is @rustbot ready :D |
rustbot
added
S-waiting-on-review
|
Procedurally it has been approved by t-lang. I'm not very familiar with THIR so it's hard for me to say whether the implementation matches the intent. We don't have a dedicated test for the cases that should be rejected, but tests/ui/lint/lint-deref-nullptr.rs and tests/ui/static/raw-ref-deref-without-unsafe.rs to cover the most important cases I can think of. |
|
I think this has waited long enough. @bors r+ |
bors
added
S-waiting-on-bors
RalfJung
added
the
relnotes
3 tasks
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Oct 24, 2024
…iaskrgr Rollup of 5 pull requests Successful merges: - rust-lang#129248 (Taking a raw ref (`&raw (const|mut)`) of a deref of pointer (`*ptr`) is always safe) - rust-lang#131906 (rustdoc: adjust spacing and typography in header) - rust-lang#132084 (Consider param-env candidates even if they have errors) - rust-lang#132096 (Replace an FTP link in comments with an equivalent HTTPS link) - rust-lang#132098 (rustc_feature::Features: explain what that 'Option<Symbol>' is about) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Oct 24, 2024
Rollup merge of rust-lang#129248 - compiler-errors:raw-ref-deref, r=nnethercote Taking a raw ref (`&raw (const|mut)`) of a deref of pointer (`*ptr`) is always safe T-opsem decided in rust-lang/reference#1387 that `*ptr` is only unsafe if the place is accessed. This means that taking a raw ref of a deref expr is always safe, since it doesn't constitute a read. This also relaxes the `DEREF_NULLPTR` lint to stop warning in the case of raw ref of a deref'd nullptr, and updates its docs to reflect that change in the UB specification. This does not change the behavior of `addr_of!((*ptr).field)`, since field projections still require the projection is in-bounds. I'm on the fence whether this requires an FCP, since it's something that is guaranteed by the reference you could ostensibly call this a bugfix since we were counting truly safe operations as unsafe. Perhaps someone on opsem has a strong opinion? cc `@rust-lang/opsem`
tmeijn
pushed a commit
to tmeijn/dotfiles
that referenced
this pull request
Jan 22, 2025
This MR contains the following updates: | Package | Update | Change | |---|---|---| | [rust](https://github.com/rust-lang/rust) | minor | `1.83.0` -> `1.84.0` | MR created with the help of [el-capitano/tools/renovate-bot](https://gitlab.com/el-capitano/tools/renovate-bot). **Proposed changes to behavior should be submitted there as MRs.** --- ### Release Notes <details> <summary>rust-lang/rust (rust)</summary> ### [`v1.84.0`](https://github.com/rust-lang/rust/blob/HEAD/RELEASES.md#Version-1840-2025-01-09) [Compare Source](rust-lang/rust@1.83.0...1.84.0) \========================== <a id=" Language"></a> ## Language - [Allow `#[deny]` inside `#[forbid]` as a no-op](rust-lang/rust#121560) - [Show a warning when `-Ctarget-feature` is used to toggle features that can lead to unsoundness due to ABI mismatches](rust-lang/rust#129884) - [Use the next-generation trait solver in coherence](rust-lang/rust#130654) - [Allow coercions to drop the principal of trait objects](rust-lang/rust#131857) - [Support `/` as the path separator for `include!()` in all cases on Windows](rust-lang/rust#125205) - [Taking a raw ref (`raw (const|mut)`) of a deref of a pointer (`*ptr`) is now safe](rust-lang/rust#129248) - [Stabilize s390x inline assembly](rust-lang/rust#131258) - [Stabilize Arm64EC inline assembly](rust-lang/rust#131781) - [Lint against creating pointers to immediately dropped temporaries](rust-lang/rust#128985) - [Execute drop glue when unwinding in an `extern "C"` function](rust-lang/rust#129582) <a id="1.84.0-Compiler"></a> ## Compiler - [Add `--print host-tuple` flag to print the host target tuple and affirm the "target tuple" terminology over "target triple"](rust-lang/rust#125579) - [Declaring functions with a calling convention not supported on the current target now triggers a hard error](rust-lang/rust#129935) - [Set up indirect access to external data for `loongarch64-unknown-linux-{musl,ohos}`](rust-lang/rust#131583) - [Enable XRay instrumentation for LoongArch Linux targets](rust-lang/rust#131818) - [Extend the `unexpected_cfgs` lint to also warn in external macros](rust-lang/rust#132577) - [Stabilize WebAssembly `multivalue`, `reference-types`, and `tail-call` target features](rust-lang/rust#131080) - [Added Tier 2 support for the `wasm32v1-none` target](rust-lang/rust#131487) <a id="1.84.0-Libraries"></a> ## Libraries - [Implement `From<&mut {slice}>` for `Box/Rc/Arc<{slice}>`](rust-lang/rust#129329) - [Move `<float>::copysign`, `<float>::abs`, `<float>::signum` to `core`](rust-lang/rust#131304) - [Add `LowerExp` and `UpperExp` implementations to `NonZero`](rust-lang/rust#131377) - [Implement `FromStr` for `CString` and `TryFrom<CString>` for `String`](rust-lang/rust#130608) - [`std::os::darwin` has been made public](rust-lang/rust#123723) <a id="1.84.0-Stabilized-APIs"></a> ## Stabilized APIs - [`Ipv6Addr::is_unique_local`](https://doc.rust-lang.org/stable/core/net/struct.Ipv6Addr.html#method.is_unique_local) - [`Ipv6Addr::is_unicast_link_local`](https://doc.rust-lang.org/stable/core/net/struct.Ipv6Addr.html#method.is_unicast_link_local) - [`core::ptr::with_exposed_provenance`](https://doc.rust-lang.org/stable/core/ptr/fn.with_exposed_provenance.html) - [`core::ptr::with_exposed_provenance_mut`](https://doc.rust-lang.org/stable/core/ptr/fn.with_exposed_provenance_mut.html) - [`<ptr>::addr`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.addr) - [`<ptr>::expose_provenance`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.expose_provenance) - [`<ptr>::with_addr`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.with_addr) - [`<ptr>::map_addr`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.map_addr) - [`<int>::isqrt`](https://doc.rust-lang.org/stable/core/primitive.i32.html#method.isqrt) - [`<int>::checked_isqrt`](https://doc.rust-lang.org/stable/core/primitive.i32.html#method.checked_isqrt) - [`<uint>::isqrt`](https://doc.rust-lang.org/stable/core/primitive.u32.html#method.isqrt) - [`NonZero::isqrt`](https://doc.rust-lang.org/stable/core/num/struct.NonZero.html#impl-NonZero%3Cu128%3E/method.isqrt) - [`core::ptr::without_provenance`](https://doc.rust-lang.org/stable/core/ptr/fn.without_provenance.html) - [`core::ptr::without_provenance_mut`](https://doc.rust-lang.org/stable/core/ptr/fn.without_provenance_mut.html) - [`core::ptr::dangling`](https://doc.rust-lang.org/stable/core/ptr/fn.dangling.html) - [`core::ptr::dangling_mut`](https://doc.rust-lang.org/stable/core/ptr/fn.dangling_mut.html) - [`Pin::as_deref_mut`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.as_deref_mut) These APIs are now stable in const contexts - [`AtomicBool::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicBool.html#method.from_ptr) - [`AtomicPtr::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicPtr.html#method.from_ptr) - [`AtomicU8::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicU8.html#method.from_ptr) - [`AtomicU16::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicU16.html#method.from_ptr) - [`AtomicU32::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicU32.html#method.from_ptr) - [`AtomicU64::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicU64.html#method.from_ptr) - [`AtomicUsize::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicUsize.html#method.from_ptr) - [`AtomicI8::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicI8.html#method.from_ptr) - [`AtomicI16::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicI16.html#method.from_ptr) - [`AtomicI32::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicI32.html#method.from_ptr) - [`AtomicI64::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicI64.html#method.from_ptr) - [`AtomicIsize::from_ptr`](https://doc.rust-lang.org/stable/core/sync/atomic/struct.AtomicIsize.html#method.from_ptr) - [`<ptr>::is_null`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.is_null-1) - [`<ptr>::as_ref`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.as_ref-1) - [`<ptr>::as_mut`](https://doc.rust-lang.org/stable/core/primitive.pointer.html#method.as_mut) - [`Pin::new`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.new) - [`Pin::new_unchecked`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.new_unchecked) - [`Pin::get_ref`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.get_ref) - [`Pin::into_ref`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.into_ref) - [`Pin::get_mut`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.get_mut) - [`Pin::get_unchecked_mut`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.get_unchecked_mut) - [`Pin::static_ref`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.static_ref) - [`Pin::static_mut`](https://doc.rust-lang.org/stable/core/pin/struct.Pin.html#method.static_mut) <a id="1.84.0-Cargo"></a> ## Cargo - [Stabilize MSRV-aware resolver config](rust-lang/cargo#14639) - [Stabilize resolver v3](rust-lang/cargo#14754) <a id="1.84-Rustdoc"></a> ## Rustdoc - [rustdoc-search: improve type-driven search](rust-lang/rust#127589) <a id="1.84.0-Compatibility-Notes"></a> ## Compatibility Notes - [Enable by default the `LSX` target feature for LoongArch Linux targets](rust-lang/rust#132140) - [The unstable `-Zprofile` flag (“gcov-style” coverage instrumentation) has been removed.](rust-lang/rust#131829) This does not affect the stable flags for coverage instrumentation (`-Cinstrument-coverage`) and profile-guided optimization (`-Cprofile-generate`, `-Cprofile-use`), which are unrelated and remain available. - Support for the target named `wasm32-wasi` has been removed as the target is now named `wasm32-wasip1`. This completes the [transition](rust-lang/compiler-team#607) [plan](rust-lang/compiler-team#695) for this target following [the introduction of `wasm32-wasip1`](rust-lang/rust#120468) in Rust 1.78. Compiler warnings on [use of `wasm32-wasi`](rust-lang/rust#126662) introduced in Rust 1.81 are now gone as well as the target is removed. - [The syntax `&pin (mut|const) T` is now parsed as a type which in theory could affect macro expansion results in some edge cases](rust-lang/rust#130635 (comment)) - [Legacy syntax for calling `std::arch` functions is no longer permitted to declare items or bodies (such as closures, inline consts, or async blocks).](rust-lang/rust#130443 (comment)) - [Declaring functions with a calling convention not supported on the current target now triggers a hard error](rust-lang/rust#129935) - [The next-generation trait solver is now enabled for coherence, fixing multiple soundness issues](rust-lang/rust#130654) </details> --- ### Configuration 📅 **Schedule**: Branch creation - At any time (no schedule defined), Automerge - At any time (no schedule defined). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever MR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this MR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this MR, check this box --- This MR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiIzOS45Ny4wIiwidXBkYXRlZEluVmVyIjoiMzkuMTAwLjEiLCJ0YXJnZXRCcmFuY2giOiJtYWluIiwibGFiZWxzIjpbIlJlbm92YXRlIEJvdCJdfQ==-->
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
T-opsem decided in rust-lang/reference#1387 that
*ptris only unsafe if the place is accessed. This means that taking a raw ref of a deref expr is always safe, since it doesn't constitute a read.This also relaxes the
DEREF_NULLPTRlint to stop warning in the case of raw ref of a deref'd nullptr, and updates its docs to reflect that change in the UB specification.This does not change the behavior of
addr_of!((*ptr).field), since field projections still require the projection is in-bounds.I'm on the fence whether this requires an FCP, since it's something that is guaranteed by the reference you could ostensibly call this a bugfix since we were counting truly safe operations as unsafe. Perhaps someone on opsem has a strong opinion? cc @rust-lang/opsem