Implement the unsafe-fields RFC.

[veluca93]

RFC: rust-lang/rfcs#3458

Tracking:

• Tracking issue for RFC 3458: Unsafe fields #132922

r? jswrenn

[rustbot]

Some changes occurred in src/tools/rustfmt

cc @rust-lang/rustfmt

[rustbot]

Changes to the size of AST and/or HIR nodes.

cc @nnethercote

[jswrenn]

Thanks for implementing this! Here's a first round of comments. :-)

[jswrenn]

@bors try @rust-timer queue

[bors]

⌛ Trying commit db32d80 with merge ce25ffa...

[bors]

☀️ Try build successful - checks-actions
Build commit: ce25ffa (ce25ffa95be3a8577d9d1ff09eafe449df2dcfc3)

[rust-timer]

Finished benchmarking commit (ce25ffa): comparison URL.

Overall result: ❌✅ regressions and improvements - no action needed

Benchmarking this pull request likely means that it is perf-sensitive, so we're automatically marking it as not fit for rolling up. While you can manually mark this PR as fit for rollup, we strongly recommend not doing so since this PR may lead to changes in compiler perf.

@bors rollup=never
@rustbot label: -S-waiting-on-perf -perf-regression

Instruction count

This is the most reliable metric that we have; it was used to determine the overall result at the top of this comment. However, even this metric can sometimes exhibit noise.

	mean	range	count
Regressions ❌ (primary)	-	-	0
Regressions ❌ (secondary)	0.0%	[0.0%, 0.0%]	1
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-1.2%	[-1.2%, -1.2%]	1
All ❌✅ (primary)	-	-	0

Max RSS (memory usage)

Results (primary -0.7%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	1.8%	[1.8%, 1.8%]	1
Regressions ❌ (secondary)	-	-	0
Improvements ✅ (primary)	-3.1%	[-3.1%, -3.1%]	1
Improvements ✅ (secondary)	-	-	0
All ❌✅ (primary)	-0.7%	[-3.1%, 1.8%]	2

Cycles

Results (secondary 1.7%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	-	-	0
Regressions ❌ (secondary)	1.7%	[1.7%, 1.7%]	1
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-	-	0
All ❌✅ (primary)	-	-	0

Binary size

Results (primary 0.2%, secondary 0.3%)

This is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.

	mean	range	count
Regressions ❌ (primary)	0.2%	[0.0%, 0.5%]	128
Regressions ❌ (secondary)	0.3%	[0.0%, 0.5%]	29
Improvements ✅ (primary)	-	-	0
Improvements ✅ (secondary)	-	-	0
All ❌✅ (primary)	0.2%	[0.0%, 0.5%]	128

Bootstrap: 787.726s -> 783.8s (-0.50%)
Artifact size: 335.35 MiB -> 335.31 MiB (-0.01%)

[jswrenn]

The UI testing checklist I'd like to see completed before we merge this:

• if feature(unsafe_fields):
  • the 'incomplete features' warning is emitted
  • unsafe can be applied to the fields of struct-like variant fields of structs, enums and unions
    • the unsafe field's type must be Copy or ManuallyDrop
  • unsafe cannot be applied to tuple-like struct fields
  • unsafe cannot be applied to tuple-like enum fields
• if not feature(unsafe_fields), even in cfg'd-out code:
  • unsafe cannot be applied to the fields of struct-like struct fields
  • unsafe cannot be applied to the fields of struct-like enum fields
  • unsafe cannot be applied to the fields of struct-like (i.e., all) unions
• even if not feature(unsafe_fields):
  • initializing, destructuring, referencing, reading, and writing the unsafe fields of a struct/enum/union can only occur in an unsafe context (see these tests as a rough point of reference)
  • initializing, destructuring, referencing, reading, and writing the safe fields of a struct/enum/union (even one that that has other unsafe fields) does not require unsafe

[rustbot]

Changes to the size of AST and/or HIR nodes.

cc @nnethercote

[bors]

☔ The latest upstream changes (presumably #133212) made this pull request unmergeable. Please resolve the merge conflicts.

[bors]

☔ The latest upstream changes (presumably #133280) made this pull request unmergeable. Please resolve the merge conflicts.

[jswrenn]

This is looking pretty good. Be sure to update the commit message, too! It's no longer a draft implementation — it's just an implementation. :-)

[jswrenn]

Can you add a test tracking the behavior of this:

&raw const self.unsafe_field

I think (but am not completely certain) it's safe, but we should probably require unsafe in the initial implementation.

[veluca93]

I think I would prefer this to be unsafe -- of course, to do something with the result of this that could possibly cause problems requires some other form of unsafe somewhere else (I think...), but making this unsafe is IMO nice because it improves locality-of-safety:

let ptr = &raw const self.unsafe_field;

// lots of code

unsafe { do_something_with_ptr }

I think it'd be nice to have some sign somewhere that ptr actually comes from an unsafe field.

[compiler-errors]

I think (but am not completely certain) it's safe

It's not safe. All field accesses are "inbounds", so they need to point to valid memory to even take the offset.

See rust-lang/opsem-team#10

[compiler-errors]

Generally looks okay. I've got some minor comments about style and code deduplication.

[compiler-errors]

Why are you gating the uninterpolated span? Everywhere else in the parser seems to gate on prev_token.span.

[compiler-errors]

I think you should use non_enum_variant here:

Suggested change

	if adt_def.variants().iter().next().unwrap().fields[*field].safety
	if adt_def.non_enum_variant().fields[*field].safety

I don't think(?) we use PatKind::Leaf for enums ever.

[compiler-errors]

Why are you taking a ref of a FieldIdx, just to deref it below?

[compiler-errors]

Just inline this into the .fields[&pat.field] below.

[compiler-errors]

record!(self.tables.safety[field.did] <- field.safety);

[compiler-errors]

This can be a single for loop with def.all_fields().

[compiler-errors]

tiny nit: always pass tcx as the first field

[compiler-errors]

This comment doesn't really make sense. This isn't a "MIR" field, it's just the middle typing layer.

I think this can be simplified to field.did.expect_local(), though, no need for the match.

[compiler-errors]

union -> unsafe?

[compiler-errors]

also, this could perhaps be moved into allowed_union_or_unsafe_field to deduplicate this logic further.

[compiler-errors]

no need to pass the def span of the def id we're already passing in.