UnsafePinned: also include the effects of UnsafeCell #140638
Merged
+142
−22
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
|
The Miri subtree was changed cc @rust-lang/miri |
This comment has been minimized.
This comment has been minimized.
Sky9x
approved these changes
May 4, 2025
RalfJung
added
the
I-lang-nominated
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
b08491e to
66ca017
Compare
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
66ca017 to
bc8609c
Compare
traviscross
reviewed
May 5, 2025
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
bc8609c to
d87cf5a
Compare
9 tasks
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
d87cf5a to
405c954
Compare
Sky9x
reviewed
May 5, 2025
|
@rustbot labels -I-lang-nominated +I-lang-radar We talked about this in the lang call today with 2/5 present. We felt it indeed made sense, given what we've found, for |
rustbot
added
I-lang-radar
|
@WaffleLapkin @tgross35 could one of you review this? |
|
After 3 weeks without a review, I'll reassign. |
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
405c954 to
259d6f4
Compare
|
Soundness fix. Well, pre-fix. Code looks fine to me. Approving. @bors r+ rollup |
bors
added
S-waiting-on-bors
matthiaskrgr
added a commit
to matthiaskrgr/rust
that referenced
this pull request
Jun 5, 2025
…sed, r=workingjubilee UnsafePinned: also include the effects of UnsafeCell This tackles rust-lang#137750 by including an `UnsafeCell` in `UnsafePinned`, thus imbuing it with all the usual properties of interior mutability (no `noalias` nor `dereferenceable` on shared refs, special treatment by Miri's aliasing model). The soundness issue is not fixed yet because coroutine lowering does not use `UnsafePinned`. The RFC said that `UnsafePinned` would not permit mutability on shared references, but since then, rust-lang#137750 has demonstrated that this is not tenable. In the face of those examples, I propose that we do the "obvious" thing and permit shared mutable state inside `UnsafePinned`. This seems loosely consistent with the fact that we allow going from `Pin<&mut T>` to `&T` (where the former can be aliased with other pointers that perform mutation, and hence the same goes for the latter) -- but the `as_ref` example shows that we in fact would need to add this `UnsafeCell` even if we didn't have a safe conversion to `&T`, since for the compiler and Miri, `&T` and `Pin<&T>` are basically the same type. To make this possible, I had to remove the `Copy` and `Clone` impls for `UnsafePinned`. Tracking issue: rust-lang#125735 Cc `@rust-lang/lang` `@rust-lang/opsem` `@Sky9x` I don't think this needs FCP since the type is still unstable -- we'll finally decide whether we like this approach when `UnsafePinned` is moved towards stabilization (IOW, this PR is reversible). However, I'd still like to make sure that the lang team is okay with the direction I am proposing here.
bors
added a commit
that referenced
this pull request
Jun 5, 2025
Rollup of 8 pull requests Successful merges: - #140638 (UnsafePinned: also include the effects of UnsafeCell) - #141272 (modularize the config module bootstrap) - #141777 (Do not run PGO/BOLT in x64 Linux alt builds) - #141870 (Fix broken link to rustc_type_ir module in serialization docs) - #141938 (update rust offload bootstrap) - #141962 (rustc-dev-guide subtree update) - #141965 (`tests/ui`: A New Order [3/N]) - #141970 (implement new `x` flag: `--skip-std-check-if-no-download-rustc`) r? `@ghost` `@rustbot` modify labels: rollup
bors
added a commit
that referenced
this pull request
Jun 5, 2025
Rollup of 6 pull requests Successful merges: - #140638 (UnsafePinned: also include the effects of UnsafeCell) - #141777 (Do not run PGO/BOLT in x64 Linux alt builds) - #141938 (update rust offload bootstrap) - #141962 (rustc-dev-guide subtree update) - #141965 (`tests/ui`: A New Order [3/N]) - #141970 (implement new `x` flag: `--skip-std-check-if-no-download-rustc`) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
that referenced
this pull request
Jun 5, 2025
Rollup merge of #140638 - RalfJung:unsafe-pinned-shared-aliased, r=workingjubilee UnsafePinned: also include the effects of UnsafeCell This tackles #137750 by including an `UnsafeCell` in `UnsafePinned`, thus imbuing it with all the usual properties of interior mutability (no `noalias` nor `dereferenceable` on shared refs, special treatment by Miri's aliasing model). The soundness issue is not fixed yet because coroutine lowering does not use `UnsafePinned`. The RFC said that `UnsafePinned` would not permit mutability on shared references, but since then, #137750 has demonstrated that this is not tenable. In the face of those examples, I propose that we do the "obvious" thing and permit shared mutable state inside `UnsafePinned`. This seems loosely consistent with the fact that we allow going from `Pin<&mut T>` to `&T` (where the former can be aliased with other pointers that perform mutation, and hence the same goes for the latter) -- but the `as_ref` example shows that we in fact would need to add this `UnsafeCell` even if we didn't have a safe conversion to `&T`, since for the compiler and Miri, `&T` and `Pin<&T>` are basically the same type. To make this possible, I had to remove the `Copy` and `Clone` impls for `UnsafePinned`. Tracking issue: #125735 Cc ``@rust-lang/lang`` ``@rust-lang/opsem`` ``@Sky9x`` I don't think this needs FCP since the type is still unstable -- we'll finally decide whether we like this approach when `UnsafePinned` is moved towards stabilization (IOW, this PR is reversible). However, I'd still like to make sure that the lang team is okay with the direction I am proposing here.
github-actions bot
pushed a commit
to rust-lang/miri
that referenced
this pull request
Jun 6, 2025
Rollup of 6 pull requests Successful merges: - rust-lang/rust#140638 (UnsafePinned: also include the effects of UnsafeCell) - rust-lang/rust#141777 (Do not run PGO/BOLT in x64 Linux alt builds) - rust-lang/rust#141938 (update rust offload bootstrap) - rust-lang/rust#141962 (rustc-dev-guide subtree update) - rust-lang/rust#141965 (`tests/ui`: A New Order [3/N]) - rust-lang/rust#141970 (implement new `x` flag: `--skip-std-check-if-no-download-rustc`) r? `@ghost` `@rustbot` modify labels: rollup
|
@RalfJung This PR missed changing the comment and doctest on rust/library/core/src/pin/unsafe_pinned.rs Lines 91 to 107 in 321dde1 |
|
Good point, I filed a follow-up at #142162. |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This tackles #137750 by including an
UnsafeCellinUnsafePinned, thus imbuing it with all the usual properties of interior mutability (nonoaliasnordereferenceableon shared refs, special treatment by Miri's aliasing model). The soundness issue is not fixed yet because coroutine lowering does not useUnsafePinned.The RFC said that
UnsafePinnedwould not permit mutability on shared references, but since then, #137750 has demonstrated that this is not tenable. In the face of those examples, I propose that we do the "obvious" thing and permit shared mutable state insideUnsafePinned. This seems loosely consistent with the fact that we allow going fromPin<&mut T>to&T(where the former can be aliased with other pointers that perform mutation, and hence the same goes for the latter) -- but theas_refexample shows that we in fact would need to add thisUnsafeCelleven if we didn't have a safe conversion to&T, since for the compiler and Miri,&TandPin<&T>are basically the same type.To make this possible, I had to remove the
CopyandCloneimpls forUnsafePinned.Tracking issue: #125735
Cc @rust-lang/lang @rust-lang/opsem @Sky9x
I don't think this needs FCP since the type is still unstable -- we'll finally decide whether we like this approach when
UnsafePinnedis moved towards stabilization (IOW, this PR is reversible). However, I'd still like to make sure that the lang team is okay with the direction I am proposing here.