diff --git a/src/liballoc/lib.rs b/src/liballoc/lib.rs
index 41c2b221704e6..ed3b09bae0540 100644
--- a/src/liballoc/lib.rs
+++ b/src/liballoc/lib.rs
@@ -100,6 +100,7 @@
 #![feature(fundamental)]
 #![feature(internal_uninit_const)]
 #![feature(lang_items)]
+#![feature(layout_for_ptr)]
 #![feature(libc)]
 #![feature(negative_impls)]
 #![feature(new_uninit)]
@@ -109,6 +110,7 @@
 #![feature(pattern)]
 #![feature(ptr_internals)]
 #![feature(ptr_offset_from)]
+#![feature(raw_ref_op)]
 #![feature(rustc_attrs)]
 #![feature(receiver_trait)]
 #![feature(min_specialization)]
diff --git a/src/liballoc/rc.rs b/src/liballoc/rc.rs
index 4d50ae9efca95..fccdfa0dca92a 100644
--- a/src/liballoc/rc.rs
+++ b/src/liballoc/rc.rs
@@ -245,7 +245,7 @@ use core::hash::{Hash, Hasher};
 use core::intrinsics::abort;
 use core::iter;
 use core::marker::{self, PhantomData, Unpin, Unsize};
-use core::mem::{self, align_of, align_of_val, forget, size_of_val};
+use core::mem::{self, align_of_val_raw, forget, size_of_val};
 use core::ops::{CoerceUnsized, Deref, DispatchFromDyn, Receiver};
 use core::pin::Pin;
 use core::ptr::{self, NonNull};
@@ -591,17 +591,11 @@ impl Rc {
 #[stable(feature = "weak_into_raw", since = "1.45.0")]
 pub fn as_ptr(this: &Self) -> *const T {
 let ptr: *mut RcBox = NonNull::as_ptr(this.ptr);
- let fake_ptr = ptr as *mut T;
- // SAFETY: This cannot go through Deref::deref.
- // Instead, we manually offset the pointer rather than manifesting a reference.
- // This is so that the returned pointer retains the same provenance as our pointer.
- // This is required so that e.g. `get_mut` can write through the pointer
- // after the Rc is recovered through `from_raw`.
- unsafe {
- let offset = data_offset(&(*ptr).value);
- set_data_ptr(fake_ptr, (ptr as *mut u8).offset(offset))
- }
+ // SAFETY: This cannot go through Deref::deref or Rc::inner because
+ // this is required to retain raw/mut provenance such that e.g. `get_mut` can
+ // write through the pointer after the Rc is recovered through `from_raw`.
+ unsafe { &raw const (*ptr).value }
 }
 /// Constructs an `Rc` from a raw pointer.
@@ -1647,6 +1641,7 @@ pub struct Weak {
 // `Weak::new` sets this to `usize::MAX` so that it doesn’t need
 // to allocate space on the heap. That's not a value a real pointer
 // will ever have because RcBox has alignment at least 2.
+ // This is only possible when `T: Sized`; unsized `T` never dangle.
 ptr: NonNull>,
 }
@@ -1708,9 +1703,18 @@ impl Weak {
 /// [`null`]: ../../std/ptr/fn.null.html
 #[stable(feature = "weak_into_raw", since = "1.45.0")]
 pub fn as_ptr(&self) -> *const T {
- let offset = data_offset_sized::();
- let ptr = self.ptr.cast::().as_ptr().wrapping_offset(offset);
- ptr as *const T
+ let ptr: *mut RcBox = NonNull::as_ptr(self.ptr);
+
+ // SAFETY: we must offset the pointer manually, and said pointer may be
+ // a dangling weak (usize::MAX) if T is sized. data_offset is safe to call,
+ // because we know that a pointer to unsized T was derived from a real
+ // unsized T, as dangling weaks are only created for sized T. wrapping_offset
+ // is used so that we can use the same code path for the non-dangling
+ // unsized case and the potentially dangling sized case.
+ unsafe {
+ let offset = data_offset(ptr as *mut T);
+ set_data_ptr(ptr as *mut T, (ptr as *mut u8).wrapping_offset(offset))
+ }
 }
 /// Consumes the `Weak` and turns it into a raw pointer.
@@ -2113,19 +2117,22 @@ impl AsRef for Rc {
 #[stable(feature = "pin", since = "1.33.0")]
 impl Unpin for Rc {}
+/// Get the offset within an `ArcInner` for
+/// a payload of type described by a pointer.
+///
+/// # Safety
+///
+/// This has the same safety requirements as `align_of_val_raw`. In effect:
+///
+/// - This function is safe for any argument if `T` is sized, and
+/// - if `T` is unsized, the pointer must have appropriate pointer metadata
+/// aquired from the real instance that you are getting this offset for.
 unsafe fn data_offset(ptr: *const T) -> isize {
 // Align the unsized value to the end of the `RcBox`.
 // Because it is ?Sized, it will always be the last field in memory.
 // Note: This is a detail of the current implementation of the compiler,
 // and is not a guaranteed language detail. Do not rely on it outside of std.
- unsafe { data_offset_align(align_of_val(&*ptr)) }
-}
-
-/// Computes the offset of the data field within `RcBox`.
-///
-/// Unlike [`data_offset`], this doesn't need the pointer, but it works only on `T: Sized`.
-fn data_offset_sized() -> isize {
- data_offset_align(align_of::())
+ unsafe { data_offset_align(align_of_val_raw(ptr)) }
 }
 #[inline]
diff --git a/src/liballoc/sync.rs b/src/liballoc/sync.rs
index 826f0c8fa833f..ac3ce2255c89b 100644
--- a/src/liballoc/sync.rs
+++ b/src/liballoc/sync.rs
@@ -16,7 +16,7 @@ use core::hash::{Hash, Hasher};
 use core::intrinsics::abort;
 use core::iter;
 use core::marker::{PhantomData, Unpin, Unsize};
-use core::mem::{self, align_of, align_of_val, size_of_val};
+use core::mem::{self, align_of_val, size_of_val};
 use core::ops::{CoerceUnsized, Deref, DispatchFromDyn, Receiver};
 use core::pin::Pin;
 use core::ptr::{self, NonNull};
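Review bot: The new doc block on `data_offset` in rc.rs names the wrong container type: its first line says "within an `ArcInner`" while the body comment two lines below says "end of the `RcBox`" and the hunk header is `impl AsRef for Rc`, so the first doc line should read `/// Get the offset within an `RcBox` for`. The same block misspells "aquired" as well; "acquired" is meant, and the identical typo appears in the sync.rs copy of this doc block in the `impl AsRef for Arc` hunk further down. The documented contract (safe for any argument when `T` is sized, pointer metadata required otherwise) does match what the new `align_of_val_raw(ptr)` body provides, so rc.rs is otherwise consistent with its own documentation.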
@@ -267,6 +267,7 @@ pub struct Weak {
 // `Weak::new` sets this to `usize::MAX` so that it doesn’t need
 // to allocate space on the heap. That's not a value a real pointer
 // will ever have because RcBox has alignment at least 2.
+ // This is only possible when `T: Sized`; unsized `T` never dangle.
 ptr: NonNull>,
 }
@@ -590,17 +591,11 @@ impl Arc {
 #[stable(feature = "weak_into_raw", since = "1.45.0")]
 pub fn as_ptr(this: &Self) -> *const T {
 let ptr: *mut ArcInner = NonNull::as_ptr(this.ptr);
- let fake_ptr = ptr as *mut T;
- // SAFETY: This cannot go through Deref::deref.
- // Instead, we manually offset the pointer rather than manifesting a reference.
- // This is so that the returned pointer retains the same provenance as our pointer.
- // This is required so that e.g. `get_mut` can write through the pointer
- // after the Arc is recovered through `from_raw`.
- unsafe {
- let offset = data_offset(&(*ptr).data);
- set_data_ptr(fake_ptr, (ptr as *mut u8).offset(offset))
- }
+ // SAFETY: This cannot go through Deref::deref or RcBoxPtr::inner because
+ // this is required to retain raw/mut provenance such that e.g. `get_mut` can
+ // write through the pointer after the Rc is recovered through `from_raw`.
+ unsafe { &raw const (*ptr).data }
 }
 /// Constructs an `Arc` from a raw pointer.
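Review bot: The new SAFETY comment in `Arc::as_ptr` says "after the Rc is recovered through `from_raw`", but this is sync.rs and the removed comment it replaces correctly said "after the Arc is recovered"; the line should read `// write through the pointer after the Arc is recovered through `from_raw`.`. The same comment names `RcBoxPtr::inner` as the accessor that must be avoided while the rc.rs counterpart in this commit names `Rc::inner`; the two names look swapped between the files, so each comment should cite the inner-pointer accessor its own file actually defines (verify against the two modules). The `&raw const (*ptr).data` replacement itself is sound for the stated goal: it yields the field address without materialising a reference, which is what the provenance argument requires.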
@@ -1476,9 +1471,18 @@ impl Weak {
 /// [`null`]: ../../std/ptr/fn.null.html
 #[stable(feature = "weak_into_raw", since = "1.45.0")]
 pub fn as_ptr(&self) -> *const T {
- let offset = data_offset_sized::();
- let ptr = self.ptr.cast::().as_ptr().wrapping_offset(offset);
- ptr as *const T
+ let ptr: *mut ArcInner = NonNull::as_ptr(self.ptr);
+
+ // SAFETY: we must offset the pointer manually, and said pointer may be
+ // a dangling weak (usize::MAX) if T is sized. data_offset is safe to call,
+ // because we know that a pointer to unsized T was derived from a real
+ // unsized T, as dangling weaks are only created for sized T. wrapping_offset
+ // is used so that we can use the same code path for the non-dangling
+ // unsized case and the potentially dangling sized case.
+ unsafe {
+ let offset = data_offset(ptr as *mut T);
+ set_data_ptr(ptr as *mut T, (ptr as *mut u8).wrapping_offset(offset))
+ }
 }
 /// Consumes the `Weak` and turns it into a raw pointer.
@@ -2270,7 +2274,16 @@ impl AsRef for Arc {
 #[stable(feature = "pin", since = "1.33.0")]
 impl Unpin for Arc {}
-/// Computes the offset of the data field within `ArcInner`.
+/// Get the offset within an `ArcInner` for
+/// a payload of type described by a pointer.
+///
+/// # Safety
+///
+/// This has the same safety requirements as `align_of_val_raw`. In effect:
+///
+/// - This function is safe for any argument if `T` is sized, and
+/// - if `T` is unsized, the pointer must have appropriate pointer metadata
+/// aquired from the real instance that you are getting this offset for.
 unsafe fn data_offset(ptr: *const T) -> isize {
 // Align the unsized value to the end of the `ArcInner`.
 // Because it is `?Sized`, it will always be the last field in memory.
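Review bot: The new `Weak::as_ptr` body in sync.rs passes a pointer that its own comment says may be the dangling `usize::MAX` sentinel (sized `T`) into `data_offset`, but sync.rs's `data_offset` is left unchanged and still evaluates `align_of_val(&*ptr)` (visible as context at the start of the next hunk), which creates a reference to an address that is not dereferenceable — exactly what the rc.rs side of this commit avoids by switching to `align_of_val_raw(ptr)`. The new doc block in the second hunk here promises the `align_of_val_raw` contract ("safe for any argument if `T` is sized"), which the unchanged body does not deliver, and the sync.rs import hunk drops `align_of` without bringing in `align_of_val_raw`. Mirror rc.rs: change the body to `unsafe { data_offset_align(align_of_val_raw(ptr)) }` and the import to `use core::mem::{self, align_of_val_raw, size_of_val};` (keeping `align_of_val` only if another use remains in the file). The crate-level `#![feature(layout_for_ptr)]` added in lib.rs already gates that call for sync.rs; the body of `data_offset` lies outside this hunk.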
@@ -2279,13 +2292,6 @@ unsafe fn data_offset(ptr: *const T) -> isize {
 unsafe { data_offset_align(align_of_val(&*ptr)) }
 }
-/// Computes the offset of the data field within `ArcInner`.
-///
-/// Unlike [`data_offset`], this doesn't need the pointer, but it works only on `T: Sized`.
-fn data_offset_sized() -> isize {
- data_offset_align(align_of::())
-}
-
 #[inline]
 fn data_offset_align(align: usize) -> isize {
 let layout = Layout::new::>();