-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Dangling" means multiple things #478
Comments
I consider there to be three kinds of "dangling" pointers:
In C and C++, creating the latter kind of pointer is not possible (it's UB), but in Rust it's possible and they should be considered "dangling" as well IMO. I agree it'd be good to clean up the terminology here. Relatedly, the term "dereferenceable" also needs clarification. |
Yeah it's typically just used in a case where you want something aligned. I don't have a better term for it, page0-dangling perhaps. |
They can point to literally any address though, |
I believe this is no longer true as of the recent FCP: zero sized reads from any pointer are now valid, so AFAIK freed-dangling pointers are indistinguishable from align-dangling (which I would call no-provenance / null-provenance pointers). The linked documentation is out of date. |
rust-lang/rust#117945 is tracking implementing that FCP. |
In the C++ world, typically, a "dangling" pointer is one to memory that was previously allocated and subsequently deallocated. Let's call these freed-dangling. These are just bad, period.
In Rust, APIs like
NonNull::dangling()
` produce pointers that were not ever allocated, primarily constructed to be "aligned but not null".. Let's call these align-dangling. It's good practice to use align-dangling pointers when working with collections or ZSTs.We tend to use these meanings interchangeably. They are largely the same when it comes to the validity of pointer accesses, except around zero-sized types: zero-sized reads are not valid when reading from freed memory, unless the pointer was obtained as a direct cast from an integer literal (presumably these get normalized to align-dangling pointers).
This can lead to some confusion around terminology, for example with this code (credit @kupiakos), where we have both a freed-dangling and an align-dangling
NonNull::dangling()
pointer, and miri complains about the former, but says "out-of-bounds pointer use: alloc921 has been freed, so this pointer is dangling", implicitly calling it "dangling".We should potentially pin down what meaning of "dangling" we intend everywhere, use it consistently, and update the docs of
NonNull::dangling()
to reference ZST validity. We don't necessarily need to split these meanings as long as we're clear about it; splitting the meanings may cause more confusion than it's worth.The text was updated successfully, but these errors were encountered: