"Dangling" means multiple things

[Manishearth]

In the C++ world, typically, a "dangling" pointer is one to memory that was previously allocated and subsequently deallocated. Let's call these freed-dangling. These are just bad, period.

In Rust, APIs like NonNull::dangling()` produce pointers that were not ever allocated, primarily constructed to be "aligned but not null".. Let's call these align-dangling. It's good practice to use align-dangling pointers when working with collections or ZSTs.

We tend to use these meanings interchangeably. They are largely the same when it comes to the validity of pointer accesses, except around zero-sized types: zero-sized reads are not valid when reading from freed memory, unless the pointer was obtained as a direct cast from an integer literal (presumably these get normalized to align-dangling pointers).

This can lead to some confusion around terminology, for example with this code (credit @kupiakos), where we have both a freed-dangling and an align-dangling NonNull::dangling() pointer, and miri complains about the former, but says "out-of-bounds pointer use: alloc921 has been freed, so this pointer is dangling", implicitly calling it "dangling".

We should potentially pin down what meaning of "dangling" we intend everywhere, use it consistently, and update the docs of NonNull::dangling() to reference ZST validity. We don't necessarily need to split these meanings as long as we're clear about it; splitting the meanings may cause more confusion than it's worth.

[RalfJung]

I consider there to be three kinds of "dangling" pointers:

• pointers with no provenance whatsoever -- that's what you call "align-dangling", but it has nothing to do with alignment so I'd rather avoid that term; this is what ptr::invalid (maybe to be renamed) creates
• pointers with provenance of some allocation that has been freed -- that's what you call "freed-dangling"
• pointers with provenance of some allocation that is still live but the pointer is out-of-bounds of that allocation -- we might call this "oob/out-of-bounds-dangling"

In C and C++, creating the latter kind of pointer is not possible (it's UB), but in Rust it's possible and they should be considered "dangling" as well IMO.

I agree it'd be good to clean up the terminology here. Relatedly, the term "dereferenceable" also needs clarification.

[Manishearth]

but it has nothing to do with alignment so I'd rather avoid that term

Yeah it's typically just used in a case where you want something aligned. I don't have a better term for it, page0-dangling perhaps.

[RalfJung]

They can point to literally any address though, ptr::invalid takes a usize. I sometimes call them "(raw) integer pointers", but that doesn't really fit the pattern here.

[digama0]

They are largely the same when it comes to the validity of pointer accesses, except around zero-sized types: zero-sized reads are not valid when reading from freed memory, unless the pointer was obtained as a direct cast from an integer literal (presumably these get normalized to align-dangling pointers).

I believe this is no longer true as of the recent FCP: zero sized reads from any pointer are now valid, so AFAIK freed-dangling pointers are indistinguishable from align-dangling (which I would call no-provenance / null-provenance pointers). The linked documentation is out of date.

[RalfJung]

rust-lang/rust#117945 is tracking implementing that FCP.