implement unsafe pointer methods #43964
Conversation
|
r? @sfackler (rust_highfive has picked a reviewer for you, use r? to override) |
|
Tracking Issue: #43941 |
src/libcore/ptr.rs
Outdated
| /// Behaviour: | ||
| /// | ||
| /// * Both the starting and resulting pointer must be either in bounds or one | ||
| /// byte past the end of an allocated object. |
There was a problem hiding this comment.
the formatting here - byte should be indented.
| /// `isize`. | ||
| /// | ||
| /// * The offset being in bounds cannot rely on "wrapping around" the address | ||
| /// space. That is, the infinite-precision sum, **in bytes** must fit in a usize. |
There was a problem hiding this comment.
this seems unnecessary to state, imo?
There was a problem hiding this comment.
It's possible to construct an offset which wraps around the address space but ends up in bounds, if pointers are modeled as "just" usizes. This would satisfy both previous rules, but fail this one. LLVM explicitly says it's UB to do this with GEP inbounds.
There was a problem hiding this comment.
Yeah, but that assumes the pointers are just usizes. I dunno, maybe I've been smoking the object model for too long.
| /// | ||
| /// Consider using `wrapping_offset` instead if these constraints are | ||
| /// difficult to satisfy. The only advantage of this method is that it | ||
| /// enables more aggressive compiler optimizations. |
There was a problem hiding this comment.
I don't like this paragraph. wrapping_offset is, imo, a kludge that really shouldn't ever be used. Maybe recommend add, and use actual usize pointer arithmetic in add.
There was a problem hiding this comment.
There is no unsigned version of GEP inbounds, it's impossible to ask LLVM to do this without removing the inbounds modifier, which is what wrapping_* does.
| /// | ||
| /// Consider using `wrapping_offset` instead if these constraints are | ||
| /// difficult to satisfy. The only advantage of this method is that it | ||
| /// enables more aggressive compiler optimizations. |
There was a problem hiding this comment.
same complaint as before.
| where T: Sized, | ||
| { | ||
| self.offset(count as isize) | ||
| } |
There was a problem hiding this comment.
This seems like it should use usize based pointer arithmetic, rather than casting to isize.
There was a problem hiding this comment.
As above, there is no such thing in LLVM.
There was a problem hiding this comment.
can I just say that this is so weird to me. Anyways.
There was a problem hiding this comment.
There is a reason I frequently rant about gep
|
Well, you've convinced me. I'm a go. |
| /// that should be dropped. | ||
| /// | ||
| /// Additionally, it does not drop `src`. Semantically, `src` is moved into the | ||
| /// location pointed to by `dst`. |
There was a problem hiding this comment.
src and dst should be val and self
| /// Beyond accepting a raw pointer, this is unsafe because it semantically | ||
| /// moves the value out of `self` without preventing further usage of `self`. | ||
| /// If `T` is not `Copy`, then care must be taken to ensure that the value at | ||
| /// `src` is not used before the data is overwritten again (e.g. with `write`, |
src/libcore/ptr.rs
Outdated
| @@ -555,7 +581,8 @@ impl<T: ?Sized> *const T { | |||
| } | |||
|
|
|||
| /// Calculates the offset from a pointer using wrapping arithmetic. | |||
| /// `count` is in units of T; e.g. a `count` of 3 represents a pointer | |||
| /// | |||
| /// `count` is in units of T; e.g. an `count` of 3 represents a pointer | |||
arielb1
added
the
S-waiting-on-author
|
friendly ping @gankro to keep this on your radar! |
|
All comments addressed, and squashed. One thing I noticed myself: I didn't update *mut's offset docs before. That is now fixed. |
arielb1
added
S-waiting-on-review
|
I've pinged @sfackler on IRC for review. |
src/libcore/ptr.rs
Outdated
| /// # Safety | ||
| /// | ||
| /// If any of the following conditions are violated, the result is Undefined | ||
| /// Behaviour: |
There was a problem hiding this comment.
Nit: I think we lean towards US english spelling in docs?
|
LGTM other than the one spelling nit. |
There was a problem hiding this comment.
It is not clear to me from the documentation whether these methods may or may not be used with unaligned pointers: *offset methods, *add and *sub methods, copy* methods, *_volatile methods, drop_in_place, *_bytes methods, replace, swap.
Should I simply assume that they are safe to use with unaligned pointers, unless explicitly stated?
It'd be nice if the Safety section of every method mentioned whether unaligned pointers are allowed anyway.
Other than that, LGTM.
| } | ||
|
|
||
| /// Swaps the values at two mutable locations of the same type, without | ||
| /// deinitializing either. They may overlap, unlike `mem::swap` which is |
There was a problem hiding this comment.
By 'they may overlap' you mean 'the locations may be equal'?
What happens if you swap the values at, say, two different but overlapping locations (at least one of the pointers will be unaligned)? Is it allowed to call swap with unaligned pointers?
There was a problem hiding this comment.
You don't need alignment issues -- consider x: [u32; 3], where I swap [u32; 2] from x[0] and x[1].
There was a problem hiding this comment.
In this case the final value of x[1] is actually unspecified, but definitely one of the original values of x[0] or x[2].
|
@stjepang Unless explicitly stated otherwise, all functions which take pointers assume that they are aligned. (see |
Gankra
force-pushed
the
unsafe-reform
branch
from
5f4b91a
to
e64b56a
Compare
Gankra
force-pushed
the
unsafe-reform
branch
from
e64b56a
to
4f24507
Compare
|
Made changes to appease american pigs ready to merge |
|
@bors: r=sfackler |
|
📌 Commit 4f24507 has been approved by |
|
⌛ Testing commit 4f24507 with merge bd235a61e5047f090f8a37729145b8e56f290904... |
|
💔 Test failed - status-travis |
|
@bors: retry
|
|
The errors in the documentation I pointed out above are still there. |
implement unsafe pointer methods I also cleaned up some existing documentation a bit here or there since I was doing so much auditing of it. Most notably I significantly rewrote the `offset` docs to clarify safety (`*const` and `*mut`'s offset docs had actually diverged).
|
⌛ Testing commit 4f24507 with merge 6ae1aead5260aadf8598783fe98fb9210487ddbb... |
|
@bors: retry
|
implement unsafe pointer methods I also cleaned up some existing documentation a bit here or there since I was doing so much auditing of it. Most notably I significantly rewrote the `offset` docs to clarify safety (`*const` and `*mut`'s offset docs had actually diverged).
|
☀️ Test successful - status-appveyor, status-travis |
|
Hey @tormol sorry I thought I got everything. Please file an issue for the ones I missed, or a PR to fix it, so we don't forget! |
I also cleaned up some existing documentation a bit here or there since I was doing so much auditing of it. Most notably I significantly rewrote the
offsetdocs to clarify safety (*constand*mut's offset docs had actually diverged).