as_ptr returns a read-only pointer #60443
Conversation
|
r? @Kimundi (rust_highfive has picked a reviewer for you, use r? to override) |
rust-highfive
added
the
S-waiting-on-review
I believe the correct way is to use However, it seems to me this would not know the right length of the allocation to free, no? That doesn't matter for system |
|
|
src/libcore/slice/mod.rs
Outdated
| @@ -359,6 +359,10 @@ impl<T> [T] { | |||
| /// The caller must ensure that the slice outlives the pointer this | |||
| /// function returns, or else it will end up pointing to garbage. | |||
| /// | |||
| /// The caller must also ensure that the memory the pointer (non-transitively) points to | |||
| /// is never written to (except inside an `UnsafeCell`). If you need to mutate | |||
There was a problem hiding this comment.
Unsure if this qualifies as too pedantic or not, but "is never written to" sounds like it'd include the time after you stop using this pointer and any (raw?) reborrows thereof, the same way that (iiuc) constructing a Pin must guarantee the underlying value is never moved again for the rest of the program including after the Pin itself goes away.
Would "is never written to using this pointer" be better, or wrong in other ways?
There was a problem hiding this comment.
Would "is never written to using this pointer" be better, or wrong in other ways?
"using this pointer or any pointer derived from it" would be correct and should cover your case?
OK... but I expect the most common reason to want |
|
How would anyone ever think they can perform length-changing changes in-place? (And the fact that this is in-place should be quite clear with a slice.) But anyway, this PR does not even propose to add an |
|
You asked if you should add |
|
Fair. :) |
|
Cc @rust-lang/libs -- needs someone to review. |
|
It feels sort of bad to say “don’t do this” in the |
|
Well, this PR just documents the already existing reality. ;) So are you saying we should also have |
|
( Documenting the existing reality sounds good, I just wonder how often this is misused in the wild. Maybe someone more familar with C API conventions can comment: how uncommon is it to write to a caller-allocated, null-terminated buffer? In the mean time: @bors r+ |
|
📌 Commit 30cf0e4 has been approved by |
bors
added
S-waiting-on-bors
as_ptr returns a read-only pointer Add comments to `as_ptr` methods to warn that these are read-only pointers, and writing to them is UB. [It was pointed out](https://internals.rust-lang.org/t/as-ptr-vs-as-mut-ptr/9940) that `CStr` does not even have an `as_mut_ptr`. I originally was going to add one, but there is no method at all that would mutate a `CStr`. Was that a deliberate choice or should I add an `as_mut_ptr` (similar to [what I did for `str`](rust-lang#58200))?
Rollup of 9 pull requests Successful merges: - #60130 (Add implementations of last in terms of next_back on a bunch of DoubleEndedIterators) - #60443 (as_ptr returns a read-only pointer) - #60444 (forego caching for all participants in cycles, apart from root node) - #60719 (Allow subdirectories to be tested by x.py test) - #60780 (fix Miri) - #60788 (default to $ARCH-apple-macosx10.7.0 LLVM triple for darwin targets) - #60799 (Allow late-bound regions in existential types) - #60808 (Improve the "must use" lint for `Future`) - #60819 (submodules: update clippy from 3710ec5 to ad3269c) Failed merges: r? @ghost
Add comments to
as_ptrmethods to warn that these are read-only pointers, and writing to them is UB.It was pointed out that
CStrdoes not even have anas_mut_ptr. I originally was going to add one, but there is no method at all that would mutate aCStr. Was that a deliberate choice or should I add anas_mut_ptr(similar to what I did forstr)?