From 00b13b0ef23de4b49d23b9444ee12db0205e8e06 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sat, 3 Apr 2021 12:50:06 +0200 Subject: [PATCH 1/3] clarify UB for raw ptr deref --- src/behavior-considered-undefined.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index 1cc7966bf..21a473dff 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -23,7 +23,8 @@ code. * Data races. -* Dereferencing (using the `*` operator on) a dangling or unaligned raw pointer. +* Evaluating a dereference [place expression] (`*expr`) on a raw pointer that is + [dangling] or unaligned. * Breaking the [pointer aliasing rules]. `&mut T` and `&T` follow LLVM’s scoped [noalias] model, except if the `&T` contains an [`UnsafeCell`]. * Mutating immutable data. All data inside a [`const`] item is immutable. Moreover, all @@ -45,7 +46,7 @@ code. * A `!` (all values are invalid for this type). * An integer (`i*`/`u*`), floating point value (`f*`), or raw pointer obtained from [uninitialized memory][undef], or uninitialized memory in a `str`. - * A reference or `Box` that is dangling, unaligned, or points to an invalid value. + * A reference or `Box` that is [dangling], unaligned, or points to an invalid value. * Invalid metadata in a wide reference, `Box`, or raw pointer: * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for `Trait` that matches the actual dynamic trait the pointer or reference points to. 
@@ -62,6 +63,17 @@ a restricted set of valid values. In other words, the only cases in which reading uninitialized memory is permitted are inside `union`s and in "padding" (the gaps between the fields/elements of a type). +> **Note**: Undefined behavior affects the entire program. For example, calling +> a function in C that exhibits undefined behavior of C means your entire +> program contains undefined behaviour that can also affect the Rust code. And +> vice versa, undefined behavior in Rust can cause adverse affects on code +> executed by any FFI calls to other languages. + +[place expression]: expressions.md#place-expressions-and-value-expressions + +### Dangling pointers +[dangling]: #dangling-pointers + A reference/pointer is "dangling" if it is null or not all of the bytes it points to are part of the same allocation (so in particular they all have to be part of *some* allocation). The span of bytes it points to is determined by the @@ -71,12 +83,6 @@ that slices and strings point to their entire range, so it is important that the metadata is never too large. In particular, allocations and therefore slices and strings cannot be bigger than `isize::MAX` bytes. -> **Note**: Undefined behavior affects the entire program. For example, calling -> a function in C that exhibits undefined behavior of C means your entire -> program contains undefined behaviour that can also affect the Rust code. And -> vice versa, undefined behavior in Rust can cause adverse affects on code -> executed by any FFI calls to other languages. - [`bool`]: types/boolean.md [`const`]: items/constant-items.md [noalias]: http://llvm.org/docs/LangRef.html#noalias From c644a95c8b665b7c58c651a03369a6ccf46cc9f3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 6 Apr 2021 11:07:58 +0200 Subject: [PATCH 2/3] move link def.n --- src/behavior-considered-undefined.md | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) 
diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index 21a473dff..ee8788e0f 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -69,8 +69,6 @@ reading uninitialized memory is permitted are inside `union`s and in "padding" > vice versa, undefined behavior in Rust can cause adverse affects on code > executed by any FFI calls to other languages. -[place expression]: expressions.md#place-expressions-and-value-expressions - ### Dangling pointers [dangling]: #dangling-pointers @@ -93,3 +91,4 @@ cannot be bigger than `isize::MAX` bytes. [Rustonomicon]: ../nomicon/index.html [`NonNull`]: ../core/ptr/struct.NonNull.html [`NonZero*`]: ../core/num/index.html +[place expression]: expressions.md#place-expressions-and-value-expressions From 5524a17a22c94ad21ab28d545c316909ebda0e31 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 7 Apr 2021 10:19:30 +0200 Subject: [PATCH 3/3] adjust wording --- src/behavior-considered-undefined.md | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index ee8788e0f..5af4a4bef 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -23,8 +23,9 @@ code. * Data races. -* Evaluating a dereference [place expression] (`*expr`) on a raw pointer that is - [dangling] or unaligned. +* Evaluating a [dereference expression] (`*expr`) on a raw pointer that is + [dangling] or unaligned, even in [place expression context] + (e.g. `addr_of!(&*expr)`). * Breaking the [pointer aliasing rules]. `&mut T` and `&T` follow LLVM’s scoped [noalias] model, except if the `&T` contains an [`UnsafeCell`]. * Mutating immutable data. All data inside a [`const`] item is immutable. Moreover, all 
@@ -91,4 +92,5 @@ cannot be bigger than `isize::MAX` bytes. [Rustonomicon]: ../nomicon/index.html [`NonNull`]: ../core/ptr/struct.NonNull.html [`NonZero*`]: ../core/num/index.html -[place expression]: expressions.md#place-expressions-and-value-expressions +[dereference expression]: expressions/operator-expr.md#the-dereference-operator +[place expression context]: expressions.md#place-expressions-and-value-expressions
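Review bot: In the first patch's hunk `@@ -62,6 +63,17 @@`, the relocated note carries the typo "adverse affects" (should be "adverse effects") and spells "behaviour" where the rest of the file and the heading use "behavior"; since the block is being moved anyway, fix both in the same move rather than shipping the typo twice. In the same hunk, the `[place expression]: expressions.md#place-expressions-and-value-expressions` definition is dropped into the body between the note and the `### Dangling pointers` heading instead of the link-definition block at the end of the file where `[`bool`]`, `[`const`]`, `[noalias]` and the rest live; the second patch ("move link def.n") corrects this, so squash it into the first commit so no intermediate revision has a stray link definition in the prose.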
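Review bot: In the third patch's hunk `@@ -23,8 +23,9 @@`, the example `addr_of!(&*expr)` does not illustrate place expression context. `&*expr` is a value expression that materializes a reference, so on a dangling or unaligned raw pointer it is already undefined behavior under the separate "reference or `Box` that is [dangling], unaligned" bullet, and `addr_of!` would then be taking the address of that temporary reference. The case this bullet is trying to pin down is the bare place, i.e. `addr_of!(*expr)`, where `*expr` is evaluated only as a place and no reference is created; suggest changing the parenthetical to `(e.g. `addr_of!(*expr)`)`.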