Make core::ops::Place an unsafe trait #47299
Conversation
|
r? @KodrAus (rust_highfive has picked a reviewer for you, use r? to override) |
kennytm
added
T-libs-api
|
I think that's a totally reasonable constraint 👍 If we only require that all returned pointers are non null, what do you think about using the |
|
@KodrAus That does not in guarantee that the pointer can be dereferenced, so it's not enough. |
src/libcore/ops/place.rs
Outdated
| /// Returns the address where the input value will be written. | ||
| /// Note that the data at this address is generally uninitialized, | ||
| /// and thus one should use `ptr::write` for initializing it. | ||
| /// | ||
| /// This function must return a valid (non-zero) pointer to | ||
| /// a location at which a value of type `Data` can be written. |
There was a problem hiding this comment.
To stave off misunderstanding, maybe this should say "must return a valid pointer". Since non-null is not the end of the validity requirements.
There was a problem hiding this comment.
the end of the validity requirements
Are those requirements listed somewhere where we can refer to?
There was a problem hiding this comment.
The wording is actually kind of redundant as-is. The real requirement is "This function must return a pointer that a value of type Data can be written through." The specific requirements regarding aliasing and soundness are sort of floaty without unsafe code guidelines, but there's probably some kind of aliasing requirement in there, too 😄
|
So I think we're all in agreement that there's more to the contract of For the specific guarantees it sounds like we might not be able to get too specific about what a value of What do you all think? |
|
I've pushed an update to the wording of the docs. LMK if there are more changes you'd like to see. |
|
I'm jumping in a bit late here, but it seems like the second paragraph is basically just restating the first paragraph. |
|
@sfackler IMO the first paragraph sounds like it's directed at users of the trait-- it describes suggested usage patterns, while the second paragraph focuses on the invariants that must be upheld by the implementer in order for the |
|
I'm not sure if there's precedent in |
|
@rust-lang/libs Hi could any of you start the FCP process? rfcbot has not caught up with the new members yet (cc rust-lang/rfcbot-rs#176) |
|
@rfcbot fcp merge |
rfcbot
added
the
proposed-final-comment-period
|
Team member @alexcrichton has proposed to merge this. The next step is review by the rest of the tagged teams: No concerns currently listed. Once these reviewers reach consensus, this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
kennytm
added
S-waiting-on-team
|
🔔 This is now entering its final comment period, as per the review above. 🔔 |
rfcbot
added
final-comment-period
|
@bors: r+ |
|
📌 Commit f25f468 has been approved by |
Make core::ops::Place an unsafe trait Consumers of `Place` would reasonably expect that the `pointer` function returns a valid pointer to memory that can actually be written to.
kennytm
added
the
S-waiting-on-bors
kennytm
removed
the
S-waiting-on-team
|
☀️ Test successful - status-appveyor, status-travis |
Consumers of
Placewould reasonably expect that thepointerfunction returns a valid pointer to memory that can actually be written to.