-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
rename ptr::invalid -> ptr::without_provenance #117658
Conversation
r? @m-ou-se (rustbot has picked a reviewer for you, use r? to override) |
This comment has been minimized.
This comment has been minimized.
Bikeshed: I might expect that Not that I have a better name in mind. |
I agree that I agree that By analogy with And just as a note, calling the function |
CI failure is that hashbrown ( |
My plan was to fix hashbrown before landing this: rust-lang/hashbrown#481 |
Regarding the name: yes the inconsistency with NonNull::dangling being nullary is a bit annoying. But I thought this wouldn't actually be confusing enough to justify picking a different name; the compiler will easily point out when there are too many / too few arguments. If we don't want to overload |
avoid using unstable ptr::invalid_mut I want to rename that function in rust-lang/rust#117658, but currently the build fails because hashbrown uses it.
How about |
That sounds like a pointer one could use to access any allocated object. Which is not what this is. |
FWIW I've turned around and like |
I was considering adding Let's see what t-libs-api says. |
Based on t-libs-api feedback, let's stick to @Amanieu this is now blocked on a hashbrown release. |
☔ The latest upstream changes (presumably #118232) made this pull request unmergeable. Please resolve the merge conflicts. |
@Amanieu would be nice to get a new release of hashbrown that includes rust-lang/hashbrown#481 so that this PR can move to the next stage. :) |
We discussed this in last week's libs-api meeting, but didn't reach a conclusion yet. It'd be useful to know the common use cases for this function. Some things that came up in the meeting:
|
I'll note that the methods to go from a pointer to a usize are called Purely by looking at these names, That's not very clear though, which might suggest that (Edit March 2024: I now think |
Yeah, To me it seems more important to warn about the fact that this pointer cannot be used to access any memory than to be consistent with the inverse function -- ideally we'd do both but I can't think of a way to do that. |
👍 to this. I share the sentiment of not feeling great about either of Ralf's comment in rust-lang/unsafe-code-guidelines#478 (comment) caught my eye: I sometimes call them "(raw) integer pointers", but that doesn't really fit the pattern here. I wonder if there is a way to lean into the interpretation of these being integers dressed as pointers, not so much pointers referring to some (invalid/dangling) "address". What I mean is going even further than pub mod ptr {
pub fn pointy_integer<T>(value: usize) - > *const T;
pub fn pointy_integer_mut<T>(value: usize) - > *mut T;
} The thing to figure out would be whether a "pointy integer" is the thing you get back from |
|
This comment has been minimized.
This comment has been minimized.
💔 Test failed - checks-actions |
also introduce ptr::dangling matching NonNull::dangling
ed5be93
to
b58f647
Compare
@bors r=m-ou-se |
☀️ Test successful - checks-actions |
Finished benchmarking commit (3406ada): comparison URL. Overall result: no relevant changes - no action needed@rustbot label: -perf-regression Instruction countThis benchmark run did not return any relevant results for this metric. Max RSS (memory usage)ResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
CyclesThis benchmark run did not return any relevant results for this metric. Binary sizeResultsThis is a less reliable metric that may be of interest but was not used to determine the overall result at the top of this comment.
Bootstrap: 649.698s -> 651.719s (0.31%) |
rename ptr::invalid -> ptr::without_provenance It has long bothered me that `ptr::invalid` returns a pointer that is actually valid for zero-sized memory accesses. In general, it doesn't even make sense to ask "is this pointer valid", you have to ask "is this pointer valid for a given memory access". We could say that a pointer is invalid if it is not valid for *any* memory access, but [the way this FCP is going](rust-lang/unsafe-code-guidelines#472), it looks like *all* pointers will be valid for zero-sized memory accesses. Two possible alternative names emerged as people's favorites: 1. Something involving `dangling`, in analogy to `NonNull::dangling`. To avoid inconsistency with the `NonNull` method, the address-taking method could be called `dangling_at(addr: usize) -> *const T`. 2. `without_provenance`, to be symmetric with the inverse operation `ptr.addr_without_provenance()` (currently still called `ptr.addr()` but probably going to be renamed) I have no idea which one of these is better. I read [this comment](rust-lang/rust#117658 (comment)) as expressing a slight preference for something like the second option, so I went for that. I'm happy to go with `dangling_at` as well. Cc `@rust-lang/opsem`
Upgrades the Rust toolchain to `nightly-2024-02-25`. The Rust compiler PRs that triggered changes in this upgrades are: * rust-lang/rust#121209 * rust-lang/rust#121309 * rust-lang/rust#120863 * rust-lang/rust#117772 * rust-lang/rust#117658 With rust-lang/rust#121309 some intrinsics became inlineable so their names became qualified. This made our `match` on the intrinsic name to fail in those cases, leaving them as unsupported constructs as in this example: ``` warning: Found the following unsupported constructs: - _RNvNtCscyGW2MM2t5j_4core10intrinsics8unlikelyCs1eohKeNmpdS_5arith (3) - caller_location (1) - foreign function (1) Verification will fail if one or more of these constructs is reachable. See https://model-checking.github.io/kani/rust-feature-support.html for more details. [...] Failed Checks: _RNvNtCscyGW2MM2t5j_4core10intrinsics8unlikelyCs1eohKeNmpdS_5arith is not currently supported by Kani. Please post your example at https://github.com/model-checking/kani/issues/new/choose File: "/home/ubuntu/.rustup/toolchains/nightly-2024-02-18-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/num/mod.rs", line 25, in core::num::<impl i8>::checked_add ``` We use `trimmed_name()` to work around this, but that may include type arguments if the intrinsic is defined on generics. So in those cases, we just take the first part of the name so we can keep the rest as before. Resolves #3044
It has long bothered me that
ptr::invalid
returns a pointer that is actually valid for zero-sized memory accesses. In general, it doesn't even make sense to ask "is this pointer valid", you have to ask "is this pointer valid for a given memory access". We could say that a pointer is invalid if it is not valid for any memory access, but the way this FCP is going, it looks like all pointers will be valid for zero-sized memory accesses.Two possible alternative names emerged as people's favorites:
dangling
, in analogy toNonNull::dangling
. To avoid inconsistency with theNonNull
method, the address-taking method could be calleddangling_at(addr: usize) -> *const T
.without_provenance
, to be symmetric with the inverse operationptr.addr_without_provenance()
(currently still calledptr.addr()
but probably going to be renamed)I have no idea which one of these is better. I read this comment as expressing a slight preference for something like the second option, so I went for that. I'm happy to go with
dangling_at
as well.Cc @rust-lang/opsem