clarify how write_bytes can lead to UB due to invalid values #99084
Conversation
|
r? @m-ou-se (rust-highfive has picked a reviewer for you, use r? to override) |
rustbot
added
the
T-libs
|
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
rust-highfive
added
the
S-waiting-on-review
|
I'd include a code sample as well, personally. let mut value: u8 = 0;
let ptr: *mut bool = &mut value as *mut u8 as *mut bool;
ptr.write_bytes(42, 1);Something like that. Not sure. And/or
That might be too redundant, but it is more explicit. |
This comment was marked as outdated.
This comment was marked as outdated.
That's fair, I was just lazy...
I agree with that comment but I have no idea if you are suggesting any docs change here. |
Was replying to a deleted comment, I'll hide it. |
|
Ah... yeah @eggyal please don't delete comments, it's just confusing. |
|
Apologies. I posted my comment before I saw #99084 (comment), which had already answered it; and then deleted within seconds not realising a reply was already being written... hadn't intended to cause all this confusion! |
|
Does this also close #84184 ? Or will that issue just need an update? |
|
I think that issue is basically rust-lang/unsafe-code-guidelines#84, so I don't think it is entirely resolved by this PR. This PR carefully uses a local variable of type |
|
You commented before that:
So I don't understand how if the example that already exists is on shaky ground, we can justify adding a second one. I can never tell if the docs are normative or not, but if they are we've already got the cart miles ahead of the horse here. What is the point of an RFC or a lang-team decision if this pattern is already enshrined as valid because it is in the docs? |
|
The docs I am adding here do not use the potentially bad pattern. |
|
As far as I can tell the question that's up in the air in rust-lang/unsafe-code-guidelines#84 is: Even if you don't "use" it, is setting a value to an invalid bit pattern in itself UB? If the docs are normative, this has already been decided and the answer is no. Also, I'm not sure what it means to "use" a value. The reference defines "producing" a value but that's not the term you're using here and also that page in the reference has a big red warning that is is not exhaustive. Does taking a reference to a value use the value? It seems like the answer to that is already "no"... because the docs do it. Even though there has been a lot of discussion about this recently. I understand what you intend for this example in the docs. My concern is that these docs already suggest that a whole bunch which seems to me is not settled has actually been decided, and this PR is adding to that situation. |
Which part of the existing docs are you referring to? And which part of my PR makes any commitments regarding rust-lang/unsafe-code-guidelines#84? All I want to do here is answer rust-lang/unsafe-code-guidelines#330 (comment) without making any other commitments. You seem to be saying that is not possible? I don't understand why, since rust-lang/unsafe-code-guidelines#330 (comment) is independent of rust-lang/unsafe-code-guidelines#84. |
|
Okay, phew. I think I've poorly communicated my concern here and I'm also re-familiarizing myself with the context. Sorry about that.
rust/library/core/src/intrinsics.rs Lines 2580 to 2608 in 268be96
I do not think this PR makes any additional commitments. Sorry if I suggested that. I think we are already more committed by the example I linked above. I'm concerned about the net effect of adding more documentation and more examples to If I had my way, we'd delete the existing example that I linked, and just have the one you are trying to add with this PR. |
Ah, I see. I think it was actually meant to demonstrate the part of the docs this is editing, and that the UB is indeed delayed, not at the time of the write. |
|
Yeah, I think that box example should go, it looks to be mostly answering the question of rust-lang/unsafe-code-guidelines#84 rather than showing how to zero some memory. 84 should be answered in the docs when it's resolved, but I don't think it needs to be answered here. (I'd probably put it under |
|
We haven't heard from @m-ou-se , so maybe let's re-roll the reviewer dice. r? rust-lang/T-libs-api |
|
Oh, did the syntax change? |
|
Yet another attempt at guessing the right syntax |
|
Do you think this needs API review? If so, filing an issue on https://github.com/rust-lang/libs-team/ is the best way to do that now. Otherwise I'll take a look later today, at a glance it doesn't look like it changes API contracts, but I mention it just cuz you tried to reroll for libs-api first. |
|
Filing an issue elsewhere to request review for a rustc PR? I am confused.^^ This changes the doc comment of a stdlib function. It doesn't change the syntax or types of any public API, but it changes / clarifies its contract. I'll leave it to you to decide what kind of review that needs. |
|
If it changes the contract you should make an ACP about it. If you want, you can wait until I review and I can tell you if I think this is needed, though. |
|
Oh. If that much process is needed for this kind of PR nowadays I will probably have to reduce the amount of those PRs I write. I often notice small-ish issues in our unsafe API documentation, and like to write quick clarifications. But I don't have the time for extra paperwork here -- sorry. I could file issues rather than submit PRs, but in my experience these either never get fixed, or end up need a few rounds of review due to a lot of subtle issues at play -- which takes a lot more time than writing a PR myself. Also that says ACP is for changes to unstable APIs. This is a change to the documentation of a stable API (like most of my stdlib documentation PRs). |
Right, I guess the assumption is that we don't make changes to stable APIs. Either way, this doesn't actually seem to change anything. This is a clarification of an existing API, and this was already UB in the same way, no? |
|
We change the documentation of unsafe stable APIs all the time. It's very hard to get the wording just right, so this is a continuous process.
Whether or not this changes anything depends on how you interpret the documentation. ;) My interpretation is that this just says, in a clearer way, what we already meant before. |
I agree. The other option would be T-libs-API FCP, but I don't think this is needed (if someone disagrees they can r- or back it out) -- It's not identical to what was promised before, but I think the previous one meant to say something closer to this. I don't think that needs signoff, at least not in this case. @bors r+ rollup |
bors
added
S-waiting-on-bors
clarify how write_bytes can lead to UB due to invalid values Fixes rust-lang/unsafe-code-guidelines#330 Cc `@5225225`
Rollup of 9 pull requests Successful merges: - rust-lang#92390 (Constify a few `(Partial)Ord` impls) - rust-lang#97077 (Simplify some code that depend on Deref) - rust-lang#98710 (correct the output of a `capacity` method example) - rust-lang#99084 (clarify how write_bytes can lead to UB due to invalid values) - rust-lang#99178 (Lighten up const_prop_lint, reusing const_prop) - rust-lang#99673 (don't ICE on invalid dyn calls) - rust-lang#99703 (Expose size_hint() for TokenStream's iterator) - rust-lang#99709 (`Inherited` always has `TypeckResults` available) - rust-lang#99713 (Fix sidebar background) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
Fixes rust-lang/unsafe-code-guidelines#330
Cc @5225225