Potential soundness issue (stacked borrows): Is alloc_fast_path persisting borrows too long? #62
Comments
Manishearth
changed the title
|
Well I guess one safe way to do this is to only store raw pointers, but that does kinda suck |
|
Also opened a zulip thread to get feedback from people who understand these rules better than I do. |
|
I think |
|
@thomcc it does because (this kind of thing is exactly why |
|
However, AIUI UCG does not want types like Vec to be special here, so maybe this is still fine and the stacked borrow does not poke through the vec. |
|
the |
|
Yeah, I'm convinced. We're fine as long as Vec isn't special and so far I have mostly heard noises that Vec is not special. |
|
Also relevant, from Ralf:
|
|
|
Ah, thanks, I was going to go digging for that in a bit 😄 |
|
Opened rust-lang/rust#113859 upstream to document the common-sense-but-not-guaranteed invariant that this code relies on. |
…orrow, r=dtolnay Add note that Vec::as_mut_ptr() does not materialize a reference to the internal buffer See discussion on thomcc/rust-typed-arena#62 and [t-opsem](https://rust-lang.zulipchat.com/#narrow/stream/136281-t-opsem/topic/is.20this.20typed_arena.20code.20sound.20under.20stacked.2Ftree.20borrows.3F) This method already does the correct thing here, but it is worth guaranteeing that it does so it can be used more freely in unsafe code without having to worry about potential Stacked/Tree Borrows violations. This moves one more unsafe usage pattern from the "very likely sound but technically not fully defined" box into "definitely sound", and currently our surface area of the latter is woefully small. I'm not sure how best to word this, opening this PR as a way to start discussion.
…dtolnay Add note that Vec::as_mut_ptr() does not materialize a reference to the internal buffer See discussion on thomcc/rust-typed-arena#62 and [t-opsem](https://rust-lang.zulipchat.com/#narrow/stream/136281-t-opsem/topic/is.20this.20typed_arena.20code.20sound.20under.20stacked.2Ftree.20borrows.3F) This method already does the correct thing here, but it is worth guaranteeing that it does so it can be used more freely in unsafe code without having to worry about potential Stacked/Tree Borrows violations. This moves one more unsafe usage pattern from the "very likely sound but technically not fully defined" box into "definitely sound", and currently our surface area of the latter is woefully small. I'm not sure how best to word this, opening this PR as a way to start discussion.
…dtolnay Add note that Vec::as_mut_ptr() does not materialize a reference to the internal buffer See discussion on thomcc/rust-typed-arena#62 and [t-opsem](https://rust-lang.zulipchat.com/#narrow/stream/136281-t-opsem/topic/is.20this.20typed_arena.20code.20sound.20under.20stacked.2Ftree.20borrows.3F) This method already does the correct thing here, but it is worth guaranteeing that it does so it can be used more freely in unsafe code without having to worry about potential Stacked/Tree Borrows violations. This moves one more unsafe usage pattern from the "very likely sound but technically not fully defined" box into "definitely sound", and currently our surface area of the latter is woefully small. I'm not sure how best to word this, opening this PR as a way to start discussion.
…dtolnay Add note that Vec::as_mut_ptr() does not materialize a reference to the internal buffer See discussion on thomcc/rust-typed-arena#62 and [t-opsem](https://rust-lang.zulipchat.com/#narrow/stream/136281-t-opsem/topic/is.20this.20typed_arena.20code.20sound.20under.20stacked.2Ftree.20borrows.3F) This method already does the correct thing here, but it is worth guaranteeing that it does so it can be used more freely in unsafe code without having to worry about potential Stacked/Tree Borrows violations. This moves one more unsafe usage pattern from the "very likely sound but technically not fully defined" box into "definitely sound", and currently our surface area of the latter is woefully small. I'm not sure how best to word this, opening this PR as a way to start discussion.
rust-typed-arena/src/lib.rs
Lines 193 to 205 in f1f26c3
It's unclear to me if this is sound under stacked/tree borrows.
Essentially, the lifetime of the
*chunksmutable place is less than that of the function, and when we callchunks.current.as_mut_ptr()we materialize an&mut Vec<T>for the receiver, but then we return a reference within there that lives longer.My understanding of how these things interact with cells is that from the purposes of these rules cell types behind references can do things that would not be allowed from the general rules of working with a reference, but that doesn't apply to references obtained from within a cell, which is what's happening here.
As far as I can see there's no actual safe way to do this currently (but it is absolutely something that ought to be safe): we need a way to get the ptr behind a vector without materializing a reference to it, and there is currently no
self: *mut SelfVec API for this. (We essentially need the equivalent ofaddr_of!()but for vector fields). So personally this does not worry me too much since "this is unsafe according to currently-in-flux rules but there is no safe way to handle this use case" to me means that we should raise the use case with the folks making the rules and wait for the right APIs.I also understand that UCG has been trying to figure out the balance on recursive validity and stuff, and Miri does not currently complain on this.
So this might be fine in the end, but I do think we should talk about it and raise this use case with UCG so we can get a ruling and folks can ensure the stdlib gets the appropriate APIs as needed.
The text was updated successfully, but these errors were encountered: