-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Document unsafe blocks in core::{cell, str, sync} #66564
Document unsafe blocks in core::{cell, str, sync} #66564
Conversation
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @RalfJung (or someone else) soon. If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes. Please see the contribution instructions for more information. |
Cc @rust-lang/wg-unsafe-code-guidelines |
There are also still some open comments at #66506 |
Ping from triage |
Pinging again from triage: |
@JohnCSimon I've addressed the comments as much as I can without further comments from the reviewer. |
Ping from triage: |
My status is that I still don't know when I will have the time to look at this -- sorry. With the holidays coming up, my free time has diminished to basically zero. |
src/libcore/cell.rs
Outdated
@@ -369,6 +367,7 @@ impl<T> Cell<T> { | |||
if ptr::eq(self, other) { | |||
return; | |||
} | |||
// SAFETY: not threadsafe, but it's OK since we know `Cell` isn't threadsafe |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Besides data races, a major concern here is invalidating pointers. The reason this is safe is that Cell
rules out interior pointers -- there can be nothing pointing into either of these Cell
, so we can swap out their content just fine.
This applies to the other unsafe blocks in this file as well.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Also, "not threadsafe is okay" is negative reasoning, that's somewhat backwards. What we need here is positive evidence that there cannot be a race, and that evidence is that Cell
is !Sync
. I think that's what you mean by your second use of the word "threadsafe" but it's not entirely clear.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
So sorry for the long delay. I expected this to be huge amounts of work so I pushed it back again and again to start the review... turns out I hardly know most of this code so I can't intelligently review it anyway. :/
This mostly looks good to me, modulo the comments I left. However I had to skip most of the str
module as I am entirely unfamiliar with that code. Could someone from @rust-lang/libs check that part?
src/libcore/str/mod.rs
Outdated
@@ -1538,6 +1548,9 @@ fn run_utf8_validation(v: &[u8]) -> Result<(), Utf8Error> { | |||
if align != usize::max_value() && align.wrapping_sub(index) % usize_bytes == 0 { | |||
let ptr = v.as_ptr(); | |||
while index < blocks_end { | |||
// SAFETY: since `align - index` and `ascii_block_size` are multiples of | |||
// `usize_bytes`, `ptr.add(index)` is always aligned with a `usize` so we | |||
// may cast directly to a `const` pointer. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Casting to a raw const ptr is always possible so I a somewhat puzzled by this comment. Also, why does this implication hold? Not sure how you are going from align-index
to `ptr.add(index)´.
And it's not really align-index
anyway, it's wrapping_sub
, but add
must not overflow. So why does this all fit together?^^ (Probably this should be reviewed by someone who has seen this code before...)
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, this is one part where I'm still unsure that it's correct, even after reading through the code a dozen times. I'd appreciate hearing why this works from someone who's familiar with the code, too.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This took me a while to understand, but basically:
align
is an offset in the string at which pointptr.add(align)
is guaranteed to be usize-aligned.- If
align - index
is a multiple ofusize_bytes
thenptr.add(index)
is usize-aligned.
☔ The latest upstream changes (presumably #67540) made this pull request unmergeable. Please resolve the merge conflicts. |
5e02e58
to
9f4f19a
Compare
Picking a @rust-lang/libs reviewer (not sure if team pings are checked by anyone)... r? @Amanieu. See #66564 (review) for my own review results. |
This looks good to me (minus that one comment), but needs to be rebased. |
@foeb can you rebase this? thanks |
Co-Authored-By: Ralf Jung <post@ralfj.de>
9f4f19a
to
c103c28
Compare
The job Click to expand the log.
I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact |
@Dylan-DPC Thanks for the ping! I've rebased the branch and it should be ready to be merged. |
@bors r=Amanieu |
📌 Commit 022a7de has been approved by |
⌛ Testing commit 022a7de with merge 2ea51420ade2ad385c4950a1faa919da73f0a812... |
@bors retry (doing this to yield to a rollup retry ) |
…l-str, r=Amanieu Document unsafe blocks in core::{cell, str, sync} Split from rust-lang#66506 (issue rust-lang#66219). Hopefully doing a chunk at a time is more manageable! r? @RalfJung
…l-str, r=Amanieu Document unsafe blocks in core::{cell, str, sync} Split from rust-lang#66506 (issue rust-lang#66219). Hopefully doing a chunk at a time is more manageable! r? @RalfJung
Rollup of 4 pull requests Successful merges: - #66564 (Document unsafe blocks in core::{cell, str, sync}) - #67791 (Implement Lift using interners instead of in_arena) - #68278 ([self-profiler] Add example to `-Z help` to turn on query key recording) - #68300 (Allow added string.insert benchmarks to compile) Failed merges: r? @ghost
@@ -17,6 +15,7 @@ impl Utf8Lossy { | |||
} | |||
|
|||
pub fn from_bytes(bytes: &[u8]) -> &Utf8Lossy { | |||
// SAFETY: Both use the same memory layout, and UTF-8 correctness isn't required. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
FWIW, they actually are not guaranteed to use the same memory layout -- Utf8Lossy
has no repr
annotations, so layout is unspecified. In this case I think adding repr(transparent)
to Utf8Lossy
is enough.
If you know of more such cases, it would be great if you could add them in rust-lang/unsafe-code-guidelines#90. :)
Correct safety reasoning in `str::make_ascii_{lower,upper}case()` I don't understand why the previous comment was used (it was inserted in rust-lang#66564), but it doesn't explain why these functions are safe, only why `str::as_bytes{_mut}()` are safe. If someone thinks they make perfect sense, I'm fine with closing this PR.
Split from #66506 (issue #66219). Hopefully doing a chunk at a time is more manageable!
r? @RalfJung