Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Implement FromZeroes for thin raw pointers #294

Closed
wants to merge 1 commit into from
Closed

Implement FromZeroes for thin raw pointers #294

wants to merge 1 commit into from

Conversation

joshlf
Copy link
Member

@joshlf joshlf commented Aug 29, 2023

Makes progress on #170

@joshlf joshlf requested review from jswrenn and removed request for jswrenn August 29, 2023 04:52
@joshlf joshlf marked this pull request as draft August 29, 2023 04:53
@joshlf joshlf mentioned this pull request Aug 29, 2023
Merged
@joshlf joshlf requested a review from jswrenn August 29, 2023 05:13
@joshlf joshlf marked this pull request as ready for review August 29, 2023 05:14
jswrenn
jswrenn reviewed Aug 29, 2023
View reviewed changes
src/lib.rs
Comment on lines +950 to +951
/// The all-zeroes const and mut raw pointers are valid, and it is sound to
/// materialize them from nothing. The existence of `ptr::null` [1] and
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is it clearly documented anywhere that 0 is a valid value for the null pointer? Infamously, the C standard does not require that null pointers have an all-zero bit-pattern, only that they compare as equal to 0.

src/lib.rs
Comment on lines +979 to +980
unsafe_impl!(T: Sized => FromZeroes for *const T);
unsafe_impl!(T: Sized => FromZeroes for *mut T);
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This snippet from the internals of the standard library gives me pause:

pub const fn invalid<T>(addr: usize) -> *const T {
    // FIXME(strict_provenance_magic): I am magic and should be a compiler intrinsic.
    // We use transmute rather than a cast so tools like Miri can tell that this
    // is *not* the same as from_exposed_addr.
    // SAFETY: every valid integer is also a valid pointer (as long as you don't dereference that
    // pointer).
    unsafe { mem::transmute(addr) }
}

The use of mem::transmute suggests that these sorts of transmutes are fine now, but what about the comment "I am magic and should be a compiler intrinsic"?

@joshlf
Copy link
Member Author

joshlf commented Aug 29, 2023

Current plan is to wait until this change (or something similar) lands so the soundness of this PR is clearly backed by the Rust reference.

@joshlf
Copy link
Member Author

joshlf commented Nov 2, 2023

Closing in favor of #584.

@joshlf joshlf closed this Nov 2, 2023
@joshlf joshlf deleted the from-zeroes-raw-pointers branch March 2, 2024 02:32
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jswrenn jswrenn jswrenn left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@joshlf @jswrenn