From 66754d60ef7eedb7c04e83024a1576a40ce4372b Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 31 Oct 2022 11:24:39 +0100 Subject: [PATCH 1/5] update aliasing rules section of the reference --- src/behavior-considered-undefined.md | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index e810e8c0d..baa064562 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -26,8 +26,15 @@ code. * Evaluating a [dereference expression] (`*expr`) on a raw pointer that is [dangling] or unaligned, even in [place expression context] (e.g. `addr_of!(&*expr)`). -* Breaking the [pointer aliasing rules]. `&mut T` and `&T` follow LLVM’s scoped - [noalias] model, except if the `&T` contains an [`UnsafeCell`]. +* Breaking the [pointer aliasing rules]. `Box`, `&mut T` and `&T` follow LLVM’s + scoped noalias model, except if the `&T` contains an [`UnsafeCell`]. + References must not be dangling while they are live. (The exact liveness + duration is not specified, but it is certainly upper-bounded by the syntactic + lifetime assigned by the borrow checker. When a reference is passed to a + function, it is live at least as long as that function call, again except if + the `&T` contains an [`UnsafeCell`].) All this also applies when values of + these types are passed in a (nested) field of a compound type, but not behind + pointer indirections. * Mutating immutable data. All data inside a [`const`] item is immutable. Moreover, all data reached through a shared reference or data owned by an immutable binding is immutable, unless that data is contained within an [`UnsafeCell`]. From 7110c8eb3bbc5ea92f03240aa5a271eec0037bb0 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 31 Oct 2022 19:19:09 +0100 Subject: [PATCH 2/5] add back link --- src/behavior-considered-undefined.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index baa064562..3f4e7d880 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -27,7 +27,7 @@ code. [dangling] or unaligned, even in [place expression context] (e.g. `addr_of!(&*expr)`). * Breaking the [pointer aliasing rules]. `Box`, `&mut T` and `&T` follow LLVM’s - scoped noalias model, except if the `&T` contains an [`UnsafeCell`]. + scoped [noalias] model, except if the `&T` contains an [`UnsafeCell`]. References must not be dangling while they are live. (The exact liveness duration is not specified, but it is certainly upper-bounded by the syntactic lifetime assigned by the borrow checker. When a reference is passed to a From 36579679fe9e959b0f3022c9fb35c9fadfb8df57 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 31 Oct 2022 20:51:54 +0100 Subject: [PATCH 3/5] clarify liveness --- src/behavior-considered-undefined.md | 22 ++++++++++++++-------- 1 file changed, 14 insertions(+), 8 deletions(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index 3f4e7d880..12cbc43bb 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md 
@@ -26,14 +26,20 @@ code. * Evaluating a [dereference expression] (`*expr`) on a raw pointer that is [dangling] or unaligned, even in [place expression context] (e.g. `addr_of!(&*expr)`). -* Breaking the [pointer aliasing rules]. `Box`, `&mut T` and `&T` follow LLVM’s - scoped [noalias] model, except if the `&T` contains an [`UnsafeCell`]. - References must not be dangling while they are live. (The exact liveness - duration is not specified, but it is certainly upper-bounded by the syntactic - lifetime assigned by the borrow checker. When a reference is passed to a - function, it is live at least as long as that function call, again except if - the `&T` contains an [`UnsafeCell`].) All this also applies when values of - these types are passed in a (nested) field of a compound type, but not behind +* Breaking the [pointer aliasing rules]. `Box`, `&mut T` and `&T` follow + LLVM’s scoped [noalias] model, except if the `&T` contains an + [`UnsafeCell`]. References and boxes must not be dangling while they are + live. The exact liveness duration is not specified, but some bounds exist: + * For references, the liveness duration is upper-bounded by the syntactic + lifetime assigned by the borrow checker. + * Each time a reference or box is passed to or returned from a function, it is + considered live. + * When a reference (but not a `Box`!) is passed to a function, it is live at + least as long as that function call, again except if the `&T` contains an + [`UnsafeCell`]. + + All this also applies when values of these + types are passed in a (nested) field of a compound type, but not behind pointer indirections. * Mutating immutable data. All data inside a [`const`] item is immutable. Moreover, all data reached through a shared reference or data owned by an immutable binding From e05229ddadbe233fc9fd1f1e4a32397793243d4e Mon Sep 17 00:00:00 2001 
From: Ralf Jung Date: Tue, 1 Nov 2022 19:52:37 +0100 Subject: [PATCH 4/5] clarify "upper bound" Co-authored-by: Josh Triplett --- src/behavior-considered-undefined.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index 12cbc43bb..6fc96a9e8 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md @@ -31,7 +31,8 @@ code. [`UnsafeCell`]. References and boxes must not be dangling while they are live. The exact liveness duration is not specified, but some bounds exist: * For references, the liveness duration is upper-bounded by the syntactic - lifetime assigned by the borrow checker. + lifetime assigned by the borrow checker; it cannot be live any *longer* than + that lifetime. * Each time a reference or box is passed to or returned from a function, it is considered live. * When a reference (but not a `Box`!) is passed to a function, it is live at From 2af818d235b6c39cb76a099b859a84438e3409f2 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 1 Nov 2022 20:06:30 +0100 Subject: [PATCH 5/5] forward reference to 'dangling' --- src/behavior-considered-undefined.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/behavior-considered-undefined.md b/src/behavior-considered-undefined.md index 6fc96a9e8..f8bffd13e 100644 --- a/src/behavior-considered-undefined.md +++ b/src/behavior-considered-undefined.md 
@@ -28,7 +28,7 @@ code. (e.g. `addr_of!(&*expr)`). * Breaking the [pointer aliasing rules]. `Box`, `&mut T` and `&T` follow LLVM’s scoped [noalias] model, except if the `&T` contains an - [`UnsafeCell`]. References and boxes must not be dangling while they are + [`UnsafeCell`]. References and boxes must not be [dangling] while they are live. The exact liveness duration is not specified, but some bounds exist: * For references, the liveness duration is upper-bounded by the syntactic lifetime assigned by the borrow checker; it cannot be live any *longer* than
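Review bot: in the PATCH 1/5 hunk the replaced line linked `[noalias]` but the new `+` line reads `scoped noalias model` with the brackets dropped, so the rendered page loses the link to the LLVM noalias definition; keep `[noalias]` as a reference link. The same hunk also adds `Box` to the types covered by the noalias model and then says "When a reference is passed to a function, it is live at least as long as that function call" without saying whether that call-duration guarantee extends to `Box`; state explicitly whether it does, since a reader will otherwise assume the preceding sentence's `Box` is included.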
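Review bot: in the PATCH 3/5 hunk the closing paragraph "All this also applies when values of these types are passed in a (nested) field of a compound type" is placed after the nested sub-list with a blank line and a two-space indent; check that mdBook renders it as a continuation of the "Breaking the [pointer aliasing rules]" bullet rather than as a new paragraph that terminates the list, and rewrap the short line `All this also applies when values of these` to match the ~80-column wrapping used elsewhere in the file. Also, the second and third sub-bullets overlap: "Each time a reference or box is passed to or returned from a function, it is considered live" already covers the reference case that the third sub-bullet then restates with the stronger "at least as long as that function call" guarantee; consider merging them or making the second one explicitly the weaker, instantaneous claim.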
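Review bot: in the PATCH 4/5 hunk the added clause "it cannot be live any *longer* than that lifetime" only restates the direction of the bound; since the point of calling it an upper bound is that liveness may end *earlier* than the borrow checker's lifetime (which is what makes some code UB that the lifetimes alone would permit), consider adding that half-sentence so readers do not take the syntactic lifetime as the exact liveness duration.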
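Review bot: the PATCH 5/5 hunk turns `dangling` into the `[dangling]` reference link; the link definition is already relied on by the preceding "raw pointer that is [dangling] or unaligned" bullet in the same context, so no new definition is needed, but the term is defined further down the page, so a brief "(see below)" or an anchor to that definition next to the first use would help readers who reach this bullet first.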