transmute: caution against int2ptr transmutation #122379
r=me
@scottmcm should this go through t-lang FCP? |
be28971 to 90a5a6c
I would prefer to see something here that indicates that it is specifically not possible to round-trip pointers through transmuting to an integer type and back, because that is the pattern that people do in the wild. |
I would consider this an inevitable conclusion from the Provenance RFC's acceptance (i.e. not requiring FCP). |
This is currently implied by:
Are you saying that roundtrips should be mentioned more explicitly? Sure, I can do that. |
90a5a6c to d3299af
We could declare that ptr2int transmute "exposes" the pointer and int2ptr transmute makes it pick up an exposed provenance similar to I'd prefer if we didn't do that, though. |
If "transmute is semantically equivalent to a bitwise move of one type into another", then how would we rationalize the operation being different from a pointer load without changing the definition of transmute? |
We'd rationalize this as a hack in the transmute intrinsic that is intended to keep old code working -- code that made wrong assumptions about the Rust memory model at a time when there were no reliable docs about which assumptions one could make.
|
Ah, we'd burn down the performance of Rust programs because they did undefined behavior! I see, I see. Wait, what? |
I don't think this would impact the performance of any "good" programs. After all with I didn't say it's an option I like, I just said it's a possible option and the docs added here are not an inevitable conclusion of Rust having provenance on pointers but not integers. |
I suppose I can concede that much, and will simply say that I would strongly prefer we not seriously entertain any ideas that are technically valid but involve deeply undermining an understanding of how programs will be compiled. |
I believe Ralf is referring to reverting #121282. Before that PR, |
I brought this up briefly in lang triage today, @RalfJung. Meeting consensus was that we don't need checkboxes for it. If you/opsem are happy with the description, we're happy to land stuff since the RFC about having provenance was approved. |
Okay let's do t-opsem FCP then. @rustbot fcp merge |
Oh, wrong bot. |
Team member @RalfJung has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc `@saethlin` `@scottmcm` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
…iaskrgr Rollup of 6 pull requests Successful merges: - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122895 (add some ice tests 5xxxx to 9xxxx) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) - rust-lang#122952 (Miri subtree update) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#116016 (Soft-destabilize `RustcEncodable` & `RustcDecodable`, remove from prelude in next edition) - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) r? `@ghost` `@rustbot` modify labels: rollup
…kingjubilee Rollup of 13 pull requests Successful merges: - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#121940 (Mention Register Size in `#[warn(asm_sub_register)]`) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122460 (Rework rmake support library API) - rust-lang#122797 (Fix compile of wasm64-unknown-unknown target) - rust-lang#122875 (CFI: Support self_cell-like recursion) - rust-lang#122879 (CFI: Strip auto traits off Virtual calls) - rust-lang#122895 (add some ice tests 5xxxx to 9xxxx) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122923 (In `pretty_print_type()`, print `async fn` futures' paths instead of spans.) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122963 (core/panicking: fix outdated comment) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 9 pull requests Successful merges: - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122840 (`rustdoc --test`: Prevent reaching the maximum size of command-line by using files for arguments if there are too many) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) - rust-lang#122963 (core/panicking: fix outdated comment) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#122379 - RalfJung:int2ptr-transmute, r=m-ou-se transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
This came up in #121282.
Cc @saethlin @scottmcm
Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
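The round-trip pattern discussed in this thread, written with `as` casts instead of `transmute`, as an added example that is not code from the PR or from the Rust project. The tagged-pointer scenario and the names `pack`, `unpack`, `roundtrip_and_write` and `TAG_MASK` are assumptions made for illustration.

```rust
use std::mem;

/// Low-bit tag mask: the alignment bits of a `u64` pointer are always zero,
/// so they can carry a small tag. (Constructed scenario.)
const TAG_MASK: usize = mem::align_of::<u64>() - 1;

/// Pack a pointer and a small tag into one integer.
/// The `as` cast is a ptr2int cast that exposes the pointer's provenance,
/// so a later int2ptr cast can pick it up again.
fn pack(ptr: *mut u64, tag: usize) -> usize {
    assert!(tag <= TAG_MASK, "tag does not fit in the alignment bits");
    let addr = ptr as usize;
    assert_eq!(addr & TAG_MASK, 0, "pointer is not aligned");
    addr | tag
}

/// Recover pointer and tag. `as *mut u64` is the int2ptr cast; it is the
/// documented way back from an integer, in contrast to
/// `mem::transmute::<usize, *mut u64>`, which this PR cautions against.
fn unpack(word: usize) -> (*mut u64, usize) {
    ((word & !TAG_MASK) as *mut u64, word & TAG_MASK)
}

/// Round-trip a heap pointer through an integer and write through the result.
fn roundtrip_and_write(value: u64, tag: usize) -> (u64, usize) {
    let raw: *mut u64 = Box::into_raw(Box::new(value));
    let word = pack(raw, tag);
    // Discouraged form seen in the wild (deliberately not used here):
    //   let word: usize = unsafe { mem::transmute(raw) };
    //   let back: *mut u64 = unsafe { mem::transmute(word & !TAG_MASK) };
    let (back, got_tag) = unpack(word);
    // SAFETY: `back` has the same address as `raw`, which came from a live
    // Box, and its provenance was exposed by the cast in `pack`.
    let result = unsafe {
        *back += 1;
        let boxed = Box::from_raw(back); // reclaim ownership so the Box is freed
        *boxed
    };
    (result, got_tag)
}

fn main() {
    let (v, tag) = roundtrip_and_write(41, 0b11);
    println!("value = {v}, tag = {tag:#b}");
}
```

Running code like this under Miri is a practical way to check that a pointer rebuilt from an integer is still accepted for the access.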