Make Copy unsafe to implement for ADTs with unsafe fields
#134008
Merged
+166
−54
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
|
Some changes occurred in src/tools/clippy cc @rust-lang/clippy |
This comment has been minimized.
This comment has been minimized.
jswrenn
force-pushed
the
unsafe-fields-copy
branch
from
c19cba7 to
d66fa52
Compare
This comment has been minimized.
This comment has been minimized.
jswrenn
force-pushed
the
unsafe-fields-copy
branch
from
d66fa52 to
96fc9a9
Compare
compiler-errors
requested changes
Dec 7, 2024
| match (trait_def.safety, unsafe_attr, trait_header.safety, trait_header.polarity) { | ||
| let is_copy = tcx.is_lang_item(trait_def.def_id, LangItem::Copy); | ||
| let trait_def_safety = if is_copy { | ||
| use rustc_type_ir::inherent::*; |
There was a problem hiding this comment.
inherent is only for the solver
There was a problem hiding this comment.
What's your recommendation? The intent of this PR is to implement the suggestion in the RFC discussion that Misunderstood what you were commenting on.Copy is conditionally (un)safe to implement depending on whether the Self type has unsafe fields. Is there a better way to achieve this?
There was a problem hiding this comment.
just duplicate the method on ty or whatever
There was a problem hiding this comment.
I import inherent::Ty here because it provides the has_unsafe_fields helper. Should I also add that function as an inherent method on rustc_middle::ty::Ty?
rustbot
added
S-waiting-on-author
jswrenn
force-pushed
the
unsafe-fields-copy
branch
from
96fc9a9 to
47454f3
Compare
This comment has been minimized.
This comment has been minimized.
jswrenn
force-pushed
the
unsafe-fields-copy
branch
from
47454f3 to
ae4c896
Compare
|
Some changes occurred in compiler/rustc_codegen_cranelift cc @bjorn3 |
jswrenn
commented
Dec 7, 2024
Comment on lines
57
to
+77
| #[lang = "copy"] | ||
| pub unsafe trait Copy {} | ||
|
|
||
| unsafe impl Copy for bool {} | ||
| unsafe impl Copy for u8 {} | ||
| unsafe impl Copy for u16 {} | ||
| unsafe impl Copy for u32 {} | ||
| unsafe impl Copy for u64 {} | ||
| unsafe impl Copy for u128 {} | ||
| unsafe impl Copy for usize {} | ||
| unsafe impl Copy for i8 {} | ||
| unsafe impl Copy for i16 {} | ||
| unsafe impl Copy for i32 {} | ||
| unsafe impl Copy for isize {} | ||
| unsafe impl Copy for f32 {} | ||
| unsafe impl Copy for f64 {} | ||
| unsafe impl Copy for char {} | ||
| unsafe impl<'a, T: ?Sized> Copy for &'a T {} | ||
| unsafe impl<T: ?Sized> Copy for *const T {} | ||
| unsafe impl<T: ?Sized> Copy for *mut T {} | ||
| unsafe impl<T: Copy> Copy for Option<T> {} | ||
| pub trait Copy {} | ||
|
|
||
| impl Copy for bool {} | ||
| impl Copy for u8 {} | ||
| impl Copy for u16 {} | ||
| impl Copy for u32 {} | ||
| impl Copy for u64 {} | ||
| impl Copy for u128 {} | ||
| impl Copy for usize {} | ||
| impl Copy for i8 {} | ||
| impl Copy for i16 {} | ||
| impl Copy for i32 {} | ||
| impl Copy for isize {} | ||
| impl Copy for f32 {} | ||
| impl Copy for f64 {} | ||
| impl Copy for char {} | ||
| impl<'a, T: ?Sized> Copy for &'a T {} | ||
| impl<T: ?Sized> Copy for *const T {} | ||
| impl<T: ?Sized> Copy for *mut T {} | ||
| impl<T: Copy> Copy for Option<T> {} |
There was a problem hiding this comment.
I presume we don't have an obligation to support #[lang = "copy"] unsafe trait Copy {}, since no_core and lang_items are unstable.
This comment has been minimized.
This comment has been minimized.
As a rule, the application of `unsafe` to a declaration requires that use-sites of that declaration also require `unsafe`. For example, a field declared `unsafe` may only be read in the lexical context of an `unsafe` block. For nearly all safe traits, the safety obligations of fields are explicitly discharged when they are mentioned in method definitions. For example, idiomatically implementing `Clone` (a safe trait) for a type with unsafe fields will require `unsafe` to clone those fields. Prior to this commit, `Copy` violated this rule. The trait is marked safe, and although it has no explicit methods, its implementation permits reads of `Self`. This commit resolves this by making `Copy` conditionally safe to implement. It remains safe to implement for ADTs without unsafe fields, but unsafe to implement for ADTs with unsafe fields. Tracking: rust-lang#132922
jswrenn
force-pushed
the
unsafe-fields-copy
branch
from
ae4c896 to
3ce35a4
Compare
|
Some changes occurred in compiler/rustc_codegen_gcc |
rustbot
added
S-waiting-on-review
compiler-errors
approved these changes
Dec 9, 2024
|
@bors r+ rollup |
bors
added
S-waiting-on-bors
fmease
added a commit
to fmease/rust
that referenced
this pull request
Dec 9, 2024
…iler-errors Make `Copy` unsafe to implement for ADTs with `unsafe` fields As a rule, the application of `unsafe` to a declaration requires that use-sites of that declaration also entail `unsafe`. For example, a field declared `unsafe` may only be read in the lexical context of an `unsafe` block. For nearly all safe traits, the safety obligations of fields are explicitly discharged when they are mentioned in method definitions. For example, idiomatically implementing `Clone` (a safe trait) for a type with unsafe fields will require `unsafe` to clone those fields. Prior to this commit, `Copy` violated this rule. The trait is marked safe, and although it has no explicit methods, its implementation permits reads of `Self`. This commit resolves this by making `Copy` conditionally safe to implement. It remains safe to implement for ADTs without unsafe fields, but unsafe to implement for ADTs with unsafe fields. Tracking: rust-lang#132922 r? `@compiler-errors`
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Dec 10, 2024
Rollup of 9 pull requests Successful merges: - rust-lang#133967 ([AIX] Pass -bnoipath when adding rust upstream dynamic crates) - rust-lang#133970 ([AIX] Replace sa_sigaction with sa_union.__su_sigaction for AIX) - rust-lang#133980 ([AIX] Remove option "-n" from AIX "ln" command) - rust-lang#134008 (Make `Copy` unsafe to implement for ADTs with `unsafe` fields) - rust-lang#134017 (Don't use `AsyncFnOnce::CallOnceFuture` bounds for signature deduction) - rust-lang#134023 (handle cygwin environment in `install::sanitize_sh`) - rust-lang#134041 (Use SourceMap to load debugger visualizer files) - rust-lang#134065 (Move `write_graphviz_results`) - rust-lang#134070 (Some asm! diagnostic adjustments and a papercut fix) r? `@ghost` `@rustbot` modify labels: rollup
fmease
added a commit
to fmease/rust
that referenced
this pull request
Dec 10, 2024
…iler-errors Make `Copy` unsafe to implement for ADTs with `unsafe` fields As a rule, the application of `unsafe` to a declaration requires that use-sites of that declaration also entail `unsafe`. For example, a field declared `unsafe` may only be read in the lexical context of an `unsafe` block. For nearly all safe traits, the safety obligations of fields are explicitly discharged when they are mentioned in method definitions. For example, idiomatically implementing `Clone` (a safe trait) for a type with unsafe fields will require `unsafe` to clone those fields. Prior to this commit, `Copy` violated this rule. The trait is marked safe, and although it has no explicit methods, its implementation permits reads of `Self`. This commit resolves this by making `Copy` conditionally safe to implement. It remains safe to implement for ADTs without unsafe fields, but unsafe to implement for ADTs with unsafe fields. Tracking: rust-lang#132922 r? ``@compiler-errors``
This was referenced Dec 10, 2024
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Dec 10, 2024
Rollup of 11 pull requests Successful merges: - rust-lang#133478 (jsondocck: Parse, don't validate commands.) - rust-lang#133967 ([AIX] Pass -bnoipath when adding rust upstream dynamic crates) - rust-lang#133970 ([AIX] Replace sa_sigaction with sa_union.__su_sigaction for AIX) - rust-lang#133980 ([AIX] Remove option "-n" from AIX "ln" command) - rust-lang#134008 (Make `Copy` unsafe to implement for ADTs with `unsafe` fields) - rust-lang#134017 (Don't use `AsyncFnOnce::CallOnceFuture` bounds for signature deduction) - rust-lang#134023 (handle cygwin environment in `install::sanitize_sh`) - rust-lang#134041 (Use SourceMap to load debugger visualizer files) - rust-lang#134065 (Move `write_graphviz_results`) - rust-lang#134106 (Add compiler-maintainers who requested to be on review rotation) - rust-lang#134123 (bootstrap: Forward cargo JSON output to stdout, not stderr) Failed merges: - rust-lang#134120 (Remove Felix from ping groups and review rotation) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
Dec 10, 2024
Rollup merge of rust-lang#134008 - jswrenn:unsafe-fields-copy, r=compiler-errors Make `Copy` unsafe to implement for ADTs with `unsafe` fields As a rule, the application of `unsafe` to a declaration requires that use-sites of that declaration also entail `unsafe`. For example, a field declared `unsafe` may only be read in the lexical context of an `unsafe` block. For nearly all safe traits, the safety obligations of fields are explicitly discharged when they are mentioned in method definitions. For example, idiomatically implementing `Clone` (a safe trait) for a type with unsafe fields will require `unsafe` to clone those fields. Prior to this commit, `Copy` violated this rule. The trait is marked safe, and although it has no explicit methods, its implementation permits reads of `Self`. This commit resolves this by making `Copy` conditionally safe to implement. It remains safe to implement for ADTs without unsafe fields, but unsafe to implement for ADTs with unsafe fields. Tracking: rust-lang#132922 r? ```@compiler-errors```
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
As a rule, the application of
unsafeto a declaration requires that use-sites of that declaration also entailunsafe. For example, a field declaredunsafemay only be read in the lexical context of anunsafeblock.For nearly all safe traits, the safety obligations of fields are explicitly discharged when they are mentioned in method definitions. For example, idiomatically implementing
Clone(a safe trait) for a type with unsafe fields will requireunsafeto clone those fields.Prior to this commit,
Copyviolated this rule. The trait is marked safe, and although it has no explicit methods, its implementation permits reads ofSelf.This commit resolves this by making
Copyconditionally safe to implement. It remains safe to implement for ADTs without unsafe fields, but unsafe to implement for ADTs with unsafe fields.Tracking: #132922
r? @compiler-errors