Clarify the relationship between `forget()` and `ManuallyDrop`. #69618

hniksic · 2020-03-01T20:43:47Z

As discussed on reddit, this commit addresses two issues with the
documentation of mem::forget():

The documentation of mem::forget() can confuse the reader because of the
discrepancy between usage examples that show correct usage and the
accompanying text which speaks of the possibility of double-free. The
text that says "if the panic occurs before mem::forget was called"
refers to a variant of the second example that was never shown, modified
to use mem::forget instead of ManuallyDrop. Ideally the documentation
should show both variants, so it's clear what it's talking about.

Also, the double free could be fixed just by placing mem::forget(v)
before the construction of s. Since the lifetimes of s and v
wouldn't overlap, there would be no point where panic could cause a double
free. This could be mentioned, and contrasted against the more robust fix
of using ManuallyDrop.
This sentence seems unjustified: "For some types, operations such as
passing ownership (to a funcion like mem::forget) requires them to
actually be fully owned right now [...]". Unlike C++, Rust has no move
constructors, its moves are (possibly elided) bitwise copies. Even if you
pass an invalid object to mem::forget, no harm should come to pass
because mem::forget consumes the object and exists solely to prevent
drop, so there no one left to observe the invalid state state.

rust-highfive · 2020-03-01T20:43:57Z

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @sfackler (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

Centril · 2020-03-01T21:33:30Z

r? @RalfJung

RalfJung · 2020-03-02T13:29:49Z

This sentence seems unjustified: "For some types, operations such as
passing ownership (to a funcion like mem::forget) requires them to
actually be fully owned right now [...]".

I added that sentence because the following is UB:

fn main() { unsafe {
    let x = Box::new(4);
    let x_copy = std::ptr::read(&x);
    drop(x);
    std::mem::forget(x_copy);
} }

Click "Tools - Miri" on playground to see the UB.

In other words, passing invalid object to any function can cause UB (it is "producing an invalid value"). The fact that you seem convinced of the opposite despite the docs stating this makes it even more important to keep this remark, I think. ;) But the remark is probably not very clear, and could be improved. Any suggestions?

hniksic · 2020-03-02T17:06:48Z

@RalfJung Thanks for the clarification and the example. I can't suggest a better wording for that part because I don't yet understand the underlying problem.

Looking at the example, I cannot help but wonder if Miri is being too strict here. For example, changing let x = Box::new(4) to let x = 4 or even let x = Rc::new(4) removes the error from the Miri run. I'm curious in particular what is the difference between Box<i32> and Rc<i32> here - is some box-specific compiler magic going on?

hniksic · 2020-03-02T17:20:46Z

After thinking about this some more, I'm beginning to see your point: passing a dangling Box to any function, including mem::forget, is undefined behavior by definition. Even if it doesn't currently appear to produce a bad outcome, it could do so at any time, and the documentation should warn against it. The wording of the definition makes it apparent why let x = 4 is accepted by Miri, but the box is not - destroying 4 doesn't produce an invalid integer (no integer is invalid, although a bool or an enum can be), but deallocating the box does produce a very invalid box.

It is curious that the definition explicitly includes a dangling Box, but doesn't (explicitly) cover other types of smart pointers, such as Rc and Arc. Is that an oversight in the definition or the result of more subtle reasons why one is ok while the others are not?

RalfJung · 2020-03-04T20:00:48Z

I'm curious in particular what is the difference between Box and Rc here - is some box-specific compiler magic going on?

Box is in some sense a primitive type that is recognized and treated specially by the compiler. It knows that it is a valid pointer that can be dereferenced etc. Rc, at least currently, does not get such a treatment. But I wouldn't rely on that... that's why I phrased the warning more generally.

At least right now, you are correct that Box is the only type hat has non-trivial drop that gets that treatment. The other types the compiler tracks like that are the reference types. However, references wrapped in a newtype might eventually also get that treatment, and those could have drop glue as well.

passing a dangling Box to any function, including mem::forget, is undefined behavior by definition. Even if it doesn't currently appear to produce a bad outcome, it could do so at any time, and the documentation should warn against it.

Exactly.

Generally, ManuallyDrop is preferred over mem::forget. As usual, type-based approaches just work better. :)

hniksic · 2020-03-04T21:17:05Z

@RalfJung I've now pushed a change that restores the warning against producing invalid values, only reworded in a way that (hopefully) clarifies the issue.

src/libcore/mem/mod.rs

RalfJung · 2020-03-05T09:40:46Z

Honestly I am wondering if it is time to soft-deprecate mem::forget in favor of ManuallyDrop -- given that we seem unable to come up with a good usecase for the former above the latter?

hniksic · 2020-03-05T10:40:08Z

mem::forget is still convenient for safe leaks, e.g. to prevent a File from getting closed in some situations. It could of course be emulated with ManuallyDrop, but mem::forget is much easier to understand and document in such cases.

I'll try to give one more shot at documenting the issues correctly (and fixing the grammar).

RalfJung · 2020-03-05T10:51:01Z

mem::forget is still convenient for safe leaks, e.g. to prevent a File from getting closed in some situations. It could of course be emulated with ManuallyDrop, but mem::forget is much easier to understand and document in such cases.

That is a good point.

bors · 2020-03-08T09:29:33Z

☔ The latest upstream changes (presumably #69804) made this pull request unmergeable. Please resolve the merge conflicts.

hniksic · 2020-03-14T11:49:42Z

I believe I've now fixed the issues raised in the review:

the "example" of mem::forget usage is marked as erroneous, with the accompanying text explaining why;
the merge conflict is fixed.

Additionally, the whole relationship with ManuallyDrop is moved to a separate section for clarity.

I believe this improves the current text, for reasons explained in the first bullet point of the PR's description.

The second bullet point of that description is largely invalidated, as the UB is shown to exist. Still, the PR hopefully now provides a more thorough explanation of the issue, especially for readers who (like me previously) think that the fact that Rust's moves are just bitwise copies makes it ok to invoke mem::forget with an invalid value.

hniksic · 2020-03-17T20:55:18Z

@RalfJung Does the S-waiting-on-author label mean that an action is required from my side? If so, what do I need to do?

RalfJung · 2020-03-17T21:27:24Z

No it's just not automatically updated. I have this in my queue and will get around to reviewing it eventually. :)

src/libcore/mem/mod.rs

RalfJung · 2020-03-19T12:59:11Z

Thanks! :)
@bors r+

bors · 2020-03-19T12:59:12Z

📌 Commit 0335c037af4149b392d5782d3bc2e91e13b6d228 has been approved by RalfJung

hniksic · 2020-03-19T13:07:22Z

The len was also hard-coded in the ManuallyDrop example; I've now changed that one as well for consistency.

RalfJung · 2020-03-19T13:31:57Z

Good call.

Could you squash the commits a bit? 13 commits seems excessive for this change.^^

RalfJung · 2020-03-19T13:32:01Z

@bors r-

hniksic · 2020-03-19T13:34:46Z

Could you squash the commits a bit? 13 commits seems excessive for this change.^^

Sure! I kind of assumed you'd squash all of them at merge time, so I didn't bother tidying them up.

Is it ok to also rebase them on current master in order to avoid the bidirectional merge?

RalfJung · 2020-03-19T13:44:11Z

Sure, whatever makes squashing easier for you.

As discussed on reddit, this commit addresses two issues with the documentation of `mem::forget()`: * The documentation of `mem::forget()` can confuse the reader because of the discrepancy between usage examples that show correct usage and the accompanying text which speaks of the possibility of double-free. The text that says "if the panic occurs before `mem::forget` was called" refers to a variant of the second example that was never shown, modified to use `mem::forget` instead of `ManuallyDrop`. Ideally the documentation should show both variants, so it's clear what it's talking about. Also, the double free could be fixed just by placing `mem::forget(v)` before the construction of `s`. Since the lifetimes of `s` and `v` wouldn't overlap, there would be no point where panic could cause a double free. This could be mentioned, and contrasted against the more robust fix of using `ManuallyDrop`. * This sentence seems unjustified: "For some types, operations such as passing ownership (to a funcion like `mem::forget`) requires them to actually be fully owned right now [...]". Unlike C++, Rust has no move constructors, its moves are (possibly elided) bitwise copies. Even if you pass an invalid object to `mem::forget`, no harm should come to pass because `mem::forget` consumes the object and exists solely to prevent drop, so there no one left to observe the invalid state state.

…m::forget. As pointed out by Ralf Jung, dangling references and boxes are undefined behavior as per https://doc.rust-lang.org/reference/behavior-considered-undefined.html and the Miri checker.

Co-Authored-By: Ralf Jung <[email protected]>

Co-Authored-By: lzutao <[email protected]>

hniksic · 2020-03-19T13:51:58Z

I've now rebased the change and reduced the commit count to four, each of which makes logical sense. Feel free to let me know if you want me to cut it further.

RalfJung · 2020-03-19T13:57:10Z

Thanks a lot, that's perfect. :)

@bors r+

bors · 2020-03-19T13:57:11Z

📌 Commit 2bebe8d has been approved by RalfJung

Clarify the relationship between `forget()` and `ManuallyDrop`. As discussed on reddit, this commit addresses two issues with the documentation of `mem::forget()`: * The documentation of `mem::forget()` can confuse the reader because of the discrepancy between usage examples that show correct usage and the accompanying text which speaks of the possibility of double-free. The text that says "if the panic occurs before `mem::forget` was called" refers to a variant of the second example that was never shown, modified to use `mem::forget` instead of `ManuallyDrop`. Ideally the documentation should show both variants, so it's clear what it's talking about. Also, the double free could be fixed just by placing `mem::forget(v)` before the construction of `s`. Since the lifetimes of `s` and `v` wouldn't overlap, there would be no point where panic could cause a double free. This could be mentioned, and contrasted against the more robust fix of using `ManuallyDrop`. * This sentence seems unjustified: "For some types, operations such as passing ownership (to a funcion like `mem::forget`) requires them to actually be fully owned right now [...]". Unlike C++, Rust has no move constructors, its moves are (possibly elided) bitwise copies. Even if you pass an invalid object to `mem::forget`, no harm should come to pass because `mem::forget` consumes the object and exists solely to prevent drop, so there no one left to observe the invalid state state.

@ghost

Rollup of 9 pull requests Successful merges: - rust-lang#69618 (Clarify the relationship between `forget()` and `ManuallyDrop`.) - rust-lang#69768 (Compute the correct layout for variants of uninhabited enums) - rust-lang#69935 (codegen/mir: support polymorphic `InstanceDef`s) - rust-lang#70103 (Clean up E0437 explanation) - rust-lang#70131 (Add regression test for TAIT lifetime inference (issue rust-lang#55099)) - rust-lang#70133 (remove unused imports) - rust-lang#70145 (doc: Add quote to .init_array) - rust-lang#70146 (Clean up e0438 explanation) - rust-lang#70150 (triagebot.toml: accept cleanup-crew) Failed merges: r? @ghost

rust-highfive assigned sfackler Mar 1, 2020

rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Mar 1, 2020

rust-highfive assigned RalfJung and unassigned sfackler Mar 1, 2020

This comment has been minimized.

Sign in to view

RalfJung reviewed Mar 5, 2020

View reviewed changes