Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Update ReadDir::next in std::sys::pal::unix::fs to use &raw const (*p).field instead of p.byte_offset().cast() #134678

Open
wants to merge 2 commits into
base: master
Choose a base branch
from

Conversation

zachs18
Copy link
Contributor

@zachs18 zachs18 commented Dec 23, 2024

Since rust-lang/reference#1387 and #117572, &raw mut (*p).field/addr_of!((*p).field) is defined to have the same inbounds preconditions as ptr::offset/ptr::byte_offset. I.e. &raw const (*p).field does not require that p: *const T point to a full size_of::<T>() bytes of memory, only that p.byte_add(offset_of!(T, field)) is defined.

The old comment "[...] we don't even get to use &raw const (*entry_ptr).d_name because that operation requires the full extent of *entry_ptr to be in bounds of the same allocation, which is not necessarily the case here [...]" is now outdated, and the code can be simplified to use &raw const (*entry_ptr).field.


There should be no behavior differences from this PR.

The : *const dirent64 on line 716 and the const _: usize = mem::offset_of!(dirent64, $field); and comment on lines 749-751 are just sanity checks and should not affect semantics.

Since the offset_ptr! macro is only called three times, and all with the same local variable entry_ptr, I just used the local variable directly in the macro instead of taking it as an input, and renamed the macro to entry_field_ptr!.

The whole macro could also be removed and replaced with just using &raw const (*entry_ptr).field in the three places, but the comments on the macro seemed worthwhile to keep.

…ptr).field` instead of `ptr.offset(...).cast()`.

Also, the macro is only called three times, and all with the same local variable entry_ptr, so just use the local variable directly,
and rename the macro to entry_field_ptr.
@rustbot
Copy link
Collaborator

rustbot commented Dec 23, 2024

r? @tgross35

rustbot has assigned @tgross35.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot rustbot added O-unix Operating system: Unix-like S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Dec 23, 2024
d_ino: *offset_ptr!(entry_ptr, d_ino) as u64,
d_ino: *entry_field_ptr!(d_ino) as u64,
#[cfg(not(any(
target_os = "solaris",
target_os = "illumos",
target_os = "aix",
target_os = "nto",
)))]
d_type: *offset_ptr!(entry_ptr, d_type) as u8,
d_type: *entry_field_ptr!(d_type) as u8,
Copy link
Contributor

@tgross35 tgross35 Dec 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't know why the as casts are there, no. dirent64 is imported as aliases from various different platforms, so maybe the as casts were added just to make sure it worked (or at least compiled) on any weird platforms where the fields were different type?

Removing the as casts doesn't make any platforms I've tried with ./x.py check library/std complain though1, so maybe they could be removed?

Footnotes

  1. x86_64-unknown-linux-gnu, aarch64-unknown-linux-gnu, aarch64-unknown-freebsd, arm-linux-androideabi, armv7-linux-androideabi, i686-linux-android

Comment on lines 749 to 752
// To make sure the field actually exists and is visible,
// and we aren't silently doing any Deref coercion.
const _: usize = mem::offset_of!(dirent64, $field);
&raw const (*entry_ptr).$field
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The deref concern makes sense to me (and is scary in general), but what happens if the first clause happens i.e. the field doesn't exist or isn't visible? Afaik, &raw doesn't allow bypassing field visibility.

Copy link
Contributor Author

@zachs18 zachs18 Dec 23, 2024

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that is true, yes, any error about a field being missing or too private should cause an error on both the offset_of! and the &raw equally. I could remove the the field actually exists and is visible, and part of the comment if that would be clearer.

Edit: I've updated the comment to only talk about Deref coercion.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm still not sure what the potential error is here - is the concern that dirent64 may add a Deref implementation to something that also has a field named d_ino/d_type/ d_name? That seems unlikely enough that I don't see the need for checking offset_of. At least, I don't think this is any more of a concern for dirent64 than for any other use of &raw.

@RalfJung any thoughts about this kind of pattern?

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Interesting, I hadn't considered the semver implications on this... moving a field behind a Deref impl is indeed a breaking change for some unsafe code users.

But I also never saw this pattern explicitly defending against that, not sure if it's worth it.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
O-unix Operating system: Unix-like S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

4 participants