docs: `transmute<&mut T, &mut MaybeUninit<T>>` is unsound when exposed to safe code #134583
Conversation
rustbot has assigned @workingjubilee.
library/core/src/mem/maybe_uninit.rs (outdated diff):

```rust
///
/// Note that even though `MaybeUninit<T>` and `T` are ABI compatible it is still unsound to
/// transmute `&mut T` to `&mut MaybeUninit<T>` because that would enable safe Rust to access
/// uninitialized memory:
```
The reasoning only tells me why exposing a `&mut MaybeUninit<T>` from an arbitrary `&mut T` is unsafe, not that it's always unsound to do that reinterpretation.
Yeah, I don't think this is the right place to put this warning. Though I'm not sure where the right place is. Maybe on `MaybeUninit` itself?
This is `MaybeUninit` itself?
oh, lol. yeah then only the wording should be changed
yeah, I wouldn't say "unsound" because unsafe code inherently can perform this sort of rule-bending feat without it immediately being unsound, that's the point of unsafe code... but you do have to restore the invariants before you release control to code that isn't "in on it".
Thanks for the quick review.

According to the reference:

> if `unsafe` code can be misused by safe code to exhibit undefined behavior, it is unsound.

so I think this rewording is accurate:

```rust
/// Note that even though `T` and `MaybeUninit<T>` are ABI compatible it is still unsound to
/// transmute `&mut T` to `&mut MaybeUninit<T>` and expose that to safe code because it would allow
/// safe code to access uninitialized memory:
```

Does anyone disagree?

Here is how that looks when rendered to make it easier to get a feel for it:
Sure, that seems fine.
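The distinction the thread settles on (reinterpreting `&mut T` as `&mut MaybeUninit<T>` is fine for code that is "in on it" and restores the invariant, but unsound the moment a safe API hands the view out) is easiest to see with both positions side by side. The following is an added example written for this discussion; it is not code from the PR or from the standard library. It uses a `[u8]` slice rather than a generic `T` so the "restore the invariant" step is concrete, and `produce_into` is a constructed stand-in for a `read_buf`-style routine that fills a prefix of an uninitialized buffer.

```rust
// Added example (not part of the PR or of std): the `&mut T` -> `&mut MaybeUninit<T>`
// reinterpretation in the two positions that matter for soundness.
use std::mem::MaybeUninit;

/// Reinterpret an initialized `[u8]` as a `[MaybeUninit<u8>]` view.
///
/// # Safety
/// The caller must not store `MaybeUninit::uninit()` (or otherwise de-initialize
/// any byte) through the returned slice: `buf` is still typed `[u8]` and will be
/// read as initialized once the view is gone.
pub unsafe fn as_uninit_slice(buf: &mut [u8]) -> &mut [MaybeUninit<u8>] {
    // Same layout as `[u8]`; the `unsafe` is about the invariant, not the layout.
    unsafe { std::slice::from_raw_parts_mut(buf.as_mut_ptr().cast::<MaybeUninit<u8>>(), buf.len()) }
}

/// Constructed stand-in for a producer that fills a prefix of an uninit buffer and
/// reports how many bytes it initialized (think of a `read_buf`-style syscall
/// wrapper). It only ever calls `write`, never de-initializing a slot.
fn produce_into(dst: &mut [MaybeUninit<u8>]) -> usize {
    const PAYLOAD: &[u8] = b"hello";
    let n = PAYLOAD.len().min(dst.len());
    for (slot, byte) in dst[..n].iter_mut().zip(&PAYLOAD[..n]) {
        slot.write(*byte);
    }
    n
}

/// Sound safe API: the uninit view is created and consumed inside this function
/// and handed only to `produce_into` (audited: never de-initializes), so the
/// `[u8]` invariant holds again by the time the caller gets its `&mut [u8]` back.
pub fn fill(buf: &mut [u8]) -> &mut [u8] {
    // SAFETY: the view is passed only to `produce_into`, which writes
    // initialized bytes and never stores `MaybeUninit::uninit()`.
    let n = unsafe { produce_into(as_uninit_slice(buf)) };
    &mut buf[..n]
}

/// UNSOUND if it were `pub`: the pattern the doc note warns about. Any safe
/// caller could do `view[0] = MaybeUninit::uninit();`, the `u8` behind it is then
/// uninitialized, and even a plain `buf[0]` afterwards is UB (the same class of
/// error Miri reports for the PR's example). Kept private and never called.
#[allow(dead_code)]
fn as_uninit_slice_unsound(buf: &mut [u8]) -> &mut [MaybeUninit<u8>] {
    unsafe { as_uninit_slice(buf) }
}

fn main() {
    let mut buf = [0u8; 8];
    let filled = fill(&mut buf);
    println!("{:?}", std::str::from_utf8(filled)); // Ok("hello")
    // The untouched tail is still the initialized zeros it started with.
    println!("{:?}", buf); // [104, 101, 108, 108, 111, 0, 0, 0]
}
```

The safe/unsafe boundary is the whole point: `as_uninit_slice` carries the "do not de-initialize" contract as an `unsafe fn`, `fill` discharges it internally, and only initialized `&mut [u8]` ever crosses to callers. The unstable `std::io::BorrowedCursor::as_mut` follows the same rule, which is why it is an `unsafe fn` even though the cast itself is layout-trivial.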
Commits 3b8b8ad to 2305012: …d to safe code In the playground the example program terminates with an unpredictable exit code. The undefined behavior is also detected by miri: error: Undefined Behavior: using uninitialized data
@bors r+ rollup
…iaskrgr Rollup of 6 pull requests

Successful merges:

- rust-lang#130289 (docs: Permissions.readonly() also ignores root user special permissions)
- rust-lang#134583 (docs: `transmute<&mut T, &mut MaybeUninit<T>>` is unsound when exposed to safe code)
- rust-lang#134611 (Align `{i686,x86_64}-win7-windows-msvc` to their parent targets)
- rust-lang#134629 (compiletest: Allow using a specific debugger when running debuginfo tests)
- rust-lang#134642 (Implement `PointerLike` for `isize`, `NonNull`, `Cell`, `UnsafeCell`, and `SyncUnsafeCell`.)
- rust-lang#134660 (Fix spacing of markdown code block fences in compiler rustdoc)

r? `@ghost`
`@rustbot` modify labels: rollup
Rollup merge of rust-lang#134583 - Enselic:maybe-uninit-transmute, r=workingjubilee

docs: `transmute<&mut T, &mut MaybeUninit<T>>` is unsound when exposed to safe code

Closes rust-lang#66699

On my system (Edit: And also in the [playground](https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=90529e2a9900599cb759e4bfaa5b5efe)) the example program terminates with an unpredictable exit code:

```console
$ cargo +nightly build && target/debug/bin ; echo $?
255
$ cargo +nightly build && target/debug/bin ; echo $?
253
```

And miri considers the code to have undefined behavior:

```console
$ cargo +nightly miri run
error: Undefined Behavior: using uninitialized data, but this operation requires initialized memory
  --> src/main.rs:12:24
   |
12 |     std::process::exit(*code); // UB! Accessing uninitialized memory
   |                        ^^^^^ using uninitialized data, but this operation requires initialized memory
   |
error: aborting due to 1 previous error
```