diff options
| author | León Orell Valerian Liehr <me@fmease.dev> | 2024-05-22 23:41:11 +0200 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2024-05-22 23:41:11 +0200 |
| commit | ab9e0a72ef51122a1b0bbf88b7e738baaccf68d6 (patch) | |
| tree | d70f08cc26aa14bb0cdf2000a0f84236d583073f | |
| parent | 22f5bdc42b06e0719eda6e3e23f28fe5493b2305 (diff) | |
| parent | 7c76eec30ff6cdb00b234896f6e0c5b76ef7143f (diff) | |
| download | rust-ab9e0a72ef51122a1b0bbf88b7e738baaccf68d6.tar.gz rust-ab9e0a72ef51122a1b0bbf88b7e738baaccf68d6.zip | |
Rollup merge of #125043 - RalfJung:ref-type-safety-invariant, r=scottmcm
reference type safety invariant docs: clarification The old text could have been read as saying that you can call a function if these requirements are upheld, which is definitely not true as they are an underapproximation of the actual safety invariant. I removed the part about functions relaxing the requirements via their documentation... this seems incoherent with saying that it may actually be unsound to ever temporarily violate the requirement. Furthermore, a function *cannot* just relax this for its return value, that would in general be unsound. And the part about "unsafe code in a safe function may assume these invariants are ensured of arguments passed by the caller" also interacts with relaxing things: clearly, if the invariant has been relaxed, unsafe code cannot rely on it any more. There may be a place to give general guidance on what kinds of function contracts can exist, but the reference type is definitely not the right place to write that down. I also took a clarification from https://github.com/rust-lang/rust/pull/121965 that is orthogonal to the rest of that PR. Cc ```@joshlf``` ```@scottmcm```
| -rw-r--r-- | library/core/src/primitive_docs.rs | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/library/core/src/primitive_docs.rs b/library/core/src/primitive_docs.rs index 8283fdc459b..5989bcbcc52 100644 --- a/library/core/src/primitive_docs.rs +++ b/library/core/src/primitive_docs.rs @@ -1476,14 +1476,17 @@ mod prim_usize {} /// /// For instance, this means that unsafe code in a safe function may assume these invariants are /// ensured of arguments passed by the caller, and it may assume that these invariants are ensured -/// of return values from any safe functions it calls. In most cases, the inverse is also true: -/// unsafe code must not violate these invariants when passing arguments to safe functions or -/// returning values from safe functions; such violations may result in undefined behavior. Where -/// exceptions to this latter requirement exist, they will be called out explicitly in documentation. +/// of return values from any safe functions it calls. +/// +/// For the other direction, things are more complicated: when unsafe code passes arguments +/// to safe functions or returns values from safe functions, they generally must *at least* +/// not violate these invariants. The full requirements are stronger, as the reference generally +/// must point to data that is safe to use at type `T`. /// /// It is not decided yet whether unsafe code may violate these invariants temporarily on internal /// data. As a consequence, unsafe code which violates these invariants temporarily on internal data -/// may become unsound in future versions of Rust depending on how this question is decided. +/// may be unsound or become unsound in future versions of Rust depending on how this question is +/// decided. /// /// [allocated object]: ptr#allocated-object #[stable(feature = "rust1", since = "1.0.0")] |