authorMatthias Krüger <matthias.krueger@famsik.de>2024-09-29 20:17:35 +0200
committerGitHub <noreply@github.com>2024-09-29 20:17:35 +0200
commit1d452037793ce9ca4694baedd0a29a4aefdc78ab (patch)
tree3446fc52802fb615a9e01807620ec12de88cfb5b /library/core/src/alloc
parent42ff2eedb0585e32e3e8da0e83ff82dd49987a2c (diff)
parent896ccaa8acddcca4f44b7627210533d0f77459df (diff)
Rollup merge of #123932 - adamse:global-alloc-safety-preconds-positive, r=tgross35
restate GlobalAlloc method safety preconditions in terms of what the caller has to do for greater clarity
Diffstat (limited to 'library/core/src/alloc')
-rw-r--r--library/core/src/alloc/global.rs32
1 files changed, 17 insertions, 15 deletions
diff --git a/library/core/src/alloc/global.rs b/library/core/src/alloc/global.rs
index a6f799c4a7d..68f00d07529 100644
--- a/library/core/src/alloc/global.rs
+++ b/library/core/src/alloc/global.rs
@@ -124,8 +124,8 @@ pub unsafe trait GlobalAlloc {
     ///
     /// # Safety
     ///
-    /// This function is unsafe because undefined behavior can result
-    /// if the caller does not ensure that `layout` has non-zero size.
+    /// `layout` must have non-zero size. Attempting to allocate for a zero-sized `layout` may
+    /// result in undefined behavior.
     ///
     /// (Extension subtraits might provide more specific bounds on
     /// behavior, e.g., guarantee a sentinel address or a null pointer
@@ -156,14 +156,14 @@ pub unsafe trait GlobalAlloc {
     ///
     /// # Safety
     ///
-    /// This function is unsafe because undefined behavior can result
-    /// if the caller does not ensure all of the following:
+    /// The caller must ensure:
     ///
-    /// * `ptr` must denote a block of memory currently allocated via
-    ///   this allocator,
+    /// * `ptr` is a block of memory currently allocated via this allocator and,
     ///
-    /// * `layout` must be the same layout that was used
-    ///   to allocate that block of memory.
+    /// * `layout` is the same layout that was used to allocate that block of
+    ///   memory.
+    ///
+    /// Otherwise undefined behavior can result.
     #[stable(feature = "global_alloc", since = "1.28.0")]
     unsafe fn dealloc(&self, ptr: *mut u8, layout: Layout);
 
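Review bot: The first bullet, `* `ptr` is a block of memory currently allocated via this allocator and,`, describes the pointer as if it were the block itself; the removed text said `ptr` must *denote* such a block, which is the precise precondition, and the distinction matters because a dangling or already-freed pointer is exactly the case this bullet exists to exclude. The trailing `and,` followed by a blank line also reads oddly. Suggest `* `ptr` points to a block of memory currently allocated via this allocator, and`. The `dealloc` doc comment starts before this hunk.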
@@ -172,7 +172,8 @@ pub unsafe trait GlobalAlloc {
     ///
     /// # Safety
     ///
-    /// This function is unsafe for the same reasons that `alloc` is.
+    /// The caller has to ensure that `layout` has non-zero size. Like `alloc`
+    /// zero sized `layout` can result in undefined behaviour.
     /// However the allocated block of memory is guaranteed to be initialized.
     ///
     /// # Errors
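Review bot: The new `alloc_zeroed` safety text spells `behaviour` while the other hunks in this same commit write `undefined behavior` (the `alloc` and `dealloc` hunks), and it is missing the comma after `Like `alloc`` and the hyphen in `zero sized` that the `alloc` hunk uses. Suggest `/// The caller has to ensure that `layout` has non-zero size. Like `alloc`,` followed by `/// a zero-sized `layout` can result in undefined behavior.`. The same `behaviour` spelling appears in the `realloc` hunk's line `If these are not followed, undefined behaviour can result.`. The enclosing doc comment and the `alloc_zeroed` signature lie outside this hunk.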
@@ -220,20 +221,21 @@ pub unsafe trait GlobalAlloc {
     ///
     /// # Safety
     ///
-    /// This function is unsafe because undefined behavior can result
-    /// if the caller does not ensure all of the following:
+    /// The caller must ensure that:
     ///
-    /// * `ptr` must be currently allocated via this allocator,
+    /// * `ptr` is allocated via this allocator,
     ///
-    /// * `layout` must be the same layout that was used
+    /// * `layout` is the same layout that was used
     ///   to allocate that block of memory,
     ///
-    /// * `new_size` must be greater than zero.
+    /// * `new_size` is greater than zero.
     ///
     /// * `new_size`, when rounded up to the nearest multiple of `layout.align()`,
-    ///   must not overflow `isize` (i.e., the rounded value must be less than or
+    ///   does not overflow `isize` (i.e., the rounded value must be less than or
     ///   equal to `isize::MAX`).
     ///
+    /// If these are not followed, undefined behaviour can result.
+    ///
     /// (Extension subtraits might provide more specific bounds on
     /// behavior, e.g., guarantee a sentinel address or a null pointer
     /// in response to a zero-size allocation request.)
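Review bot: The rewritten bullet `* `ptr` is allocated via this allocator,` drops the word `currently` that the removed line carried, which silently weakens the precondition: a pointer that was allocated by this allocator and has since been freed still reads as satisfying it, whereas the `dealloc` hunk in this commit keeps `currently allocated`. Suggest `* `ptr` is currently allocated via this allocator,` so `realloc` and `dealloc` state the same requirement. The following bullet still says `that block of memory` even though this bullet no longer mentions a block, which `points to a block of memory currently allocated via this allocator` would also repair. The `realloc` signature follows after the hunk.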