author: Alex Crichton <alex@alexcrichton.com> 2017-08-22 14:36:49 -0700
committer: Alex Crichton <alex@alexcrichton.com> 2017-08-28 08:06:52 -0700
commit: b6f554b6dc972608761db93a375bcb0e89155e1d (patch)
tree: 4543e921c025346532151af3a5ec8ae5b8666447 /src/liballoc/allocator.rs
parent: a24e0f25d7a0ac793b37eb4db353d5f9f2befc97 (diff)
std: Mark allocation functions as nounwind
This commit flags all allocation-related functions in liballoc as "this can't
unwind" which should largely resolve the size-related issues found on #42808.
The documentation on the trait was updated with such a restriction (they can't
panic) as well as some other words about the relative instability about
implementing a bullet-proof allocator.

Closes #42808
Diffstat (limited to 'src/liballoc/allocator.rs')
-rw-r--r-- src/liballoc/allocator.rs | 23
1 files changed, 23 insertions, 0 deletions
diff --git a/src/liballoc/allocator.rs b/src/liballoc/allocator.rs
index fc6585a9f95..c7177029011 100644
--- a/src/liballoc/allocator.rs
+++ b/src/liballoc/allocator.rs
@@ -464,6 +464,29 @@ impl fmt::Display for CannotReallocInPlace {
 ///  * if a layout `k` fits a memory block (denoted by `ptr`)
 ///    currently allocated via an allocator `a`, then it is legal to
 ///    use that layout to deallocate it, i.e. `a.dealloc(ptr, k);`.
+///
+/// # Unsafety
+///
+/// The `Alloc` trait is an `unsafe` trait for a number of reasons, and
+/// implementors must ensure that they adhere to these contracts:
+///
+/// * Pointers returned from allocation functions must point to valid memory and
+///   retain their validity until at least the instance of `Alloc` is dropped
+///   itself.
+///
+/// * It's undefined behavior if global allocators unwind.  This restriction may
+///   be lifted in the future, but currently a panic from any of these
+///   functions may lead to memory unsafety. Note that as of the time of this
+///   writing allocators *not* intending to be global allocators can still panic
+///   in their implementation without violating memory safety.
+///
+/// * `Layout` queries and calculations in general must be correct. Callers of
+///   this trait are allowed to rely on the contracts defined on each method,
+///   and implementors must ensure such contracts remain true.
+///
+/// Note that this list may get tweaked over time as clarifications are made in
+/// the future. Additionally global allocators may gain unique requirements for
+/// how to safely implement one in the future as well.
 pub unsafe trait Alloc {
 
     // (Note: existing allocators have unspecified but well-defined
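Review bot: The first bullet under `# Unsafety` ("retain their validity until at least the instance of `Alloc` is dropped itself") leaves out the ordinary end of a block's lifetime, deallocation through `dealloc`, which the preceding bullet about layout `k` and `a.dealloc(ptr, k)` already describes; suggest "must point to valid memory and remain valid until they are deallocated or the instance of `Alloc` is dropped, whichever comes first". In the unwind bullet, the diffstat shows this change is documentation only, so it would help readers to say explicitly that the "can't unwind" contract is what the `nounwind` marking from the commit message relies on, and that an implementor of a global allocator therefore cannot use `panic!` as an error path; the wording "as of the time of this writing" and "in the future" appears three times in the block and can be reduced to a single closing sentence.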