From 5e082af6817dfa72a3ce6cf89b723ef6dd7585fc Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 25 Aug 2019 12:17:22 +0200 Subject: [PATCH 01/10] adjust for current reality wrt. wide raw pointers --- src/what-unsafe-does.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 49cf121..36b3488 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -16,8 +16,7 @@ to your program. You definitely *should not* invoke Undefined Behavior. Unlike C, Undefined Behavior is pretty limited in scope in Rust. All the core language cares about is preventing the following things: -* Dereferencing (using the `*` operator on) dangling, or unaligned pointers, or - wide pointers with invalid metadata (see below) +* Dereferencing (using the `*` operator on) dangling or unaligned pointers (see below) * Breaking the [pointer aliasing rules][] * Unwinding into another language * Causing a [data race][race] @@ -36,6 +35,7 @@ language cares about is preventing the following things: `isize::MAX` bytes in memory * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for `Trait` that matches the actual dynamic trait the reference points to + * a wide raw pointer that has invalid metadata (see above) * a `str` that isn't valid UTF-8 * an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from [uninitialized memory][] From 9cf4a9a6f1526eb3c5acc325e0d849de8f340aa3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 25 Aug 2019 12:36:08 +0200 Subject: [PATCH 02/10] clarify, also cover Box --- src/what-unsafe-does.md | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 36b3488..2f90e99 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -29,13 +29,12 @@ language cares about is preventing the following things: * a null `fn` pointer * a `char` outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF] * a `!` (all values are invalid for this type) - * a reference that is dangling, unaligned, points to an invalid value, or - that has invalid metadata (if wide) + * a reference/`Box` that is dangling, unaligned, or points to an invalid value. + * a wide reference, `Box` or raw pointer that has invalid metadata: * slice metadata is invalid if the slice has a total size larger than `isize::MAX` bytes in memory * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for `Trait` that matches the actual dynamic trait the reference points to - * a wide raw pointer that has invalid metadata (see above) * a `str` that isn't valid UTF-8 * an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from [uninitialized memory][] From 61b001f52ce2b375c6a7e65231e386f2ebde1a5b Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Sun, 25 Aug 2019 22:45:52 +0200 Subject: [PATCH 03/10] Oxford Co-Authored-By: Mazdak Farrokhzad --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 2f90e99..d83f78c 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -30,7 +30,7 @@ language cares about is preventing the following things: * a `char` outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF] * a `!` (all values are invalid for this type) * a reference/`Box` that is dangling, unaligned, or points to an invalid value. - * a wide reference, `Box` or raw pointer that has invalid metadata: + * a wide reference, `Box`, or raw pointer that has invalid metadata: * slice metadata is invalid if the slice has a total size larger than `isize::MAX` bytes in memory * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for From 8db5ad17bfc5c573023760f174bfd896d9a2c0fb Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Aug 2019 19:51:20 +0200 Subject: [PATCH 04/10] fix slice wide ptr metadata --- src/what-unsafe-does.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index d83f78c..242c26a 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -29,15 +29,15 @@ language cares about is preventing the following things: * a null `fn` pointer * a `char` outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF] * a `!` (all values are invalid for this type) + * an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from + [uninitialized memory][] * a reference/`Box` that is dangling, unaligned, or points to an invalid value. * a wide reference, `Box`, or raw pointer that has invalid metadata: - * slice metadata is invalid if the slice has a total size larger than - `isize::MAX` bytes in memory * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for `Trait` that matches the actual dynamic trait the reference points to + * slice metadata is invalid if the length is not a valid `usize` + (i.e., it must not be read from uninitialized memory) * a `str` that isn't valid UTF-8 - * an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from - [uninitialized memory][] * a type with custom invalid values that is one of those values, such as a `NonNull` that is null. (Requesting custom invalid values is an unstable feature, but some stable libstd types, like `NonNull`, make use of it.) From 78c247398f8c5069447af68dcc838a5469d60e24 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Aug 2019 19:53:23 +0200 Subject: [PATCH 05/10] note on not-too-large slices --- src/what-unsafe-does.md | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 242c26a..78d936a 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -50,8 +50,10 @@ points to are part of the same allocation (so in particular they all have to be part of *some* allocation). The span of bytes it points to is determined by the pointer value and the size of the pointee type. As a consequence, if the span is empty, "dangling" is the same as "non-null". Note that slices point to their -entire range, so it's very important that the length metadata is never too -large. If for some reason this is too cumbersome, consider using raw pointers. +entire range, so it's very important that the length metadata is never too large +(in particular, allocations and therefore slices cannot be bigger than +`isize::MAX` bytes). If for some reason this is too cumbersome, consider using +raw pointers. That's it. That's all the causes of Undefined Behavior baked into Rust. Of course, unsafe functions and traits are free to declare arbitrary other From 5287c526f77776587c5cfd4a8565ac7b8f9f9aa7 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 26 Aug 2019 20:04:47 +0200 Subject: [PATCH 06/10] fix noun --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 78d936a..b369509 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -34,7 +34,7 @@ language cares about is preventing the following things: * a reference/`Box` that is dangling, unaligned, or points to an invalid value. * a wide reference, `Box`, or raw pointer that has invalid metadata: * `dyn Trait` metadata is invalid if it is not a pointer to a vtable for - `Trait` that matches the actual dynamic trait the reference points to + `Trait` that matches the actual dynamic trait the pointer or reference points to * slice metadata is invalid if the length is not a valid `usize` (i.e., it must not be read from uninitialized memory) * a `str` that isn't valid UTF-8 From c6bf198f75127d862e15cb711c5549844765bb27 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 27 Aug 2019 12:51:53 +0200 Subject: [PATCH 07/10] adjust fn unwinding clause to match reference --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index b369509..093d69f 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -18,7 +18,7 @@ language cares about is preventing the following things: * Dereferencing (using the `*` operator on) dangling or unaligned pointers (see below) * Breaking the [pointer aliasing rules][] -* Unwinding into another language +* Calling a function with the wrong call ABI (in particular, with the wrong unwind ABI). * Causing a [data race][race] * Executing code compiled with [target features][] that the current thread of execution does not support From d3a5f5b21d15e96bf985460ef93b86b78e6df9f3 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Tue, 27 Aug 2019 19:05:42 +0200 Subject: [PATCH 08/10] impove wording Co-Authored-By: gnzlbg --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 093d69f..23aa82f 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -18,7 +18,7 @@ language cares about is preventing the following things: * Dereferencing (using the `*` operator on) dangling or unaligned pointers (see below) * Breaking the [pointer aliasing rules][] -* Calling a function with the wrong call ABI (in particular, with the wrong unwind ABI). +* Calling a function with the wrong call ABI or wrong unwind ABI. * Causing a [data race][race] * Executing code compiled with [target features][] that the current thread of execution does not support From 04823fd22bf954ffb5d705aba5733c01e85423f7 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Mon, 9 Sep 2019 18:54:24 +0200 Subject: [PATCH 09/10] use agreed-upon wording --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 23aa82f..2caf62e 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -18,7 +18,7 @@ language cares about is preventing the following things: * Dereferencing (using the `*` operator on) dangling or unaligned pointers (see below) * Breaking the [pointer aliasing rules][] -* Calling a function with the wrong call ABI or wrong unwind ABI. +* Calling a function with the wrong call ABI or unwinding from a function with the wrong unwind ABI. * Causing a [data race][race] * Executing code compiled with [target features][] that the current thread of execution does not support From d176807b2ebabdd522886eaf8133c29ccd500778 Mon Sep 17 00:00:00 2001 From: Ralf Jung Date: Wed, 11 Sep 2019 19:12:28 +0200 Subject: [PATCH 10/10] Update src/what-unsafe-does.md Co-Authored-By: Mazdak Farrokhzad --- src/what-unsafe-does.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/what-unsafe-does.md b/src/what-unsafe-does.md index 2caf62e..7f13f93 100644 --- a/src/what-unsafe-does.md +++ b/src/what-unsafe-does.md @@ -50,7 +50,7 @@ points to are part of the same allocation (so in particular they all have to be part of *some* allocation). The span of bytes it points to is determined by the pointer value and the size of the pointee type. As a consequence, if the span is empty, "dangling" is the same as "non-null". Note that slices point to their -entire range, so it's very important that the length metadata is never too large +entire range, so it's important that the length metadata is never too large (in particular, allocations and therefore slices cannot be bigger than `isize::MAX` bytes). If for some reason this is too cumbersome, consider using raw pointers.