@ -23,25 +23,25 @@ language cares about is preventing the following things:
* Causing a [data race][race]
* Causing a [data race][race]
* Executing code compiled with [target features][] that the current thread of execution does
* Executing code compiled with [target features][] that the current thread of execution does
not support
not support
* Producing invalid primitive values (either alone or as a field of a compound
* Producing invalid values (either alone or as a field of a compound type such
type such as `enum`/`struct`/array/tuple):
as `enum`/`struct`/array/tuple):
* a `bool` that isn't 0 or 1
* a `bool` that isn't 0 or 1
* an undefined `enum` discriminant
* an `enum` with an invalid discriminant
* null `fn` pointers
* a null `fn` pointer
* a `char` outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF]
* a `char` outside the ranges [0x0, 0xD7FF] and [0xE000, 0x10FFFF]
* a `!` (all values are invalid for this type)
* a `!` (all values are invalid for this type)
* dangling/unaligned references, references that do themselves point to
* a reference that is dangling, unaligned, points to an invalid value, or
invalid values, or wide references (to a dynamically sized type) with
that has invalid metadata (if wide)
invalid metadata
* slice metadata is invalid if the slice has a total size larger than
* slice metadata is invalid if the slice has a total size larger than
`isize::MAX` bytes in memory
`isize::MAX` bytes in memory
* `dyn Trait` metadata is invalid if it is not a pointer to a vtable for
* `dyn Trait` metadata is invalid if it is not a pointer to a vtable for
`Trait` that matches the actual dynamic trait the reference points to
`Trait` that matches the actual dynamic trait the reference points to
* a non-utf8 `str`
* a `str` that isn't valid UTF-8
* an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from
* an integer (`i*`/`u*`), floating point value (`f*`), or raw pointer read from
[uninitialized memory][]
[uninitialized memory][]
* an invalid library type with custom invalid values, such as a `NonNull` or
* a type with custom invalid values that is one of those values, such as a
the `NonZero` family of types, that is 0
`NonNull` that is null. (Requesting custom invalid values is an unstable
feature, but some stable libstd types, like `NonNull`, make use of it.)
"Producing" a value happens any time a value is assigned, passed to a
"Producing" a value happens any time a value is assigned, passed to a
function/primitive operation or returned from a function/primitive operation.
function/primitive operation or returned from a function/primitive operation.
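Review bot: the rewritten last bullet, "a type with custom invalid values that is one of those values", reads as a tautology, and it drops the `NonZero` family example the old wording carried. The new parenthetical says only that *some* stable libstd types use this feature, so keeping a second example shows it is not specific to `NonNull`; suggest something like `* a value of a type with custom invalid values that is one of those values, such as a null `NonNull` or a zero in the `NonZero` family`. Related: the reference bullet now ends with "that has invalid metadata (if wide)" while the old gloss "(to a dynamically sized type)" was removed, so "wide" is no longer explained anywhere in this hunk; either keep the gloss or tie the parenthetical to the slice and `dyn Trait` sub-bullets that immediately follow, which are the only place the metadata rules are spelled out.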
@ -50,7 +50,9 @@ A reference/pointer is "dangling" if it is null or not all of the bytes it
points to are part of the same allocation (so in particular they all have to be
points to are part of the same allocation (so in particular they all have to be
part of *some* allocation). The span of bytes it points to is determined by the
part of *some* allocation). The span of bytes it points to is determined by the
pointer value and the size of the pointee type. As a consequence, if the span is
pointer value and the size of the pointee type. As a consequence, if the span is
empty, "dangling" is the same as "non-null".
empty, "dangling" is the same as "non-null". Note that slices point to their
entire range, so it's very important that the length metadata is never too
large. If for some reason this is too cumbersome, consider using raw pointers.
That's it. That's all the causes of Undefined Behavior baked into Rust. Of
That's it. That's all the causes of Undefined Behavior baked into Rust. Of
course, unsafe functions and traits are free to declare arbitrary other
course, unsafe functions and traits are free to declare arbitrary other
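Review bot: the unchanged context sentence `if the span is empty, "dangling" is the same as "non-null"` contradicts the definition at the top of this hunk. A pointer is dangling if it is null *or* not all of its bytes lie in one allocation; with an empty span the second condition cannot fail, so for an empty span "dangling" is the same as "null" (equivalently, non-dangling is the same as non-null). Since the hunk already edits this paragraph, suggest fixing that sentence here. In the added text, "the length metadata is never too large" is ambiguous next to the earlier slice sub-bullet about `isize::MAX`; the requirement being introduced is the one from the definition, that the slice's whole range must stay inside the allocation, so say that directly, e.g. `so the length must never extend past the allocation the slice points into`. Finally, "consider using raw pointers" leaves the reader to work out why that helps; state the reason visible in the list above, namely that the dangling/validity requirement is placed on references, whereas the raw-pointer bullet only concerns reads from uninitialized memory.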