fix Nomicon transmute UB

pull/219/head
Ralf Jung 5 years ago committed by Alexis Beingessner
parent d1517d4e3f
commit c94172314b

@ -12,17 +12,29 @@ to have the same size. The ways to cause Undefined Behavior with this are mind
boggling. boggling.
* First and foremost, creating an instance of *any* type with an invalid state * First and foremost, creating an instance of *any* type with an invalid state
is going to cause arbitrary chaos that can't really be predicted. is going to cause arbitrary chaos that can't really be predicted. Do not
transmute `3` to `bool`. Even if you never *do* anything with the `bool`. Just
don't.
* Transmute has an overloaded return type. If you do not specify the return type * Transmute has an overloaded return type. If you do not specify the return type
it may produce a surprising type to satisfy inference. it may produce a surprising type to satisfy inference.
* Making a primitive with an invalid value is UB * Transmuting an & to &mut is UB.
* Transmuting between non-repr(C) types is UB * Transmuting an & to &mut is *always* UB.
* Transmuting an & to &mut is UB * No you can't do it.
* Transmuting an & to &mut is *always* UB * No you're not special.
* No you can't do it
* No you're not special
* Transmuting to a reference without an explicitly provided lifetime * Transmuting to a reference without an explicitly provided lifetime
produces an [unbounded lifetime] produces an [unbounded lifetime]
* When transmuting between different compound types, you have to make sure they
are laid out the same way! If layouts differ, the wrong fields are going to
get filled with the wrong data, which will make you unhappy and can also be UB
(see above).
So how do you know if the layouts are the same? For `repr(C)` types and
`repr(transparent)` types, layout is precisely defined. But for your
run-of-the-mill `repr(Rust)`, it is not. Even different instances of the same
generic type can have wildly different layout. `Vec<i32>` and `Vec<u32>`
*might* have their fields in the same order, or they might not. The details of
what exactly is and is not guaranteed for data layout are still being worked
out over [at the UCG WG][ucg-layout].
[`mem::transmute_copy<T, U>`][transmute_copy] somehow manages to be *even more* [`mem::transmute_copy<T, U>`][transmute_copy] somehow manages to be *even more*
wildly unsafe than this. It copies `size_of<U>` bytes out of an `&T` and wildly unsafe than this. It copies `size_of<U>` bytes out of an `&T` and
@ -30,10 +42,12 @@ interprets them as a `U`. The size check that `mem::transmute` has is gone (as
it may be valid to copy out a prefix), though it is Undefined Behavior for `U` it may be valid to copy out a prefix), though it is Undefined Behavior for `U`
to be larger than `T`. to be larger than `T`.
Also of course you can get most of the functionality of these functions using Also of course you can get all of the functionality of these functions using raw
pointer casts. pointer casts or `union`s, but without any of the lints or other basic sanity
checks. Raw pointer casts and `union`s do not magically avoid the above rules.
[unbounded lifetime]: unbounded-lifetimes.html [unbounded lifetime]: unbounded-lifetimes.html
[transmute]: ../std/mem/fn.transmute.html [transmute]: ../std/mem/fn.transmute.html
[transmute_copy]: ../std/mem/fn.transmute_copy.html [transmute_copy]: ../std/mem/fn.transmute_copy.html
[ucg-layout]: https://rust-lang.github.io/unsafe-code-guidelines/layout.html

Loading…
Cancel
Save