-
Notifications
You must be signed in to change notification settings - Fork 9
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Alignment is not accounted for #22
Comments
It may be possible salvage the safety guarantees you want to provide by using explicit unaligned loads: https://doc.rust-lang.org/std/ptr/fn.read_unaligned.html |
@BurntSushi Thanks for the finding. Admittedly, this crate tends to sail through some murky laundry-eating waters. I recall that a previous version of the crate would perform the check with I made a few tests that would read unaligned slices in #21. They all seem to pass, but I understand that this doesn't prove memory safety (good behaviour in UB is still possible...). |
This seems plausible, yes. Note that I am not an expert in Rust's UB. Honestly, probably very few people are, because we don't have a formal semantics for it yet. I would strongly urge you to put a warning somewhere around this crate that it hasn't been thoroughly vetted, but that such vetting would be welcome. :-) In general, I like the ideas motivating this crate, but I think we need to be super careful about what we're claiming is safe and what isn't. |
Emphatically, yes. And it may vary by platform. |
Indeed. @nabijaczleweli can you work on this?
I agree. This crate emerged with some exciting use cases, but once the first versions were laid out, we did realize that making it safe was not very trivial. The feedback from better informed members of the community has been invaluable so far, and I hope to ensure that this never hits 1.0.0 until we're sure that the non- |
Was
Cool and good. (Timing: post-PRs and pre-release.)
Well, since we've merged some magenta changes into |
That's not quite how semver works though. 0-major versions are pre-releases, so breaking changes are always permitted. I wouldn't also underestimate the message that we are passing with a major release. The Rust API guidelines also suggest that a library should avoid launching a major release until all of its dependencies are also "stable" (>=1.0.0) releases. Even if we're placing a message in the documentation, I really don't want to give users of this crate this false sense of security. |
That 0-major thing sounds like a specialcase and specialcases are the incarnation of satan itself :angery: The Rust API Guidelines? Where is that? Also, "avoid launching pre-release till all deps are >= 1.0.0" makes little sense. Also, Anyway, re: #21. If you're really opposed to always running the tests (which, I admit, may be kinda dicey), we can mark them as |
On phone right now, so I'll be brief:
|
Released in |
As far as I can tell, alignment isn't accounted for at all in this crate. You seem to assert that converting a
*const u8
to a*const T
is OK even whenT
has an alignment greater than1
. For example, yourguarded_transmute
function checks the sizes, but not alignment, and then proceeds to dereference a*const T
pointer even though it might have an alignment greater than1
. That's UB. This is then used as an implementation of functions likeguarded_transmute_pod
to declare that it is safe, but it is in fact not safe.The text was updated successfully, but these errors were encountered: