transmute: caution against int2ptr transmutation #122379
Conversation
rustbot
added
S-waiting-on-review
m-ou-se
added
S-waiting-on-author
|
@scottmcm should this go through t-lang FCP? |
RalfJung
force-pushed
the
int2ptr-transmute
branch
from
be28971
to
90a5a6c
Compare
|
I would prefer to see something here that indicates that it is specifically not possible to round-trip pointers through transmuting to an integer type and back, because that is the pattern that people do in the wild. |
|
I would consider this an inevitable conclusion from the Provenance RFC's acceptance (i.e. not requiring FCP). |
This is currently implied by:
Are you saying that roundtrips should be mentioned more explicitly? Sure, I can do that. |
RalfJung
force-pushed
the
int2ptr-transmute
branch
from
90a5a6c
to
d3299af
Compare
We could declare that ptr2int transmute "exposes" the pointer and int2ptr transmute makes it pick up an exposed provenance similar to I'd prefer if we didn't do that, though. |
|
If "transmute is semantically equivalent to a bitwise move of one type into another", then how would we rationalize the operation being different from a pointer load without changing the definition of transmute? |
|
We'd rationalize this as a hack in the transmute intrinsic that is intended to keep old code working -- code that made wrong assumptions about the Rust memory model at a time when there were no reliable docs about which assumptions one could make.
|
|
Ah, we'd burn down the performance of Rust programs because they did undefined behavior! I see, I see. Wait, what? |
|
I don't think this would impact the performance of any "good" programs. After all with I didn't say it's an option I like, I just said it's a possible option and the docs added here are not an inevitable conclusion of Rust having provenance on pointers but not integers. |
|
I suppose I can concede that much, and will simply say that I would strongly prefer we not seriously entertain any ideas that are technically valid but involve deeply undermining an understanding of how programs will be compiled. |
|
I believe Ralf is referring to reverting #121282. Before that PR, |
I brought this up briefly in lang triage today, @RalfJung. Meeting consensus was that we don't need checkboxes for it. If you/opsem are happy with the description, we're happy to land stuff since the RFC about having provenance was approved. |
RalfJung
added
T-opsem
|
Okay let's do t-opsem FCP then. @rustbot fcp merge |
|
Oh, wrong bot. |
|
Team member @RalfJung has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
rfcbot
added
the
proposed-final-comment-period
RalfJung
force-pushed
the
int2ptr-transmute
branch
from
474f071
to
f4adb1e
Compare
rfcbot
added
finished-final-comment-period
|
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
bors
added
S-waiting-on-bors
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc `@saethlin` `@scottmcm` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
…iaskrgr Rollup of 6 pull requests Successful merges: - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122895 (add some ice tests 5xxxx to 9xxxx) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) - rust-lang#122952 (Miri subtree update) r? `@ghost` `@rustbot` modify labels: rollup
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ``@saethlin`` ``@scottmcm`` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#116016 (Soft-destabilize `RustcEncodable` & `RustcDecodable`, remove from prelude in next edition) - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#116016 (Soft-destabilize `RustcEncodable` & `RustcDecodable`, remove from prelude in next edition) - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) r? `@ghost` `@rustbot` modify labels: rollup
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ````@saethlin```` ````@scottmcm```` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
…kingjubilee Rollup of 13 pull requests Successful merges: - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#121940 (Mention Register Size in `#[warn(asm_sub_register)]`) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122460 (Rework rmake support library API) - rust-lang#122797 (Fix compile of wasm64-unknown-unknown target) - rust-lang#122875 (CFI: Support self_cell-like recursion) - rust-lang#122879 (CFI: Strip auto traits off Virtual calls) - rust-lang#122895 (add some ice tests 5xxxx to 9xxxx) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122923 (In `pretty_print_type()`, print `async fn` futures' paths instead of spans.) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122963 (core/panicking: fix outdated comment) r? `@ghost` `@rustbot` modify labels: rollup
…iaskrgr Rollup of 9 pull requests Successful merges: - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122840 (`rustdoc --test`: Prevent reaching the maximum size of command-line by using files for arguments if there are too many) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) - rust-lang#122963 (core/panicking: fix outdated comment) r? `@ghost` `@rustbot` modify labels: rollup
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc `````@saethlin````` `````@scottmcm````` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
Rollup merge of rust-lang#122379 - RalfJung:int2ptr-transmute, r=m-ou-se transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
transmute: caution against int2ptr transmutation This came up in rust-lang#121282. Cc ```@saethlin``` ```@scottmcm``` Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.
…iaskrgr Rollup of 9 pull requests Successful merges: - rust-lang#121281 (regression test for rust-lang#103626) - rust-lang#122168 (Fix validation on substituted callee bodies in MIR inliner) - rust-lang#122217 (Handle str literals written with `'` lexed as lifetime) - rust-lang#122379 (transmute: caution against int2ptr transmutation) - rust-lang#122840 (`rustdoc --test`: Prevent reaching the maximum size of command-line by using files for arguments if there are too many) - rust-lang#122907 (Uniquify `ReError` on input mode in canonicalizer) - rust-lang#122942 (Add test in higher ranked subtype) - rust-lang#122943 (add a couple more ice tests) - rust-lang#122963 (core/panicking: fix outdated comment) r? `@ghost` `@rustbot` modify labels: rollup
This came up in #121282.
Cc @saethlin @scottmcm
Eventually we'll add a proper description of provenance that we can reference, but that's a bunch of work and it's unclear who will have the time to do that when. Meanwhile, let's at least do what we can without mentioning provenance explicitly.