Skip to content

Doc: MaybeUninit::assume_init_read Safety: warn on thread safety #148398

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Doc: MaybeUninit::assume_init_read Safety: warn on thread safety #148398

wants to merge 1 commit into from
+39 −0

Conversation

@gksato
Copy link

@gksato gksato commented Nov 2, 2025
edited
Loading

Fixes #148083.

Due to impl<T: Sync> Sync for MaybeUninit<T>,
MaybeUninit::assume_init_read is prone to the illegal use transferring ownership of !Send + Sync value across threads. This PR adds a warning on this thread safety problem to the method's Safety section. This PR also adds two code examples related to this problem.

On the bad case code example: I wish I could use something better than MutexGuard<'_, u32>, because I wasn't able to produce Miri-detectable UB. core::sync::Exclusive<&Cell<u32>> would be nice, but it's unstable.

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Nov 2, 2025
@rustbot
Copy link
Collaborator

rustbot commented Nov 2, 2025

r? @scottmcm

rustbot has assigned @scottmcm.
They will have a look at your PR within the next two weeks and either review your PR or reassign to another reviewer.

Use r? to explicitly pick a reviewer

@rustbot

This comment has been minimized.

Sign in to view
@gksato
Doc: MaybeUninit::assume_init_read Safety: warn on thread safety
1033c71 
Due to `impl<T: Sync> Sync for MaybeUninit<T>`,
`MaybeUninit::assume_init_read` is prone to the illegal use transferring
ownership of `!Send + Sync` value across threads. This commit adds a
warning on this thread safety problem to the method's Safety section.
This commit also adds two code examples related to this problem.
@gksato gksato force-pushed the 148083_maybe_uninit_read_thread_safety_doc branch from bf0ca0c to 1033c71 Compare November 2, 2025 12:06
@gksato gksato changed the title Doc: MaybeUninit::assume_init_read Safety: warn on thread safety Doc: MaybeUninit::assume_init_read Safety: warn on thread safety (fix of #148083) Nov 2, 2025
@gksato gksato changed the title Doc: MaybeUninit::assume_init_read Safety: warn on thread safety (fix of #148083) Doc: MaybeUninit::assume_init_read Safety: warn on thread safety Nov 2, 2025
@gksato
Copy link
Author

gksato commented Nov 4, 2025

@rustbot label A-docs I-unsound

@rustbot rustbot added A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels Nov 4, 2025
@gksato
Copy link
Author

gksato commented Nov 4, 2025
edited
Loading

@rustbot label -I-unsound -I-prioritize

@rustbot rustbot removed I-unsound Issue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness I-prioritize Issue: Indicates that prioritization has been requested for this issue. labels Nov 4, 2025
@gksato
Copy link
Author

gksato commented Nov 8, 2025
edited
Loading

Is it worth adding the following, or something similar?

Note that, if you duplicate the ownership of a non-Copy value with this function (most typically, by calling assume_init_* after this without calling write), it constitutes a fundamental breakage of Rust's safety constraint. In that case, neither Send or Sync can guarantee thread safety.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

@scottmcm scottmcm

Labels

A-docs Area: Documentation for any part of the project, including the compiler, standard library, and tools S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Add MaybeUninit::assume_init_read Safety constraint: it can easily break !Send invariant

3 participants

@gksato @rustbot @scottmcm