Move PhantomData<T> from Shared<T> to users of both Shared and #[may_dangle] #46749

Merged
merged 1 commit into from Dec 19, 2017

Contributor

SimonSapin commented Dec 15, 2017

After discussing #27730 (comment) today with @pnkfelix and @Gankro, we concluded that it’s ok for drop checking not to be much smarter than the current #[may_dangle] design which requires an explicit unsafe opt-in.

See reasoning below: #46749 (comment)

rust-highfive Dec 15, 2017

Collaborator

Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @joshtriplett (or someone else) soon.

If any changes to this PR are deemed necessary, please add them as extra commits. This ensures that the reviewer can see what has changed since they last reviewed the code. Due to the way GitHub handles out-of-date commits, this should also make it reasonably obvious what issues have or haven't been addressed. Large or tricky changes may require several passes of review and changes.

Please see the contribution instructions for more information.

joshtriplett Dec 15, 2017

Member

The code as written looks to me like a correct implementation of the change the commit message describes.

For the actual question of whether the change the commit message describes seems reasonable, could I get some additional confirmation from @nikomatsakis or @aturon?

Apart from that, the Travis build seems to have failed. Looks like the tidy check failed? @SimonSapin, can you please take a look at that and make sure it passes?

Contributor

nikomatsakis commented Dec 16, 2017

Gankro Dec 16, 2017

Contributor

(on phone)

So our meeting with @arielby boiled down to the following:

PhantomData does 3 things:

  • variance
  • owns
  • auto trait opt outs

If you make struct<T> you’ll get a warning if T isn’t used (suggesting PhantomData?). If you toss in that PhantomData<T> you’re good to go. Ok good.

If you use *mut T, you get invariance and opt out of all autotraits. Safe, good! But you don’t get owns.

If you opt to do *const and then cast to mut, then you get covariance but this is so very unergonomic that the only reason to do this is to explicitly get covariance. So that’s fine.

In either case you get no warning to use PhantomData. So dropck is fundamentally very easy to get wrong while also being incredibly obscure.

However this unsafety has been temporarily resolved by the fact that the non-parametric dropck rfc moved to safe defaults, where the presence of a generic argument implies “owns T”. And there’s no way to sneak in interesting lifetimes without being generic over them!

Now “owns T” only matters if you use the unsafe eyepatch, which is a great place to teach the user “hey if you do this, you should add a bunch of “owns” annotations.”

So Shared owning T potentially blocks using it with the eyepatch (or its replacement) and shared not owning T isn’t really a major footgun.

All that remained was to agree that we weren’t willing to take a 5th shot at trying to make a “smart and safe” dropck. Everyone in the meeting agreed it was time to give up on such an endeavour.
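
The variance and auto-trait behaviour described in the comment above, as an added example for stable Rust (not code from this PR or from the standard library). The names `RawMut`, `RawConst`, `Marker`, `OwningPtr`, `Probe` and `Fallback` are constructed for illustration; the "owns" role is only noted in a comment because `#[may_dangle]` needs a nightly compiler.

```rust
use std::cell::Cell;
use std::marker::PhantomData;

// Constructed wrapper types; the names are illustrative and not from the PR.
#[allow(dead_code)]
pub struct RawMut<T>(*mut T); // invariant in T, not Send, not Sync
#[allow(dead_code)]
pub struct RawConst<T>(*const T); // covariant in T, not Send, not Sync
#[allow(dead_code)]
pub struct Marker<T>(PhantomData<T>); // covariant in T, auto traits follow T
// Pointer plus marker: `_owns` is what tells dropck "owns T". It only changes
// the outcome when Drop is implemented with the nightly-only #[may_dangle].
#[allow(dead_code)]
pub struct OwningPtr<T> { ptr: *const T, _owns: PhantomData<T> }

// Variance: these bodies type-check only because the type is covariant in T.
// The same signature over RawMut is rejected by the compiler (invariance).
pub fn shorten_const<'s, 'l: 's>(p: RawConst<&'l u8>) -> RawConst<&'s u8> { p }
pub fn shorten_owning<'s, 'l: 's>(p: OwningPtr<&'l u8>) -> OwningPtr<&'s u8> { p }

// Auto-trait probe on stable Rust: an inherent associated const wins over a
// trait default, and the inherent impl applies only when its bound holds.
#[allow(dead_code)]
pub struct Probe<T: ?Sized>(PhantomData<T>);
pub trait Fallback { const SEND: bool = false; const SYNC: bool = false; }
impl<T: ?Sized> Fallback for Probe<T> {}
impl<T: ?Sized + Send> Probe<T> { pub const SEND: bool = true; }
impl<T: ?Sized + Sync> Probe<T> { pub const SYNC: bool = true; }
macro_rules! auto_traits {
    ($t:ty) => { (stringify!($t), <Probe<$t>>::SEND, <Probe<$t>>::SYNC) };
}

// (type name, is Send, is Sync) for each constructed wrapper.
pub fn report() -> [(&'static str, bool, bool); 5] {
    [
        auto_traits!(RawMut<u8>),
        auto_traits!(RawConst<u8>),
        auto_traits!(Marker<u8>),
        auto_traits!(Marker<Cell<u8>>),
        auto_traits!(OwningPtr<u8>),
    ]
}

fn main() {
    for (ty, send, sync) in report().iter() {
        println!("{:<24} Send={:<5} Sync={}", ty, send, sync);
    }
}
```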

Move PhantomData<T> from Shared<T> to users of both Shared and #[may_…
…dangle]

After discussing [1] today with @pnkfelix and @Gankro,
we concluded that it’s ok for drop checking not to be much smarter
than the current `#[may_dangle]` design which requires an explicit
unsafe opt-in.

[1] #27730 (comment)

SimonSapin Dec 16, 2017

Contributor

“Eyepatch” refers to the #[may_dangle] attribute that I mention in the commit message: https://github.com/rust-lang/rfcs/blob/master/text/1327-dropck-param-eyepatch.md


Thanks @joshtriplett, I pushed an amended commit that should fix the build.

nikomatsakis Dec 18, 2017

Contributor

I find this logic persuasive. It'd be nice if we could have it documented somewhere very central.

nikomatsakis Dec 18, 2017

Contributor

@bors r+

I'm not sure what level of "governance r+" is needed here, but given that this is an unstable feature, it seems like relatively minimal, and I think all the key stakeholders have been involved here. I'll r+ -- if anyone objects, we could do some sort of FCP period I suppose.

bors Dec 18, 2017

Contributor

📌 Commit 60dc104 has been approved by nikomatsakis

bors Dec 19, 2017

Contributor

⌛️ Testing commit 60dc104 with merge b39c4bc...

bors added a commit that referenced this pull request Dec 19, 2017

Auto merge of #46749 - SimonSapin:exorcism, r=nikomatsakis
Move PhantomData<T> from Shared<T> to users of both Shared and #[may_dangle]

After discussing #27730 (comment) today with @pnkfelix and @Gankro, we concluded that it’s ok for drop checking not to be much smarter than the current `#[may_dangle]` design which requires an explicit unsafe opt-in.

bors Dec 19, 2017

Contributor

☀️ Test successful - status-appveyor, status-travis
Approved by: nikomatsakis
Pushing b39c4bc to master...

@bors bors merged commit 60dc104 into rust-lang:master Dec 19, 2017

@SimonSapin SimonSapin deleted the SimonSapin:exorcism branch Mar 30, 2018
