Make raw ptr ops unsafe in const contexts #55009
Conversation
rust-highfive
added
the
S-waiting-on-review
This comment has been minimized.
This comment has been minimized.
|
The job Click to expand the log.I'm a bot! I can only do what humans tell me to, so if this was not helpful or you have suggestions for improvements, please ping or otherwise contact |
|
Before I go look at the code, a high-level remark: Doesn't this need an RFC or so? Seems like we are slowly deciding on what to do about "unconst", and that's new language design. |
src/librustc_mir/build/mod.rs
Outdated
| } else { | ||
| build::construct_const(cx, body_id, return_ty_span) | ||
| match cx.body_owner_kind { | ||
| hir::BodyOwnerKind::Fn | hir::BodyOwnerKind::Closure => { |
There was a problem hiding this comment.
You could reduce the diff and rightwards drift here (and above) my using if let hir::BodyOwnerKind::Fn | hir::BodyOwnerKind::Closure = ....
There was a problem hiding this comment.
I don't think that's possible. Or is this a new feature?
There was a problem hiding this comment.
Ah, it's an unstable feature. Never mind then.
| _ => {}, | ||
| } | ||
| } | ||
| // raw pointer and fn pointer operations are unsafe |
There was a problem hiding this comment.
This one (unlike the above) is temporary, right? miri could do all of them. That might be worth noting.
There was a problem hiding this comment.
they'll stay unsafe, as you cannot compare the order of pointers to different allocations during const eval.
There was a problem hiding this comment.
Okay, the (in)equality operations need to remain unsafe. The only other binop is Offset and that only occurs in generated MIR which, I guess, doesn't go through this check.
Please add a comment why this is unsafe.
|
Just some minors nits in the code, but I am a little concerned about process here. I mean this is all unstable so I guess we have some lee-way, but you did plan to move this through RFC eventually, did you not? @Centril you are more familiar with process, what do you think? |
These are unstable features. We'll need an RFC for the const soundness rules I guess, but once we have that, this is just something that needs an FCP to best of my knowledge |
| } | ||
| } | ||
| }, | ||
| // casting pointers to ints is unsafe in const fn |
There was a problem hiding this comment.
Please add a comment explaining why.
This seems fine to me since it is unstable and allows for some experimentation on nightly (always useful with some usage experience data). Just as long as we are not making any commitments here. However, I'd like to check in with the rest of the team before doing this. @rfcbot poll lang Can we do this experimentally before introducing an RFC? |
|
Team member @Centril has asked teams: T-lang, for consensus on:
|
|
r=me with the nits fixed and when T-lang agrees. |
|
☔ The latest upstream changes (presumably #55134) made this pull request unmergeable. Please resolve the merge conflicts. |
|
☔ The latest upstream changes (presumably #55069) made this pull request unmergeable. Please resolve the merge conflicts. |
oli-obk
added
T-lang
|
(in hindsight i wish we had taken the opportunity with the edition shift to make a whole bunch of casting stuff require |
|
My feeling is this: I am mildly positive on this general direction and willing to approve this particular PR. I do however remain uncertain about the idea of overloading However, I am becoming increasingly nervous about the procedure. Basically the same thing that @RalfJung called out here:
For example, in order to figure out what this PR is doing, I have to look at the tests -- there doesn't appear to be any write-up of any kind, even on the PR, much less in something like an RFC. I'm wary of winding up in a situation where our behavior is not well understood apart from the implementation -- imagine if the next Uber comes along to scoop up @oli-obk and @RalfJung and we poor saps were left to puzzle it out on our own! =) Another bad scenario i'd like to avoid is a lot of piecemeal RFCs making small edits — those can make it really hard to understand the "overall vision" if you're not following closely. To be clear, I'm really critiquing how the lang-team (and Rust team) is functioning more than the consts stuff per se. For example, I feel like there are similar problems around the NLL working group etc, where we ought to be writing up more of the "small decisions" and arriving at a more complete spec. At least consts has the https://github.com/rust-rfcs/const-eval/ repository, which in and of itself is a good start. I don't entirely know how I think things should be working. I think what I'd like to see is something like the process that I proposed in my blog post. Basically, there would be active discussions on the https://github.com/rust-rfcs/const-eval/ repository on the detailed points. When a rough consensus is reached, it might be surfaced for broader feedback. In this context, I would feel pretty good about "live experimentation" on master, so long as the design is sufficiently feature-gated. I feel like most of the lang team doesn't really have time to be involved in the nitty gritty, but would maybe like to discuss the "big picture" stuff (to be fair, also, this RFC falls to some extent in that "big picture" category, particularly with respect to whether |
|
The reason I opened this PR out of nowhere is that I didn't know how to proceed on this topic. Opening a piecemeal RFC for just these two ops felt wrong, too. Additionally these two are the only operations that are unconst but safe. I am kind of lost on how to proceed. There's no good way of creating a big picture discussion that doesn't immediately dive into discussions about the small pieces. Collecting the small pieces one by one is missing the big picture. There was some discussion about So we (meaning @RalfJung ) started building some documents in the const-eval repo. The relevant document for this PR is https://github.com/rust-rfcs/const-eval/blob/master/const_safety.md We can of course build an image of what we want over there, but what's the endgame? Will we dump all of these as a massive RFC? Start splitting them up again for smaller RFCs? Maybe eRFCs for PRs like this so we can try out stuff? I wanna do this right, but I don't know how to communicate the problems and features in a way that
|
|
@oli-obk I also don't know the full answer, so don't worry! As I said, I didn't mean my comment as criticism of you in the slightest. First off, I didn't know about the document pertaining to this, thanks for the link! As I said, the const effort is way ahead of the rest of us. ;) Regarding the challenge of achieving those three objects, I think the only answer is that we have to have an iterative process. I think I would feel good about something like this:
Basically, I think where our current RFC process often goes wrong is that we wind up trying to get full consensus before we start implementing. I would rather see if we can get full consensus on the need to experiment, and also rough consensus on the things we wish to learn from the experiment -- i.e., if we're not sure whether This of course presumes a working group. I suspect we could form up a working group of "people who want to build stuff with const generics" pretty quickly. |
|
I opened a tracking issue and rebased the PR. |
This comment has been minimized.
This comment has been minimized.
|
From T-Lang's POV, we can go ahead with this now since it would have been FCP-completed by now if I had used |
oli-obk
force-pushed
the
const_safety
branch
2 times, most recently
from
bfee610
to
eee155c
Compare
|
@bors r=RalfJung |
|
📌 Commit aedc3a5 has been approved by |
bors
added
S-waiting-on-bors
|
⌛ Testing commit aedc3a5 with merge ade22eda01eb7678ea6d1abfbb51461973ae2438... |
|
💔 Test failed - status-appveyor |
bors
added
S-waiting-on-review
|
@bors retry AppVeyor screwed up a bit. |
bors
added
S-waiting-on-bors
|
☀️ Test successful - checks-travis, status-appveyor |
|
📣 Toolstate changed by #55009! Tested on commit 51cc3cd. 💔 clippy-driver on windows: test-pass → build-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra). |
Tested on commit rust-lang/rust@51cc3cd. Direct link to PR: <rust-lang/rust#55009> 💔 clippy-driver on windows: test-pass → build-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra). 💔 clippy-driver on linux: test-pass → build-fail (cc @Manishearth @llogiq @mcarton @oli-obk, @rust-lang/infra).
| Node::Expr(&Expr { node: ExprKind::Closure(..), .. }) => { | ||
| BodyOwnerKind::Closure | ||
| } | ||
| node => bug!("{:#?} is not a body node", node), |
There was a problem hiding this comment.
This currently breaks Clippy in clippy_lints/src/utils/mod.rs:
pub fn in_constant(cx: &LateContext<'_, '_>, id: NodeId) -> bool {
let parent_id = cx.tcx.hir().get_parent(id);
match cx.tcx.hir().body_owner_kind(parent_id) {
hir::BodyOwnerKind::Fn | hir::BodyOwnerKind::Closure => false,
hir::BodyOwnerKind::Const | hir::BodyOwnerKind::Static(..) => true,
}
}This is because it is called on an enum variant here: clippy_lints/src/non_copy_const.rs. self.get(id) returns Node::Item(Item { node: ItemKind::Enum(..), .. })
Should this function really produce an ICE if the node isn't one of the above. I think the previous approach of just assuming it is a function is also wrong. Maybe another variant for BodyOwnerKind would be better (BodyOwnerKind::Other?)
I would be happy to open a PR if this refactor should be done. Otherwise I'll try to fix this in Clippy.
cc @oli-obk
There was a problem hiding this comment.
We could make it return an Option, but I'm not sure if that is desirable. We didn't want to know whether something was a function, closure or something else, we just wanted to know whether it is a constant or static.
In the end I decided to just check for const/static manually: https://github.com/rust-lang/rust-clippy/pull/3685/files
r? @RalfJung
cc @Centril