What's the source of immutability for pointers produced by const?
#502
Comments
RalfJung
added
the
A-aliasing-model
My idea is that the |
|
That's definitely not entirely true, as the const-AM also produces But I was hoping that we wouldn't have to talk about this in the spec and could derive it all from shared references being immutable... |
That's not quite true, |
That's a quirk of Stacked Borrows that is not shared by Tree Borrows and that I think we want to get rid of. For the purpose of SB, we do consider that code to implicitly create a shared reference ( |
This is already possible in tree borrows, because it allows const CONSTANT: &i32 = &42;
unsafe { transmute::<&i32, &mut i32>(CONSTANT) }to get the exact same effect as const MUTABLE: &mut i32 = unsafe { transmute(&42) };
MUTABLEIMHO both should be allowed. |
|
That text you quote was talking about const MUTABLE: &mut i32 = &mut 15;This is currently caught by const-checking but the way it works is somewhat indirect and relies on non-local invariants about the structure of MIR, so I'd prefer for it not to be soundness-bearing. Also Right now it's sound because the mutability check at interning time catches this. If we remove this check, we need an argument for why it is UB to write to that reference. |
|
How about making a rule that at the end of each initializer scope, an implicit reference is performed to every byte of every constant allocation, be that the main |
|
Creating a reference doesn't make that memory immutable for all accesses. It's only memory accesses through that reference (and everything derived from it) that become immutable. Creating a reference and then immediately discarding it and never using it again is a NOP. (Well, almost: it's a read access, but that's it. It has no lasting effect.) |
|
FWIW, the reference already contains wording like this:
I always considered that temporary, and intended to remove it once we have figured out our aliasing story. But this means that nominally, "all pointers that come out of |
But all mutable pointers in the |
No, why would they? Under Tree Borrows some mutable pointers would get frozen, namely if the access is done with a foreign tag and the pointer is already activated (in the 2-phase sense). But I don't see why this would apply to all pointers. If we do a magic thing with everything that comes out of a |
|
I meant a foreign read like so: const PTR: *mut i32 = {
let ptr = const_allocate(4, 4) as *mut i32;
ptr.write(42);
ptr
};becomes const PTR: *mut i32 = {
let magically_remembered_pointer: *mut u8;
let result = {
let ptr = {
magically_remembered_pointer = const_allocate(4, 4);
magically_remembered_pointer
} as *mut i32;
ptr.write(42);
ptr
}
// Magic reads:
&*magically_remembered_pointer.add(0);
&*magically_remembered_pointer.add(1);
&*magically_remembered_pointer.add(2);
&*magically_remembered_pointer.add(3);
result
}Phrasing it like this means that we don't need to introduce a new source of immutability. But the specific wording doesn't matter, as you point out. Related: can this code be made to compile? const VAL: &'static i32 = {
let val = Box::new_in(42, Constant);
let val = Box::leak(val);
&*val
}; |
Let's not discuss const_allocate here, that has a too high risk of derailing the discussion. The tracking issue is at rust-lang/rust#79597. |
We do, though. If |
|
Ah yes, whoops. Please think of magically_remembered_pointer
} as *mut i32;in the above as let guarded = (&mut *magically_remembered_pointer) as *mut u8;
guarded.write(/* undef */);
guarded
} as *mut i32; |
|
Yeah that would work. But I think we went far enough down this rabbit hole to also demonstrate why I don't think that is the most elegant approach. ;) |
|
What are you talking about, the above is a totally elegant and clean way to solve this 😄. I just wanted to slightly weaken the downsides you pointed out, cause I'd love to have this. As rust-lang/rust#123254 demonstrated, working around the current limitations just leads to way worse code. |
|
rust-lang/rust#123254 needs const_heap though so that's anyway somewhat of a different topic. If we remain strict on immutability we could add a |
If a
const(item or expression) contains references and pointers, then what is their mutability (or more generally, their status in the aliasing model)?It seems fairly clear that we want them to be immutable. It's called "const(ant)" after all, and also constants are values but we deduplicate the underlying storage, which would be bad news if anything is mutable.
Currently we're doing our best to make this an implementation detail: const-eval tracks the actual mutability of a pointer, and interning bails out if a mutable pointer makes it into the final value. That means all the pointers in the final value are anyway already immutable.
But there's an alternative: we can say that the transition from a const result to a value embedded in other computations (that may themselves be const computations, or they may happen at runtime) makes all pointers (or, equivalently, the memory they point to) immutable.
This has several advantages:
const_allocateresults can more easily be used to create constants without running into issues like this.It also has several downsides:
&mutvalues in consts. If an&mutvalue ends up in the result of a const, the new rules would say that despite it being a mutable reference, it actually is an immutable pointer. We can catch some cases where that happens, but if people get creative and e.g. smuggle out an&mutinside aMaybeUninit, there's a chance to cause UB.The downsides are why I added these checks in the first place, and they make me hesitant to un-do all that work. OTOH I did not see #493 coming, and it's undeniably useful to be able to do
const { &None }even when this is anOption<Cell<T>>.Cc @rust-lang/wg-const-eval, this issue is an the intersection of opsem and const-eval.
The text was updated successfully, but these errors were encountered: