Ch. 20: Address soundness issues and introduce Miri #4062
Merged
+97
−25
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This was
linked to
issues
Oct 9, 2024
chriskrycho
force-pushed
the
unsafe-fixes
branch
3 times, most recently
from
19f8321
to
99d74db
Compare
Merged
Note: this requires Rust 1.82.0, and will be easiest to merge after that version is stabilized in two weeks. Since it is blocked on that anyway, I am also basing it on top of the listing changes.
- Add `SAFETY` documentation on the unsafe function and comments on the unsafe invocation in the code samples. - Discuss the soundness issues in more depth and explain the idiomatic use of those `SAFETY` comments.
We no longer get the raw pointers from references, although we *could*, because we can now use the raw pointer operator rather than an `as` cast and thus can get them directly from a variable in scope.
chriskrycho
force-pushed
the
unsafe-fixes
branch
from
99d74db
to
e934f31
Compare
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This makes three major changes to the unsafe section:
It uses the newly-stabilized1
&rawborrow operator to more safely get raw pointers, with&raw constand&raw mutrespectively. These provide a safe(r) way of getting raw pointers. These are part of the Rust effort to handle provenance correctly and thereby make unsafe safer and easier to work with—and while we’re not going to get into those details, this is definitely a better way to work than the castas *const i32andas *mut i32.It updates the
static mut COUNTERexample to use anunsafe fninstead of a safe function around anunsafeblock, since it is necessary for the caller to guarantee that the function is not called from multiple threads. To make the existing safe function actually safe, it would need to introduce some kind of locking mechanism, I think. Leaving it as an unsafe function gives us a nice opportunity to include// SAFETY: …comments, though, and thus to teach a bit more about idiomatic authoring and usage of unsafe code.It introduces Miri at the end of the section! I used Miri to investigate some of the issues folks had flagged up, and credit to the Miri team: it is very easy to use. The main thing I think we should think about here is whether we need more prose or explanation around installing nightly Rust.
Footnotes
as of Rust 1.82.0, which landed on 2024/10/16 ↩