|
| 1 | +- Feature Name: `project-safe-transmute` |
| 2 | +- Start Date: 2019-12-06 |
| 3 | +- RFC PR: [rust-lang/rfcs#0000](https://github.com/rust-lang/rfcs/pull/0000) |
| 4 | +- Rust Issue: [rust-lang/rust#0000](https://github.com/rust-lang/rust/issues/0000) |
| 5 | + |
| 6 | +# Summary |
| 7 | +[summary]: #summary |
| 8 | + |
| 9 | +To form a project group with the purpose of designing subsequent RFCs around the |
| 10 | +topic of safe transmute between types. |
| 11 | +* This RFC explicitly builds off of processes introduced in the [FFI unwinding project |
| 12 | +group RFC](https://github.com/rust-lang/rfcs/pull/2797/files) |
| 13 | +* The primary goal of the group is to determine how to replace most uses of |
| 14 | +[`std::mem::transmute`][transmute] with safe alternatives. |
| 15 | + * Subsequent goals may include extending other language features that are made possible |
| 16 | + with safe transmute including safe reading of union fields |
| 17 | + |
| 18 | +# Motivation |
| 19 | +[motivation]: #motivation |
| 20 | + |
| 21 | +Transmuting one type to another type and vice versa in Rust is extremely dangerous --- |
| 22 | +so much so that the docs for [std::mem::transmute][transmute] are essentially a long |
| 23 | +list of how to avoid doing so. However, transmuting is often times necessary especially |
| 24 | +in lower level contexts where copy of bytes is prohibitively expensive. For instance, |
| 25 | +in extremely performance-sensitive use cases, it may be necessary to transmute from |
| 26 | +bytes instead of explicitly copying bytes from a buffer into a struct. |
| 27 | + |
| 28 | +Because of this fact, [many][zerocopy] [external][safe-transmute] [crates][bytemuck] |
| 29 | +have been developed to tackle this issue, but no single crate has managed to solidify |
| 30 | +itself as a clear favorite in this space. Additionally, while it is possible to improve |
| 31 | +on unsafe transmute considerably in libraries, having such facilities in the standard |
| 32 | +library opens up the possibility of bringing safe constructs to even more currently |
| 33 | +unsafe features. |
| 34 | + |
| 35 | +For these reasons, we plan on learning from the prior art to implement a standard way of |
| 36 | +transmuting types in a safe way. |
| 37 | + |
| 38 | +## Details of the safe transmute project group |
| 39 | + |
| 40 | +[Repository][repository] |
| 41 | + |
| 42 | +Initial shepherds: |
| 43 | + |
| 44 | +* [rylev (Ryan)](https://github.com/rylev) |
| 45 | + |
| 46 | +Lang team liaisons: |
| 47 | + |
| 48 | +* [joshtriplett (Josh)](https://github.com/joshtriplett) |
| 49 | + |
| 50 | +### Charter |
| 51 | +[charter]: #charter |
| 52 | + |
| 53 | +The safe transmute project group has the following initial scope: |
| 54 | + |
| 55 | +* to define APIs for allowing zero copy transmute between types in a completely |
| 56 | + memory safe manner |
| 57 | + |
| 58 | +Once this scope has been reached, the team may continue working on features that are |
| 59 | +natural extensions of safe transmute like safe reading on union fields. |
| 60 | + |
| 61 | +### Constraints and considerations |
| 62 | + |
| 63 | +In its work, the project-group should consider various constraints and |
| 64 | +considerations: |
| 65 | + |
| 66 | +* That this feature is meant for performance sensitive workloads |
| 67 | +* That safety is of the upmost importance as there is already a way to |
| 68 | + transmute using unsafe APIs |
| 69 | + |
| 70 | +### Participation in the project group |
| 71 | + |
| 72 | +Like any Rust group, the safe transmute project group intends to operate |
| 73 | +in a public and open fashion and welcomes participation. Visit the |
| 74 | +[repository][repository] for more details. |
| 75 | + |
| 76 | +# Drawbacks |
| 77 | +[drawbacks]: #drawbacks |
| 78 | + |
| 79 | +* It is possible that the scope of this endeavor is not large enough to warrant a |
| 80 | + separate project group. |
| 81 | +* It can be argued that the design space has not been fully explored as evidenced by |
| 82 | + the many crates that address the issue without one being the clear "go to", and thus |
| 83 | + this issue should be left to libraries for further iteration. We believe that while |
| 84 | + there is no clear winner among existing crates, they are stable enough, small enough |
| 85 | + and share enough implementation characteristics to be ready for the community to |
| 86 | + rally around one design direction in the standard library. |
| 87 | + |
| 88 | +# Prior art |
| 89 | +[prior-art]: #prior-art |
| 90 | + |
| 91 | +The formation of the project group was first discussed in the [FFI unwind |
| 92 | +project group RFC][ffi unwind]. As is state in that RFC, this working group can be |
| 93 | +considered a precursor to the current ["shepherded project group" proposal][shepherd]. |
| 94 | + |
| 95 | +# Unresolved questions and Future possibilities |
| 96 | +[unresolved-questions]: #unresolved-questions |
| 97 | + |
| 98 | +Since this RFC merely formalizes the creation of the project group, it |
| 99 | +intentionally leaves all technical details within the project's scope |
| 100 | +unresolved. |
| 101 | + |
| 102 | +# Future possibilities |
| 103 | +[future-possibilities]: #future-possibilities |
| 104 | + |
| 105 | +The project group will start with a fairly [limited scope][charter], but if the |
| 106 | +initial effort to design and stabilize APIs for safe transmute between types, |
| 107 | +there is at least one other area that can be expanded upon by this group: safe reading |
| 108 | +of union fields. |
| 109 | + |
| 110 | +[transmute]: https://doc.rust-lang.org/std/mem/fn.transmute.html |
| 111 | +[ffi unwind]: https://github.com/rust-lang/rfcs/pull/2797 |
| 112 | +[zerocopy]: https://docs.rs/zerocopy |
| 113 | +[safe-transmute]: https://docs.rs/safe-transmute |
| 114 | +[bytemuck]: https://docs.rs/bytemuck |
| 115 | +[sheherd]: http://smallcultfollowing.com/babysteps/blog/2019/09/11/aic-shepherds-3-0/ |
| 116 | +[repository]: https://github.com/rust-lang/project-safe-transmute |
0 commit comments