UnsafePinned: allow aliasing of pinned mutable references #3467

Merged
merged 35 commits into from
Jun 18, 2024
Commits
35 commits
51bed0f
UnsafeAliased: port text from hackmd
RalfJung Aug 1, 2023
d599c1e
typos and nits
RalfJung Aug 1, 2023
c2bbec7
polyfill; Send/Sync question
RalfJung Aug 1, 2023
60ca0fa
remove some wrong cells
RalfJung Aug 2, 2023
6910494
detail example
RalfJung Aug 4, 2023
a1a05fb
Unpin hack migration plan
RalfJung Aug 4, 2023
a10d70c
remove stable feature gate
RalfJung Aug 5, 2023
9535a37
add alternative: drop aliasing rules for mutable references
RalfJung Aug 7, 2023
06b52df
link to real-world intrusive linked list example
RalfJung Aug 9, 2023
0369352
add get_mut_pinned method
RalfJung Aug 10, 2023
3e97a7e
fix typo
RalfJung Aug 15, 2023
a8f2516
add !Unpin impl to UnsafeAliased
RalfJung Aug 15, 2023
a55adde
add some links to prior discussions
RalfJung Sep 13, 2023
5f03b25
rename UnsafeAliased → UnsafePinned
RalfJung Nov 4, 2023
ce937b8
explain the naming choice
RalfJung Nov 4, 2023
60c255f
update UnsafeUnpin trait notes
RalfJung Nov 4, 2023
9881c94
explain why this is so much more awkward than UnsafeCell
RalfJung Nov 11, 2023
36b694d
be more clear about the soundness issues around '&mut UnsafePinned'
RalfJung Nov 25, 2023
7158ce2
also explain a non-alternative
RalfJung Nov 25, 2023
5ff0df8
fix a typo: mutation -> aliasing
RalfJung Nov 26, 2023
086412d
we should block niches
RalfJung Nov 26, 2023
7190a78
drawback: losing too much noalias
RalfJung Nov 28, 2023
d793712
elaborate on `Unpin + !UnsafeUnpin`
RalfJung Nov 28, 2023
9327537
fix typo
RalfJung Dec 22, 2023
86e0188
add example for why this is tied to pinning
RalfJung Feb 10, 2024
14b9019
update UnsafePinned docs regarding public API exposure
RalfJung Feb 11, 2024
5b2d690
Send and Sync
RalfJung Mar 10, 2024
1f31c7b
fix code example
RalfJung May 3, 2024
76a4035
make UnsafePinned derive Copy, Send, Sync
RalfJung May 3, 2024
bfb8c4b
expand back-compat note
RalfJung May 3, 2024
e98f367
add fixed code example
RalfJung May 29, 2024
474389f
add open question around naming
RalfJung May 29, 2024
3efb695
update filename and RFC number
RalfJung Jun 17, 2024
519aeb6
Clean up trailing whitespace
traviscross Jun 18, 2024
b950de5
Add tracking issue for RFC 3467
traviscross Jun 18, 2024
update UnsafePinned docs regarding public API exposure
RalfJung committed Feb 11, 2024
commit 14b9019c26a91960cd50a2d6ce49a484c260c250
18 changes: 10 additions & 8 deletions text/0000-unsafe-aliased.md
Expand Up @@ -192,13 +192,17 @@ Similarly, the intrusive linked list from the motivation can be fixed by wrappin
/// The type `UnsafePinned<T>` lets unsafe code violate
/// the rule that `&mut UnsafePinned<T>` may never alias anything else.
///
/// However, it is still very risky to have an `&mut UnsafePinned<T>` that aliases
/// However, even if you define your type like `pub struct Wrapper(UnsafePinned<...>)`,
/// it is still very risky to have an `&mut Wrapper` that aliases
/// anything else. Many functions that work generically on `&mut T` assume that the
/// memory that stores `T` is uniquely owned (such as `mem::swap`). In other words,
/// while having aliasing with `&mut UnsafePinned<T>` is not immediate Undefined
/// while having aliasing with `&mut Wrapper` is not immediate Undefined
/// Behavior, it is still unsound to expose such a mutable reference to code you do
/// not control!
/// Techniques such as pinning via `Pin` are needed to ensure soundness.
/// not control! Techniques such as pinning via `Pin` are needed to ensure soundness.
///
/// Similar to `UnsafeCell`, `UnsafePinned` will not usually show up in the public
/// API of a library. It is an internal implementation detail of libraries that
/// need to support aliasing mutable references.
///
/// Further note that this does *not* lift the requirement that shared references
/// must be read-only! Use `UnsafeCell` for that.
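Review bot: In the rewritten second paragraph, the risk statement now covers only `&mut Wrapper`, so the doc no longer says whether a bare aliased `&mut UnsafePinned<T>` handed to other code is equally unsound. The opening two lines still talk about `&mut UnsafePinned<T>`, so a reader can take the caveat as applying to wrappers only. Consider wording it as "an `&mut Wrapper` (or an `&mut UnsafePinned<T>` itself)" so both cases are covered. The paragraph also moves from "very risky" to "unsound" within two sentences; picking one term, and saying that the hazard is safe generic code such as `mem::swap` moving the value out from under the aliases, would make the soundness obligation easier to audit. Finally, the new "will not usually show up in the public API" paragraph pairs well with the `pub struct Wrapper(UnsafePinned<...>)` example, but it would help to state explicitly that the field stays private.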
Expand Down Expand Up @@ -227,10 +231,8 @@ impl<T: ?Sized> UnsafePinned<T> {

/// Get read-write access to the contents of an `UnsafePinned`.
///
/// If you need to use this function, something is likely going wrong.
/// Exposing an `&mut UnsafePinned` that aliases other pointers to code outside your
/// crate is unsound. Only `Pin<&mut UnsafePinned>` can be exposed soundly.
/// Use `get_mut_pinned` instead whenever possible!
/// You should usually be using `get_mut_pinned` instead to explicitly track
/// the fact that this memory is "pinned" due to there being aliases.
pub fn get_mut_unchecked(&mut self) -> *mut T {
ptr::addr_of_mut!(self.value)
}
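Review bot: The new doc text on `get_mut_unchecked` drops the explicit statement that exposing an aliased `&mut UnsafePinned` outside the crate is unsound and that only `Pin<&mut UnsafePinned>` can be exposed soundly, leaving only a recommendation to prefer `get_mut_pinned`. Since the method carries an `_unchecked` suffix and is a safe fn returning `*mut T`, its docs should say what is unchecked and what the caller must uphold before dereferencing the pointer. At minimum, add a pointer back to the type-level docs where the soundness caveat now lives. Without that, someone reading only this method's docs loses the warning entirely.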