From b9c15c5d3bfb503676fffccab69fe27c5b532283 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Mon, 14 Aug 2023 09:40:09 +0200
Subject: [PATCH 1/3] clarify safety documentation of ptr::swap and ptr::copy
---
 library/core/src/intrinsics.rs | 3 +++
 library/core/src/ptr/mod.rs | 3 +++
 2 files changed, 6 insertions(+)
diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs
index 9ef2c7cde02eb..84b9a3bba88e3 100644
--- a/library/core/src/intrinsics.rs
+++ b/library/core/src/intrinsics.rs
@@ -2709,6 +2709,9 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us
 ///
 /// * `dst` must be [valid] for writes of `count * size_of::()` bytes.
 ///
+/// * `src` must remain valid for reads even after `dst` is written, and vice versa.
+/// (In other words, there cannot be aliasing restrictions on the use of these pointers.)
+///
 /// * Both `src` and `dst` must be properly aligned.
 ///
 /// Like [`read`], `copy` creates a bitwise copy of `T`, regardless of
diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs
index 5f094ac4e7e64..f8badc4130dca 100644
--- a/library/core/src/ptr/mod.rs
+++ b/library/core/src/ptr/mod.rs
@@ -797,6 +797,9 @@ pub const fn slice_from_raw_parts_mut(data: *mut T, len: usize) -> *mut [T] {
 ///
 /// * Both `x` and `y` must be [valid] for both reads and writes.
 ///
+/// * `x` must remain valid for reads and writes even after `y` is read/written, and vice versa.
+/// (In other words, there cannot be aliasing restrictions on the use of these pointers.)
+///
 /// * Both `x` and `y` must be properly aligned.
 ///
 /// Note that even if `T` has size `0`, the pointers must be non-null and properly aligned.
From 0188b9cbb43c2631111281fad0624f8bb0538e3a Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Mon, 21 Aug 2023 13:54:03 +0200
Subject: [PATCH 2/3] try to clarify wording
---
 library/core/src/intrinsics.rs | 11 ++++++-----
 library/core/src/ptr/mod.rs | 7 +++----
 2 files changed, 9 insertions(+), 9 deletions(-)
diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs
index 84b9a3bba88e3..f7469008d7c00 100644
--- a/library/core/src/intrinsics.rs
+++ b/library/core/src/intrinsics.rs
@@ -2705,12 +2705,13 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * `src` must be [valid] for reads of `count * size_of::()` bytes.
-///
-/// * `dst` must be [valid] for writes of `count * size_of::()` bytes.
+/// * `src` must be [valid] for reads of `count * size_of::()` bytes, and must remain valid even
+/// if `dst` is written for `count * size_of::()` bytes. (This means if the memory ranges
+/// overlap, the two pointers must not be subject to aliasing restrictions relative to each
+/// other.)
 ///
-/// * `src` must remain valid for reads even after `dst` is written, and vice versa.
-/// (In other words, there cannot be aliasing restrictions on the use of these pointers.)
+/// * `dst` must be [valid] for writes of `count * size_of::()` bytes, and must remain valid even
+/// if `src` is read for `count * size_of::()` bytes.
 ///
 /// * Both `src` and `dst` must be properly aligned.
 ///
diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs
index f8badc4130dca..69d775075f369 100644
--- a/library/core/src/ptr/mod.rs
+++ b/library/core/src/ptr/mod.rs
@@ -795,10 +795,9 @@ pub const fn slice_from_raw_parts_mut(data: *mut T, len: usize) -> *mut [T] {
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * Both `x` and `y` must be [valid] for both reads and writes.
-///
-/// * `x` must remain valid for reads and writes even after `y` is read/written, and vice versa.
-/// (In other words, there cannot be aliasing restrictions on the use of these pointers.)
+/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even if the
+/// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
+/// be subject to aliasing restrictions relative to each other.)
 ///
 /// * Both `x` and `y` must be properly aligned.
 ///
From 4684ffaf2ac5c7bb1467baf4e7f01469488c8ef2 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 5 Sep 2023 17:20:31 +0200
Subject: [PATCH 3/3] if -> when
---
 library/core/src/intrinsics.rs | 4 ++--
 library/core/src/ptr/mod.rs | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/library/core/src/intrinsics.rs b/library/core/src/intrinsics.rs
index f7469008d7c00..639e33762cf6b 100644
--- a/library/core/src/intrinsics.rs
+++ b/library/core/src/intrinsics.rs
@@ -2706,12 +2706,12 @@ pub const unsafe fn copy_nonoverlapping(src: *const T, dst: *mut T, count: us
 /// Behavior is undefined if any of the following conditions are violated:
 ///
 /// * `src` must be [valid] for reads of `count * size_of::()` bytes, and must remain valid even
-/// if `dst` is written for `count * size_of::()` bytes. (This means if the memory ranges
+/// when `dst` is written for `count * size_of::()` bytes. (This means if the memory ranges
 /// overlap, the two pointers must not be subject to aliasing restrictions relative to each
 /// other.)
 ///
 /// * `dst` must be [valid] for writes of `count * size_of::()` bytes, and must remain valid even
-/// if `src` is read for `count * size_of::()` bytes.
+/// when `src` is read for `count * size_of::()` bytes.
 ///
 /// * Both `src` and `dst` must be properly aligned.
 ///
diff --git a/library/core/src/ptr/mod.rs b/library/core/src/ptr/mod.rs
index 69d775075f369..452800516f713 100644
--- a/library/core/src/ptr/mod.rs
+++ b/library/core/src/ptr/mod.rs
@@ -795,7 +795,7 @@ pub const fn slice_from_raw_parts_mut(data: *mut T, len: usize) -> *mut [T] {
 ///
 /// Behavior is undefined if any of the following conditions are violated:
 ///
-/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even if the
+/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the
 /// other pointer is written. (This means if the memory ranges overlap, the two pointers must not
 /// be subject to aliasing restrictions relative to each other.)
 ///
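Review bot: The final `ptr::swap` wording in the last hunk only requires the pointers to "remain valid even when the other pointer is written", yet `swap` also reads through each pointer, and the series' own `copy` contract in the same file set spells out the read direction for `dst` ("must remain valid even when `src` is read"); the first patch's `swap` text also said "read/written" before patch 2 narrowed it. If the aliasing model the `[valid]` link refers to treats a read through an overlapping pointer as invalidating a uniquely-derived sibling (as Miri's Stacked Borrows does, to my understanding), the current sentence understates the caller's obligation. I would change the two added lines to `/// * Both `x` and `y` must be [valid] for both reads and writes. They must remain valid even when the` / `/// other pointer is read or written. (This means if the memory ranges overlap, the two pointers must not` and keep the closing parenthetical as is. The `swap` signature and body lie below the hunk and are not visible here.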