UnsafePinned: also include the effects of UnsafeCell #140638
Open
+142
−19
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
|
The Miri subtree was changed cc @rust-lang/miri |
This comment has been minimized.
This comment has been minimized.
Sky9x
approved these changes
May 4, 2025
RalfJung
added
the
I-lang-nominated
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
b08491e to
66ca017
Compare
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
66ca017 to
bc8609c
Compare
traviscross
reviewed
May 5, 2025
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
bc8609c to
d87cf5a
Compare
9 tasks
This comment has been minimized.
This comment has been minimized.
RalfJung
force-pushed
the
unsafe-pinned-shared-aliased
branch
from
d87cf5a to
405c954
Compare
Sky9x
reviewed
May 5, 2025
| use std::pin::UnsafePinned; | ||
|
|
||
| fn mutate(x: &UnsafePinned<i32>) { | ||
| let ptr = x as *const _ as *mut i32; |
There was a problem hiding this comment.
shouldn't this go through UnsafeCell/UnsafePinned::get? https://doc.rust-lang.org/nightly/std/cell/struct.UnsafeCell.html#memory-layout
also maybe UnsafePinned::get should return a *mut T now...
There was a problem hiding this comment.
We're testing the aliasing model here so we want to see everything that happens in the code. This is not a doctest. :)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This tackles #137750 by including an
UnsafeCellinUnsafePinned, thus imbuing it with all the usual properties of interior mutability (nonoaliasnordereferenceableon shared refs, special treatment by Miri's aliasing model). The soundness issue is not fixed yet because coroutine lowering does not useUnsafePinned.The RFC said that
UnsafePinnedwould not permit mutability on shared references, but since then, #137750 has demonstrated that this is not tenable. In the face of those examples, I propose that we do the "obvious" thing and permit shared mutable state insideUnsafePinned. This seems loosely consistent with the fact that we allow going fromPin<&mut T>to&T(where the former can be aliased with other pointers that perform mutation, and hence the same goes for the latter) -- but theas_refexample shows that we in fact would need to add thisUnsafeCelleven if we didn't have a safe conversion to&T, since for the compiler and Miri,&TandPin<&T>are basically the same type.To make this possible, I had to remove the
CopyandCloneimpls forUnsafePinned.Tracking issue: #125735
Cc @rust-lang/lang @rust-lang/opsem @Sky9x
I don't think this needs FCP since the type is still unstable -- we'll finally decide whether we like this approach when
UnsafePinnedis moved towards stabilization (IOW, this PR is reversible). However, I'd still like to make sure that the lang team is okay with the direction I am proposing here.