[ptr] Document maximum allocation size #116675

Merged
merged 1 commit into from
May 14, 2024

joshlf
Contributor

@joshlf joshlf commented Oct 12, 2023

@rustbot
Collaborator

rustbot commented Oct 12, 2023

r? @joshtriplett

(rustbot has picked a reviewer for you, use r? to override)

@rustbot rustbot added S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Oct 12, 2023
@RalfJung
Member

RalfJung commented Nov 4, 2023

FCP passed in #116988 so you can now assume that null is 0 here.

@the8472
Member

the8472 commented Jan 14, 2024

These are fairly fundamental requirements of rust. Shouldn't they also go into the reference?

@RalfJung
Member

Yeah it's the usual issue where the stdlib docs is more likely to be actually visible but conceptually the reference is where this belongs. But given that this already defines "allocated object", this seems like a sensible place.

I think what is left here is uncontroversial:

> It is guaranteed that an allocated object never spans more than isize::MAX bytes.
> An allocated object cannot contain [null()] (i.e., the address with the numerical value 0) and cannot contain the last (usize::MAX) byte of the address space.

But let's ping some people and nominate to see if anyone disagrees.
Cc @rust-lang/opsem @rust-lang/lang

r? @RalfJung

@rustbot rustbot assigned RalfJung and unassigned joshtriplett Jan 22, 2024
@RalfJung RalfJung added T-lang Relevant to the language team, which will review and decide on the PR/issue. I-lang-nominated Nominated for discussion during a lang team meeting. and removed T-libs Relevant to the library team, which will review and decide on the PR/issue. labels Jan 22, 2024
@the8472
Member

the8472 commented Jan 22, 2024

> Yeah it's the usual issue where the stdlib docs is more likely to be actually visible but conceptually the reference is where this belongs.

There are those newfangled thingies called hyperlinks. 😉

Imo the reference should at least contain the requirement while std spells out the consequences of that. How it interacts with Layout, Allocator, pointer methods etc.

@RalfJung
Member

Where in the reference would you put this?

@the8472
Member

the8472 commented Jan 22, 2024

The type layout page already contains a section on size and alignment. The maximum allocation size could be specified there. Or maybe under the currently quite anemic memory model page.

@RalfJung
Member

> The type layout page already contains a section on size and alignment. The maximum allocation size could be specified there.

No that's definitely the wrong page, this guarantee has nothing to do with types nor layouts.

> Or maybe under the currently quite anemic memory model page.

Yeah that makes more sense. It's just hard to specify a memory model in a piecemeal way so it's somewhat unclear what one should say there.

@tmandry
Member

tmandry commented Jan 24, 2024

Discussed in lang team meeting.

@rfcbot merge

@rfcbot

rfcbot commented Jan 24, 2024

Team member @tmandry has proposed to merge this. The next step is review by the rest of the tagged team members:

No concerns currently listed.

Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
See this document for info about what commands tagged team members can give me.

@rfcbot rfcbot added proposed-final-comment-period Proposed to merge/close by relevant subteam, see T-<team> label. Will enter FCP once signed off. disposition-merge This issue / PR is in PFCP or FCP with a disposition to merge it. labels Jan 24, 2024
@bors
Contributor

bors commented May 13, 2024

📌 Commit be075d3 has been approved by scottmcm

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-team Status: Awaiting decision from the relevant subteam (see the T-<team> label). labels May 13, 2024
@RalfJung
Member

RalfJung commented May 13, 2024

@bors r-

Sorry, one last nit -- @joshlf can you squash the commits?

@bors bors added S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. and removed S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. labels May 13, 2024
@scottmcm
Member

Oh, good point Ralf. I didn't notice it's currently 9 commits.

@joshlf
Contributor Author

joshlf commented May 13, 2024

Done. You can see on the diff that the squash happened successfully without modifying the PR contents.

@scottmcm
Member

Thanks!

@bors r+ rollup

@bors
Contributor

bors commented May 13, 2024

📌 Commit 293b5cb has been approved by scottmcm

It is now in the queue for this repository.

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-author Status: This is awaiting some action (such as code changes or more information) from the author. labels May 13, 2024
jhpratt added a commit to jhpratt/rust that referenced this pull request May 14, 2024
bors added a commit to rust-lang-ci/rust that referenced this pull request May 14, 2024
Rollup of 5 pull requests

Successful merges:

 - rust-lang#116675 ([ptr] Document maximum allocation size)
 - rust-lang#124807 (Migrate `run-make/rustdoc-io-error` to `rmake.rs`)
 - rust-lang#124997 (Fix ICE while casting a type with error)
 - rust-lang#125072 (Add test for dynamic dispatch + Pin::new soundness)
 - rust-lang#125090 (Migrate fuchsia docs from `pm` to `ffx`)

r? `@ghost`
`@rustbot` modify labels: rollup
bors added a commit to rust-lang-ci/rust that referenced this pull request May 14, 2024
Rollup of 4 pull requests

Successful merges:

 - rust-lang#116675 ([ptr] Document maximum allocation size)
 - rust-lang#124997 (Fix ICE while casting a type with error)
 - rust-lang#125072 (Add test for dynamic dispatch + Pin::new soundness)
 - rust-lang#125090 (Migrate fuchsia docs from `pm` to `ffx`)

r? `@ghost`
`@rustbot` modify labels: rollup
@bors bors merged commit 74a78af into rust-lang:master May 14, 2024
6 checks passed
@rustbot rustbot added this to the 1.80.0 milestone May 14, 2024
rust-timer added a commit to rust-lang-ci/rust that referenced this pull request May 14, 2024
Rollup merge of rust-lang#116675 - joshlf:patch-10, r=scottmcm

[ptr] Document maximum allocation size

Partially addresses rust-lang/unsafe-code-guidelines#465
@apiraino apiraino removed the to-announce Announce this issue on triage meeting label May 16, 2024
@joshlf joshlf mentioned this pull request May 25, 2024
73 tasks
celinval pushed a commit to celinval/rust-dev that referenced this pull request Jun 4, 2024
Update Rust toolchain from nightly-2024-05-14 to nightly-2024-05-15
without any other source changes.
This is an automatically generated pull request. If any of the CI checks
fail, manual intervention is required. In such a case, review the
changes at https://github.com/rust-lang/rust from
rust-lang@ab14f94
up to
rust-lang@8387315.
The log for this commit range is:

Co-authored-by: tautschnig <1144736+tautschnig@users.noreply.github.com>
matthiaskrgr added a commit to matthiaskrgr/rust that referenced this pull request Jul 6, 2024
…Amanieu

offset_from, offset: clearly separate safety requirements the user needs to prove from corollaries that automatically follow

By landing rust-lang#116675 we decided that objects larger than `isize::MAX` cannot exist in the address space of a Rust program, which lets us simplify these rules.

For `offset_from`, we can even state that the *absolute* distance fits into an `isize`, and therefore exclude `isize::MIN`. This PR also changes Miri to treat an `isize::MIN` difference like the other isize-overflowing cases.
rust-timer added a commit to rust-lang-ci/rust that referenced this pull request Jul 6, 2024
Rollup merge of rust-lang#127275 - RalfJung:offset-from-isize-min, r=Amanieu

offset_from, offset: clearly separate safety requirements the user needs to prove from corollaries that automatically follow

By landing rust-lang#116675 we decided that objects larger than `isize::MAX` cannot exist in the address space of a Rust program, which lets us simplify these rules.

For `offset_from`, we can even state that the *absolute* distance fits into an `isize`, and therefore exclude `isize::MIN`. This PR also changes Miri to treat an `isize::MIN` difference like the other isize-overflowing cases.
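What the `isize::MAX` bound documented by this PR means for code that sizes buffers or measures pointer distances, as an added example that is not part of the PR or of the standard library's documentation. The helper names are hypothetical; the std calls (`Layout::from_size_align`, `Layout::array`, `Vec::try_reserve`, `offset_from`) are real, and the example assumes a toolchain on which `Layout` enforces the `isize::MAX` limit.

```rust
use std::alloc::Layout;

/// Largest size `Layout` accepts for `align`: the size rounded up to a
/// multiple of `align` must not exceed `isize::MAX`.
fn max_layout_size(align: usize) -> usize {
    assert!(align.is_power_of_two());
    isize::MAX as usize - (align - 1)
}

/// Whether `Layout` can describe an allocation of `size` bytes at `align`.
fn layout_accepts(size: usize, align: usize) -> bool {
    Layout::from_size_align(size, align).is_ok()
}

/// Byte size of `count` elements of `T`, or `None` when the product overflows
/// or exceeds what a single allocated object may span.
fn checked_alloc_bytes<T>(count: usize) -> Option<usize> {
    Layout::array::<T>(count).ok().map(|layout| layout.size())
}

/// `Vec` rejects a request above `isize::MAX` bytes before reaching the
/// allocator, so an attacker-influenced length cannot create such an object.
fn vec_refuses_oversized() -> bool {
    let mut v: Vec<u8> = Vec::new();
    v.try_reserve(isize::MAX as usize + 1).is_err()
}

/// Element distance between the two ends of a slice, via `offset_from`.
fn span_elems<T>(s: &[T]) -> isize {
    assert!(std::mem::size_of::<T>() != 0, "offset_from panics for ZSTs");
    let r = s.as_ptr_range();
    // SAFETY: both pointers come from the same slice, hence the same
    // allocated object. Because that object spans at most isize::MAX bytes,
    // the distance always fits in an isize; the caller need not prove it.
    unsafe { r.end.offset_from(r.start) }
}

fn main() {
    let top = isize::MAX as usize;
    println!("align 1: max {} accepted={}", max_layout_size(1), layout_accepts(top, 1));
    println!("one byte more accepted={}", layout_accepts(top + 1, 1));
    println!("u64 x usize::MAX -> {:?}", checked_alloc_bytes::<u64>(usize::MAX));
    println!("vec refuses oversized: {}", vec_refuses_oversized());
    println!("span of [u32; 3]: {}", span_elems(&[1u32, 2, 3]));
}
```

Routing untrusted element counts through `Layout::array` (or `try_reserve`) rejects oversized requests at the point of sizing, before any pointer arithmetic depends on the bound.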