-
Notifications
You must be signed in to change notification settings - Fork 59
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Decide on the validity invariant of integers, floats, bool, thin raw pointers, and char #439
Comments
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
Now again with T-opsem label... |
Team member @RalfJung has proposed to merge this. The next step is review by the rest of the tagged team members: No concerns currently listed. Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up! See this document for info about what commands tagged team members can give me. |
🔔 This is now entering its final comment period, as per the review above. 🔔 |
The final comment period, with a disposition to merge, as per the review above, is now complete. As the automated representative of the governance process, I would like to thank the author for their work and everyone else who contributed. This will be merged soon. |
I added this to https://github.com/rust-lang/opsem-team/blob/main/fcps.md, the issue can be closed. |
We have closed various issues discussing validity invariants for simple types (integers, float, bool, char, thin raw pointers). I'd like to have somewhere to point for team consensus, such as an FCP in this issue. :)
We decide
that the validity invariants are
str
need to be initialized0..0xD800
or0xE000..0x110000
Transmuting any provenance-free input that satisfies the above requirements is definitely allowed. In particular, integers can be transmuted to raw pointers without causing immediate UB. What can be done with those pointers in terms of memory accesses is a different question and not answered here.
We do not decide what happens when the input has provenance. This is tracked here. In particular, values such as
&0
(that have provenance) might or might not be legal to transmute to integers.Rationale
bool
andchar
have the same validity and safety invariant, which makes these types simpler to think about.char
can also be exploited by unicode algorithms, at least in principle.noundef
). For int, float, and thin raw pointers this choice also aligns the safety and validity invariant.str
is intended to behave like[u8]
when it comes to language UB, so its validity invariant is made consistent with that of integers.Examples
The following pieces of code cause UB (as in, the UB arises when executing the code, not just potentially later):
The following pieces of code are well-defined:
The following is not decided by this FCP:
The following functions are sound (as in, safe code invoking these functions can never have UB):
Prior discussion
The text was updated successfully, but these errors were encountered: