-
Notifications
You must be signed in to change notification settings - Fork 744
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Adding methods for accepting &mut [MaybeUninit<u8>]
#1574
Comments
It's actually not UB, but it's unsound. Mio doesn't read the buffer nor does it write invalid ( |
After doing a little digging, I found the Unsafe Code Guidelines WG thread about it in rust-lang/unsafe-code-guidelines#71. If I'm reading @RalfJung correctly in nix-rust/nix#1655 (comment), it sounds like this pattern is UB, not just unsound. According to @djkoloski, it sounds like in order to make this non-UB, we'd need to use an LLVM intrinsic |
UB and unsound is the same thing. |
@Thomasdezeeuw would mio be interested in building on top of socket2, or would it make more sense to directly call the correct libc functions? Also, while it might be cleaner to do a breaking change, we could avoid doing that if we add methods like We'd also have to do something to handle uninitialized IoVecs like https://docs.rs/socket2/latest/socket2/struct.MaybeUninitSlice.html. Would it be better to just directly build upon socket2, and expose |
I'd say they are almost the same thing. ;) "unsound" is when using only safe code (but using libraries that internally might use unsafe code), I can use UB. UB is a property of a program with a |
But coming to the issue at hand, indeed using |
No we decided that Mio won't depend on Socket2, but most users of Mio actually use both.
Yeah, I haven't solved in Socket2 either as it has the opposite problem: rust-lang/socket2#223. Maybe |
In principle Tokio could use mio's |
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
This comment was marked as outdated.
@Thomasdezeeuw i think they’re still iterating on the standard ReadBuf implementation. @nrc has a new variant in rust-lang/rust#97015 that tries to fix the risk that someone could unexpectedly mem::swap a @RalfJung thanks for jumping in again! Just to confirm, is the act of doing |
"unsound" means "safe code can use this to cause UB", so that is definitely unsound. But I guess you are asking if that line of code causes UB. Under a strict reading of https://doc.rust-lang.org/reference/behavior-considered-undefined.html, it does, because it creates an |
I think we should close this in favour for an issue that follows the |
We decide to follow the same as the std library, so closing this. Once the read buf (rust-lang/rust#78485) becomes stable we can add support for that. |
I'm doing an audit of Tokio, and as part of it, we noticed in tokio-rs/tokio#4685 there are a few places where tokio is casting a
&mut [MaybeUninit<u8>]
to a&mut [u8]
. They then pass this slice to a variety of mio methods.If I'm reading the unsafe guidelines correctly, this is undefined behavior, or at least considered potentially undefined behavior.
Would it be possible to add some methods that accept
&mut [MaybeUninit<u8>]
to mio? That would let us shrink down the audit scope to these methods to make sure that mio won't accidentally read from these bytes. It'd also give us a place to easily migrate the ecosystem once the standard library is able to take&mut [MaybeUninit<u8>]
, orstd::io::ReadBuf
once stabilized.The text was updated successfully, but these errors were encountered: