Introduce a Unsafe<T> type to be used as the basis for Cell, RefCell, Atomic, etc and remove Freeze
#12577
Comments
|
I guess this is an RFC, which I hate having on the issue tracker. Sigh. |
|
Albeit a small change, consolidating unsafety is one of my favorite things to do and this does a nice job of it. I'm not entirely sure where such a structure would live, perhaps We may also want to make an effort to tuck this away in the docs so we don't jump to this first as well. |
|
I'd like to know how feasible it would be to restrict most transmutes to |
|
On Thu, Feb 27, 2014 at 02:02:54AM -0800, Eduard Burtescu wrote:
A good question. |
|
+1 |
|
As another datapoint, I just noticed another example of a Cell-like pattern in libstd: |
|
Today we decided to call this type |
|
I updated the main text. |
|
@flaper87 good thing we waited to start implementing ;) |
|
The +1 for these changes though |
|
@nikomatsakis indeed, I could probably work on this since I was already assigned to the other 'remove Freeze` bug. |
|
It's not obvious from the bug report whether the static borrow should be forbidden just for immutable static items or from any kind. Just to make sure we're all on the same page, I think this should be applied just on |
|
On Fri, Mar 14, 2014 at 02:53:39PM -0700, Flavio Percoco Premoli wrote:
Yes, I agree. |
`Share` implies that all *reachable* content is *threadsafe*. Threadsafe is defined as "exposing no operation that permits a data race if multiple threads have access to a &T pointer simultaneously". (NB: the type system should guarantee that if you have access to memory via a &T pointer, the only other way to gain access to that memory is through another &T pointer)... Fixes #11781 cc #12577 What this PR will do ================ - [x] Add Share kind and - [x] Replace usages of Freeze with Share in bounds. - [x] Add Unsafe<T> #12577 - [x] Forbid taking the address of a immutable static item with `Unsafe<T>` interior What's left to do in a separate PR (after the snapshot)? =========================================== - Remove `Freeze` completely
This PR removes the `Freeze` kind and the `NoFreeze` marker completely. Fixes #12577 cc @nikomatsakis r?
internal: NameRefKind classification is not optional
UPDATED
We have various safe wrappers that permit aliasable mutability (
Cell,RefCell, etc). To be sound, all of them must use markers for invariance and non-freeze. We should factor out these markers and so on into a base typeUnsafe<T>that contains the most general (and unsafe) form of interior mutability, which is a function that yields a*mut T:It will be undefined behavior to transmute an aliasable reference into something mutable through any other means.
Unsafe<T>wlil be integrated into the compiler as follows:Unsafe<T>, you cannot take its address.Unsafe<T>(interior), the compiler will have to be careful about optimizing aliasing and so on. This may correspond to some existing LLVM compiler concept likevolatile.Freezekind (seemingly orthogonal but...not).This type replaces
transmute_mutas the building block for types likeCell. What is better about this is that it ties together the transmute along with the marker types that are required for soundness, so that they cannot be forgotten.cc @alexcrichton, with whom I was discussing this
cc @brson, because this relates to our discussion on laying out rules for unsafe code
The text was updated successfully, but these errors were encountered: