Stream: t-lang/wg-unsafe-code-guidelines

Topic: Always uninitialized


gnzlbg (Aug 02 2019 at 12:29, on Zulip):

Can I use:

rkruppe (Aug 02 2019 at 12:32, on Zulip):

If you mean that nobody can ever (safely) write anything to the T bytes, then no. For example, with sufficient placement/RVO smarts, let x: AlwaysUninit<String> = ("foo".into(), panic!()) not only writes a String to x, it even cleans it up afterwards.

gnzlbg (Aug 02 2019 at 12:33, on Zulip):

I only want to prevent reads via MaybeUninit::assume_init

gnzlbg (Aug 02 2019 at 12:33, on Zulip):

If someone wants to do anything more complex to actually read or write to the bytes, they should be able to

nagisa (Aug 02 2019 at 12:44, on Zulip):

Yeah, it is valid and the call will panic

nagisa (Aug 02 2019 at 12:45, on Zulip):

Many MaybeUninit methods should compile down to a panic when its T is uninhabited, which is true in this case.

nagisa (Aug 02 2019 at 12:46, on Zulip):

Now this made me wonder… did we reach a decision on the uninhabitedness of &!?

gnzlbg (Aug 02 2019 at 13:09, on Zulip):

Now this made me wonder… did we reach a decision on the uninhabitedness of &!?

No, that is https://github.com/rust-lang/unsafe-code-guidelines/issues/77

RalfJ (Aug 02 2019 at 16:27, on Zulip):

@gnzlbg I do not understand what you are trying to achieve

RalfJ (Aug 02 2019 at 16:27, on Zulip):

assume_init is unsafe so if you are worried about a safe wrapper, you can ignore it

gnzlbg (Aug 03 2019 at 16:35, on Zulip):

I actually needed a type to express that something is always uninitialized

rkruppe (Aug 03 2019 at 16:37, on Zulip):

You said so from the start but it's not clear what that means or what you want it for (I know from discord you were thinking about manually adding padding to a type but what exactly do you intend to accomplish by "expressing" this?)

gnzlbg (Aug 03 2019 at 17:49, on Zulip):

It's "explicit" padding for repr(C) types; there is never a need to initialize that to anything, nor to try to ::assume_init it, so none of that is needed.

RalfJ (Aug 03 2019 at 18:41, on Zulip):

sounds like you just want a newtype around [MaybeUninit<u8>; N]?

RalfJ (Aug 03 2019 at 18:41, on Zulip):

no type will have a validity invariant "must be uninitialized"

RalfJ (Aug 03 2019 at 18:42, on Zulip):

and the safety invariant is up to you with a newtype

RalfJ (Aug 03 2019 at 18:42, on Zulip):

but I also cannot imagine a situation where uninitialized memory is okay but initialized memory is not

RalfJ (Aug 03 2019 at 18:42, on Zulip):

this includes padding

RalfJ (Aug 03 2019 at 18:42, on Zulip):

in which case plain [MaybeUninit<u8>; N] would do it

gnzlbg (Aug 05 2019 at 08:14, on Zulip):

@RalfJ I just ended up with a wrapper struct Padding<T>(MaybeUninit<T>); that does not expose the private field, has no assume_init, etc.

RalfJ (Aug 05 2019 at 16:57, on Zulip):

seems reasonable

Last update: Nov 19 2019 at 17:35 UTC