Stream: t-lang/wg-unsafe-code-guidelines

Topic: Relying on drop running


RalfJ (May 23 2019 at 19:50, on Zulip):

AFAIK it is well-accepted that you can rely on drop glue running in your own code, as that is not impeded by mem::forget. However, just recently someone was surprised by this, and now someone is actively doubting it. Does someone here know examples of libraries relying on this? I thought crossbeam did, but it uses catch_unwind instead. I found one case in libstd.

Alan Jeffrey (May 24 2019 at 18:39, on Zulip):

Stack-allocated GC rooting is a good example of this, e.g. providing an unsafe rooting API but then wrapping it in a macro that ensures the user can't call mem::forget.

RalfJ (May 24 2019 at 18:45, on Zulip):

@Alan Jeffrey ah, josephine is doing that these days, right?

RalfJ (May 24 2019 at 18:48, on Zulip):

hm, can't find that macro in josephine's docs?

Gankro (May 27 2019 at 22:58, on Zulip):

@RalfJ see also binary_heap::Hole: https://github.com/rust-lang/rust/blob/27cc0db7a248308fc2634ac68d7608a20b4a1c09/src/liballoc/collections/binary_heap.rs#L924-L983

Gankro (May 27 2019 at 22:59, on Zulip):

hashbrown::ScopeGuard: https://github.com/Amanieu/hashbrown/blob/master/src/scopeguard.rs

Gankro (May 27 2019 at 23:01, on Zulip):

...every user of the scopeguard crate: https://crates.io/crates/scopeguard/reverse_dependencies

gnzlbg (May 28 2019 at 07:50, on Zulip):

Relying on this _for safety_? Or just relying on this? E.g. Box relies on this...

gnzlbg (May 28 2019 at 07:50, on Zulip):

for not leaking memory

gnzlbg (May 28 2019 at 07:51, on Zulip):

if the user does not explicitly leak memory (e.g by writing mem::forget)

RalfJ (May 28 2019 at 08:00, on Zulip):

I was looking for safety cases

RalfJ (May 28 2019 at 08:01, on Zulip):

> Stack-allocated GC rooting is a good example of this, e.g. providing an unsafe rooting API but then wrapping it in a macro that ensures the user can't call mem::forget.

@Alan Jeffrey do you have a link for this?

Alan Jeffrey (May 28 2019 at 13:17, on Zulip):

For Josephine I think the plan is to use the JS context and rooting scopes to avoid a magic macro, as discussed here: https://github.com/asajeffrey/josephine/issues/52

Alan Jeffrey (May 28 2019 at 13:18, on Zulip):

the use of a macro is something I've discussed a lot with nox, let me ping him and see if there's anything written down.

Alan Jeffrey (May 28 2019 at 13:19, on Zulip):

The basic idea is a macro which enforces that you can only create a Foo via let ref mut x = Foo::new(), so the caller doesn't have an owned Foo they can mem::forget, ManuallyDrop etc.

Alan Jeffrey (May 28 2019 at 13:20, on Zulip):

@RalfJ ^

RalfJ (May 28 2019 at 13:30, on Zulip):

yes that's what I imagined, I just thought that would already be implemented

RalfJ (May 28 2019 at 13:31, on Zulip):

if not, could you speak up in https://github.com/rust-lang-nursery/nomicon/issues/135 and cite that as a usecase?

RalfJ (May 28 2019 at 13:31, on Zulip):

I was confused for a sec here but the Pin in https://github.com/asajeffrey/josephine/issues/52 is not the one in libstd right?^^

Alan Jeffrey (May 28 2019 at 13:37, on Zulip):

> I was confused for a sec here but the Pin in https://github.com/asajeffrey/josephine/issues/52 is not the one in libstd right?^^

yeah, Josephine's Pin predates the one in std.

Last update: Nov 20 2019 at 12:10UTC