Fixed unsoundness of using `&mut MaybeUninit<T>` as the out type for … #1
Conversation
It features:

- enhancing `Vec::reserve_uninit` to a more general API for accessing the backing buffer / capacity of a Vec;
- Rename `idx` to `.get_out`
- (Ab)use `.copy_from_slice()` in read implementations to use less unsafe

TODO:

- The iterator API,
- Documentation

Co-Authored-By: Andreas Molzer <andreas.molzer@gmx.de>
Some TODOs
Typos
Not only does this lead to replacing `OutSlice<T>` with the more readable `Out<[T]>`, it also results in other parts of the API being greatly simplified (mainly the `AsOut` trait).
Review, round two. The interface with `Out` works great! The core of it came together very well. There are a few nits, documentation and naming, but no direct unsoundness that I could find.
Co-Authored-By: Andreas Molzer <andreas.molzer@gmx.de>
This (WIP) PR's objective is to fix the issues spotted by @Kixunil (thanks for telling me!):

- Minor: using `transmute` on fat references makes incorrect assumptions about their layout, so that code could break in a future version of Rust. `slice::from_raw_parts{,_mut}` instead.
- MAJOR: The API used `&mut MaybeUninit<_>` as its `&out` reference type, assuming that it was sound to transmute between `&mut T` and `&mut MaybeUninit<T>`, which it is not (see "Document that casting &mut T to &mut MaybeUninit<T> is not safe", rust-lang/rust#66699).
  - `&out` references that do not allow writing `MaybeUninit::uninit()` into the pointee.
- Added some API features, such as being able to forge a `&out T` from `&mut ManuallyDrop<T>` (to offer `&out` refs even when `T : !Copy` and could thus have drop glue; although leaking is safe, I take an opinionated stance here that doing so ought to be visible and thus verbose).

@HeroicKatora do you wanna review this?

TODO:

- Document new methods
- Add extra helpers to `Out` references
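As an added example (written for this page, not the crate's own code), a minimal write-only `Out` / `OutSlice` pair in the spirit of the PR description above: it shows why a dedicated type is needed instead of `&mut MaybeUninit<T>` (nothing can write `MaybeUninit::uninit()` through it), builds an `&out` from `&mut ManuallyDrop<T>` so the potential leak stays visible, uses `slice::from_raw_parts_mut` instead of transmuting a fat reference, and fills a `Vec`'s spare capacity through it. The names `Out`, `OutSlice`, `extend_via_out` and the use of std's `Vec::spare_capacity_mut` are this example's own choices, not the project's API.

```rust
// Added example, not the crate's code. Minimal sound `&out`-style references.
use core::marker::PhantomData;
use core::mem::{ManuallyDrop, MaybeUninit};
use core::slice;

/// Write-only reference to one `T` slot that may be uninitialized.
///
/// Its only operation, `write`, stores a fully initialized `T`, so a caller can
/// never put `MaybeUninit::uninit()` into the pointee. That is the property a
/// plain `&mut MaybeUninit<T>` lacks: if it were obtained by casting a `&mut T`,
/// safe code could do `*r = MaybeUninit::uninit()` and leave the owner's `T`
/// uninitialized (UB on the next read), see rust-lang/rust#66699.
pub struct Out<'a, T> {
    ptr: *mut T,
    _marker: PhantomData<&'a mut MaybeUninit<T>>,
}

impl<'a, T> Out<'a, T> {
    /// From a slot that may be uninitialized.
    pub fn from_uninit(slot: &'a mut MaybeUninit<T>) -> Self {
        Out { ptr: slot.as_mut_ptr(), _marker: PhantomData }
    }

    /// From an initialized value whose destructor the caller has already
    /// suppressed. Demanding `ManuallyDrop<T>` keeps the leak of the old value
    /// visible at the call site instead of letting it happen silently.
    pub fn from_manually_drop(slot: &'a mut ManuallyDrop<T>) -> Self {
        Out { ptr: &mut **slot as *mut T, _marker: PhantomData }
    }

    /// Overwrite the pointee with `value` and return the now-initialized `&mut T`.
    pub fn write(self, value: T) -> &'a mut T {
        // SAFETY: `ptr` came from a unique `&'a mut` and is valid for writes
        // for `'a`; `ptr::write` neither reads nor drops the old contents, so an
        // uninitialized slot is fine. Afterwards the slot holds a valid `T`.
        unsafe {
            self.ptr.write(value);
            &mut *self.ptr
        }
    }
}

/// `Copy` types have no drop glue, so overwriting one loses nothing and the
/// conversion from a plain `&mut T` can be offered without `ManuallyDrop`.
impl<'a, T: Copy> From<&'a mut T> for Out<'a, T> {
    fn from(slot: &'a mut T) -> Self {
        Out { ptr: slot as *mut T, _marker: PhantomData }
    }
}

/// Write-only view of a run of `T` slots (the role `Out<[T]>` plays in the PR).
/// Kept as pointer + length and rebuilt with `slice::from_raw_parts_mut`, so no
/// assumption about the layout of fat references is made.
pub struct OutSlice<'a, T> {
    ptr: *mut T,
    len: usize,
    _marker: PhantomData<&'a mut [MaybeUninit<T>]>,
}

impl<'a, T> OutSlice<'a, T> {
    pub fn from_uninit(slots: &'a mut [MaybeUninit<T>]) -> Self {
        OutSlice { ptr: slots.as_mut_ptr() as *mut T, len: slots.len(), _marker: PhantomData }
    }

    pub fn len(&self) -> usize {
        self.len
    }

    /// Initialize every slot from `src` (same length required) and return the
    /// initialized slice. With `T: Copy`, `copy_from_slice` on `MaybeUninit<T>`
    /// views does the copy, so the only `unsafe` is building the views.
    pub fn copy_from_slice(self, src: &[T]) -> &'a mut [T]
    where
        T: Copy,
    {
        assert_eq!(self.len, src.len(), "OutSlice::copy_from_slice: length mismatch");
        // SAFETY: `ptr..ptr+len` is valid for writes for `'a` and came from a
        // unique slice; viewing initialized `T`s as `MaybeUninit<T>` is always
        // fine (repr(transparent)); after the copy every slot is a valid `T`.
        unsafe {
            let dst = slice::from_raw_parts_mut(self.ptr.cast::<MaybeUninit<T>>(), self.len);
            let src_view = slice::from_raw_parts(src.as_ptr().cast::<MaybeUninit<T>>(), src.len());
            dst.copy_from_slice(src_view);
            slice::from_raw_parts_mut(self.ptr, self.len)
        }
    }
}

/// Append `src` to `v` by writing into the spare capacity through an
/// `OutSlice`, then publishing the new length (the "access the backing buffer /
/// capacity of a Vec" use case; `spare_capacity_mut` is std, assumed available).
pub fn extend_via_out<T: Copy>(v: &mut Vec<T>, src: &[T]) {
    let old_len = v.len();
    v.reserve(src.len());
    let spare = &mut v.spare_capacity_mut()[..src.len()];
    OutSlice::from_uninit(spare).copy_from_slice(src);
    // SAFETY: `reserve` guaranteed the room and the first `src.len()` spare
    // slots were just initialized by `copy_from_slice`.
    unsafe { v.set_len(old_len + src.len()) };
}

fn main() {
    let mut slot = MaybeUninit::<String>::uninit();
    Out::from_uninit(&mut slot).write(String::from("hello")).push('!');
    // SAFETY: initialized by `write` above.
    assert_eq!(unsafe { slot.assume_init() }, "hello!");

    let mut md = ManuallyDrop::new(String::from("old, intentionally leaked"));
    Out::from_manually_drop(&mut md).write(String::from("new"));
    assert_eq!(&**md, "new");
    unsafe { ManuallyDrop::drop(&mut md) };

    let mut v: Vec<u8> = vec![1, 2];
    extend_via_out(&mut v, &[3, 4, 5]);
    assert_eq!(v, [1, 2, 3, 4, 5]);
}
```

The design point is the type boundary: every constructor starts from a unique reference, and the only mutation offered is a full `write`, so the "can't write `uninit()` through it" invariant holds regardless of whether the slot started out initialized.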