-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NonZero constructor in debug-builds should assert input is actually nonzero. #31217
Comments
To actually put in this check, the language would need to be extended to some degree, since (I have discussion here rust-lang/rfcs#1383 of potentially trying to change/extend const evaluation to support |
another necessary extension to the language implementation would probably be #28809 (see why in #28809 (comment) ) |
cc #27730 |
In case its not clear, I strongly encourage the libs team to not stabilize |
(and see also #27573 ) |
|
Note that adding the debug assert is an exception-safety concern -- though it will only trigger if you were about to do UB, so it's ok I guess? |
@gankro How do you know the value is non-zero to begin with? |
@eddyb usually because we're already checking -- e.g. it came out of an allocator and we didn't abort. Unique is pretty universally used for "we're Box but not". The problem code exists because someone was using |
@gankro There's your answer. If it's known to be not NULL, then the allocator should return |
Yep, that'd be great. 's in the allocator API RFC to some extent already. |
Triage: NonZero has been replaced with many types, like NonZeroU8. These have both checked and unsafe unchecked constructors. Closing! |
NonZero constructor in debug-builds should assert input is actually nonzero.
In particular, I am a bit concerned by the somewhat free-wheeling way that we are adding uses of the unsafe
NonZero::new
constructor function without any checks that the given input actually is non-zero.I freely admit that I do not have many examples of current bugs that such a check would have prevented. However, I can point to some questionable code in a previous iteration of the libstd btree code that such a check would have at least caught: prior to PR #30426, the btree node.rs code had this line:
rust/src/libcollections/btree/node.rs
Line 305 in 26a2f85
Was this a bug? Well, ... according to the invariants of
Unique
andNonZero
, thekeys.is_null()
check should in principle be optimizable to be "always false", right?#[unsafe_no_drop_flag]
, and so that drop code can (and will) be run repeatedly, so thatkeys.is_null()
call can well occur in a context where the data is in a "bad state"keys.is_null()
check is to catch the null being used as a sentinel value, even though it is in fact illegal in that context.)The text was updated successfully, but these errors were encountered: