ManuallyDrop should be an object-safe receiver type #64351
Comments
withoutboats
added
F-arbitrary_self_types
|
(Note: I believe for now, the way to express the method I'm interested in so that it is object safe is |
|
👎 . We should focus on stabilizing |
|
I'm not sure I agree with @comex, I don't think adding another special case would get in the way of stabilizing If we do add ManuallyDrop as a special case, I'm pretty sure all we have to do is implement the |
|
These things don't block one another - stabilizing the ability for users to define custom receivers doesn't have any kind of ordering with which std types can be custom receivers. We've already given std the special privilege to use this feature beyond what other crates can do (as we have with many other features), these types were just overlooked from the set we stabilized for no particular reason. Blocking progress in one way to create pressure to make progress in another is filibuster logic. Thanks for pointing out that its as easy as adding impls @mikeyhew! |
|
The reason I care about ordering is that every new In fact, the ordering is the only aspect of these features I care about. I'm not personally interested in That said, this is admittedly only a small extension to an existing set of functionality. If it were up to me, the existing set wouldn't have been stabilized until |
I just realized that's not true. Right now, if the feature flag is not enabled, we require that the receiver type implements |
|
@mikeyhew is it challenging to implement the work for composed receivers but not stabilize them? I would think that's just a matter of the Receiver impls. Composed receivers are a bit more uncertain to mebecause they make the set of receivers infinite with absurdity like |
|
I'm in the process of working to stabilize composed receivers in #64325 |
|
I personally have no objection to extending the set of stabilized types a bit farther. That said, I would appreciate a few more details on the proposed use cases. Otherwise:
would all seem to be in order. Seems like it might also make sense to combine this effort with #64325? |
|
What are the rules a type has to satisfy to be a "well-behaved" object-safe receiver type? Is there a "checklist" such that we can be sure a type that checks all the boxes is good to go as objcect-safe receiver type? This should be documented somewhere persistently, IMO before we go on stabilizing more of those. I am, naturally, particularly interested in any interaction with unsafe code and guarantees it would have to promise to uphold. Yes, such docs work is not a lot of fun, but it is important (and with |
Being represented as a pointer to the type and (transitively) safely dereferencing to it. There are some additional traits involved. I agree the present situation is not great, but I think this has to do with stabilizing the |
Well, we better make sure the std-privileged types we add are actually safe. That's hard to do until we have a proper handle of what that actually means. |
|
@RalfJung yes, There are types we have held off on adding because they would involve making UCG related decisions - nonnull and raw ptrs, for example, because we haven't determined if the vtable pointer needs to be valid and how that relates to calling trait object methods, etc. Which is why the requirements now are narrowly types that we are confident would guarantee a valid vtable and data pointer (which includes ManuallyDrop). |
|
Oh, and receiver types don't "nest", right? So all of the ones you are listing in the OP are exactly one pointer indirection. However, |
|
@RalfJung yea, I meant the deref impl, which in those cases has to also do the offset past the reference counts.. In terms of nesting, currently they don't, but cramertj has a PR to allow them, though any that are double indirection (or more) would not be object safe. My understanding is that if the type guarantees that |
Why that?
On first sight, that sounds like a reasonable assumption. |
I think its just an implementation limitation on how we access the vtable right now, @mikeyhew would know more. |
We should extend the set of library-defined self types on stable to include types involving
ManuallyDrop.ManuallyDropis a transparent wrapper around another type which is completely unconstrained; there should be no technical limitations on making it an object-safe receiver type.To be explicit, I am proposing to make the following types valid self types on stable, and all but the first would be object safe:
ManuallyDrop<Self>&ManuallyDrop<Self>&mut ManuallyDrop<Self>Box<ManuallyDrop<Self>>Rc<ManuallyDrop<Self>>Arc<ManuallyDrop<Self>>Pin<&ManuallyDrop<Self>>Pin<&mut ManuallyDrop<Self>>Pin<Box<ManuallyDrop<Self>>>Pin<Rc<ManuallyDrop<Self>>>Pin<Arc<ManuallyDrop<Self>>>This is similar to but distinct from #56193, which is about making coercions valid involving a manually drop wrapped around a pointer type.
In particular, I am personally interested in having
Pin<&mut ManuallyDrop<Self>>as an object-safe receiver type for an unsafe trait method in my code, as it assists users in understanding the guarantees the caller is giving them - that it will never access or move this value again, even to drop it, do with that what you will.cc @mikeyhew @rust-lang/lang @rust-lang/wg-unsafe-code-guidelines
The text was updated successfully, but these errors were encountered: