-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
strict provenance: rename addr → bare_addr #121588
Conversation
This comment has been minimized.
This comment has been minimized.
9bf5abe
to
a64ef5b
Compare
The Miri subtree was changed cc @rust-lang/miri |
a64ef5b
to
c0a68e1
Compare
This comment has been minimized.
This comment has been minimized.
c0a68e1
to
bec6b66
Compare
This comment has been minimized.
This comment has been minimized.
bec6b66
to
e5df574
Compare
Portable SIMD is developed in its own repository. If possible, consider making this change to rust-lang/portable-simd instead. |
The naming has been discussed heavily in this Zulip topic, and I'd prefer to not religitate the points made there in a forum which is worse for conversation (GitHub's automatic hiding of comments is horrendous for long conversations): https://rust-lang.zulipchat.com/#narrow/stream/136281-t-opsem/topic/Next.20steps.20for.20strict.20provenance.20stabilization What someone could do that would be very helpful is post a summary of the arguments made in that Zulip thread and add it to the PR description. I'm saying this because there is a good argument made against @joboet's point above, and their comment seems unaware of it. We should be providing new entrants an easy onboarding to the conversation, and we aren't. |
This particular argument actually made it into the PR summary, albeit in very abbreviated form:
In other words, blindly replacing That's why the lint now adds some extra caution:
|
r? libs-api |
71dd9f7
to
17ddacd
Compare
This comment has been minimized.
This comment has been minimized.
17ddacd
to
a77c209
Compare
☔ The latest upstream changes (presumably #121662) made this pull request unmergeable. Please resolve the merge conflicts. |
We discussed this in last week's libs-api meeting, but we did not reach a consensus among those present. Some of us thought the name |
My opinion is similar to what @joboet expressed in this comment. I'm personally not convinced that My mental model if a pointer is basically a pair
Having clear documentation for Separately from all that, I don't think |
Specifically, David wondered whether the goal of the rename is:
|
I'm just channeling other people that were uncomfortable with I gave the arguments against
The idea is that people will see the "bare" an go "huh, why does it say
This. |
That sounds like a bad idea tot me. In other words: the way I see it, the "without provenance" in |
Indeed, that's why I proposed |
I rather like the direction of "bare" pointer. It's a word that doesn't have a common definition already, so we have have a section talking about it in the And it's nice and short :) Let me see if I can more directly reflect the I would love for it to be just If we had a different way, like how Otherwise I just worry that it'll be de facto impossible to change to something different from exposing, because we'd likely see a ton of crater failing on it 🙁 If we have something for people to use that's a method instead of an Even if it's just |
Well, we could store the pointer in memory and then load it back as an
Okay so if we were to stabilize some form of |
Unfortunately, even just at Right now it apparently just doesn't have a way to express this difference. (Maybe |
Yes. Even if we just stabilize So long as there's something to help keep everyone who sees the release notes from going "oh, I'll replace all my (Of course, I'm biased because I also want something like that which we can put in a lint suggestion to tell people to move off |
Honestly, I think |
Okay, let's stick to |
Many people are concerned that
ptr.addr()
is too tempting of a name: people might just replace allptr as usize
cast withptr.addr()
and not change anything else about their code, and that would be bad as it can introduce UB. The namebare_addr
is meant to nudge people towards reading the docs which hopefully avoids such mistakes.@rust-lang/libs when you are discussing this -- we'd really like feedback on naming preferences here. I first suggested another name,
addr_without_provenance
, but people were generally unhappy with that. A lot would preferaddr
. This is almost always what you should use, but the issue is that to use it you have to change more than one thing in your code -- you have to replace the int2ptr casts by something entirely different, likewith_addr
/map_addr
. We can steer people towards usingaddr
by giving it a nice and short name, but we cannot use API design alone to steer people towards then also doing the right thing at the other end of the cast. (I think of these casts as coming in pairs: somewhere a ptr is cast to an int, and later an int is cast back to a ptr.)So
bare_addr
is a compromise between these concerns. If we go for this we should probably renameptr::without_provenance
toptr::from_bare_addr
orptr::from_bare
orptr::bare
or something like that. (from_bare
is a bit strange since this is converting from a usize and usizes are always bare integers... this would be in contrast tofrom_exposed
which also takes a bare usize but then does "magic" to equip it with suitable provenance, at least in some cases.) I'm happy to prepare that PR, but if t-libs-api has opinions on that name they'd be good to hear. :)