docs: be less harsh in wording for Vec::from_raw_parts #99216
Conversation
In particular, be clear that it is sound to specify memory not originating from a previous `Vec` allocation. That is already suggested in other parts of the documentation about zero-alloc conversions to Box<[T]>. Incorporate a constraint from `slice::from_raw_parts` that was missing but needs to be fulfilled, since a `Vec` can be converted into a slice.
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
Thanks for the pull request, and welcome! The Rust team is excited to review your changes, and you should hear from @joshtriplett (or someone else) soon. Please see the contribution instructions for more information.
library/alloc/src/vec/mod.rs
Outdated
/// * The allocated size in bytes must be no larger than `isize::MAX`. | ||
/// See the safety documentation of [`pointer::offset`]. | ||
/// | ||
/// To ensure these requirements are easily met, ensure `ptr` has previously |
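Review bot: the sentence that starts on the last line ("To ensure these requirements are easily met, ensure `ptr` has previously") still reads as a hard requirement rather than a recommendation, which is the wording this PR sets out to soften; phrase it as a statement of fact, e.g. "These requirements are always upheld by any `ptr` allocated via `Vec<T>`; other allocation sources are fine as long as the invariants hold." The `isize::MAX` bullet should also say what it bounds, namely `size_of::<T>() * capacity`, since that product is the allocated size the cited [`pointer::offset`] rule applies to.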
"ensure" here still sounds like it's a must.
I'd say something along the lines of "These requirements are always upheld by any ptr that has been allocated using a Vec<T>, but manual allocation is okay as long as the invariants are upheld."
That last bit might need some work, but if I read "ensure" in a doc, I read that as a "it is UB if this is not true".
Ah, good point, I'll reword.
Also, this looks like a t-libs-api issue
Oh, I read that to be about feature stabilization.
@rustbot label +T-libs-api -T-libs
library/alloc/src/vec/mod.rs
Outdated
/// * `T` needs to have the same alignment as what `ptr` was allocated with. | ||
/// (`T` having a less strict alignment is not sufficient, the alignment really | ||
/// needs to be equal to satisfy the [`dealloc`] requirement that memory must be | ||
/// allocated and deallocated with the same layout.) | ||
/// * The size of `T` times the `capacity` (ie. the allocated size in bytes) needs | ||
/// to be the same size as the pointer was allocated with. (Because similar to | ||
/// alignment, [`dealloc`] must be called with the same layout `size`.) | ||
/// * `length` needs to be less than or equal to `capacity`. | ||
/// * `length` needs to be less than or equal to `capacity` and the first `length` |
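Review bot: the last bullet folds two independent requirements into one sentence (`length` being at most `capacity`, and the first `length` values being initialized `T`s); keep them as two bullets so each reads as its own condition, the way the alignment and size bullets above do. Minor: "ie." in the size bullet should be "i.e.".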
I'd split this into 2 lines, this is 2 different safety comments.
library/alloc/src/vec/mod.rs
Outdated
/// to be the same size as the pointer was allocated with. (Because similar to | ||
/// alignment, [`dealloc`] must be called with the same layout `size`.) | ||
/// * `length` needs to be less than or equal to `capacity` and the first `length` | ||
/// values must be properly initialized values of type `T`. | ||
/// * `capacity` needs to be the capacity that the pointer was allocated with. |
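Review bot: the new `capacity` bullet on the last line overlaps with the size bullet just above it: for a non-zero-sized `T`, "`size_of::<T>() * capacity` equals the size the pointer was allocated with" already pins down `capacity`. Either drop the new bullet or make it say something the size bullet does not, such as tying `capacity` to the layout size the pointer was allocated with.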
I think there's some stuff on Allocator docs about a layout "fitting" another layout. So you can allocate with size 16, get an allocation of size 24, and deallocate with any size inbetween.
Not sure if we should reflect that here. And it probably doesn't apply to Vec<T, Global> since that goes through GlobalAlloc.
I think it would be worth it to mention it here. Something like "`capacity` needs to fit the layout size that the pointer was allocated with."?
library/alloc/src/vec/mod.rs
Outdated
/// See the safety documentation of [`pointer::offset`]. | ||
/// | ||
/// These requirements are always upheld by any `ptr` that has been allocated | ||
/// via `Vec<T>`. Other allocation sources are allowed if the invariants are |
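Review bot: "allocated via `Vec<T>`" leaves out the allocator, which the [`dealloc`] requirement cited earlier in this list depends on: memory from a `Vec<T, A>` with a non-global `A` satisfies the alignment and size bullets yet must not be handed to `from_raw_parts`, which frees through the global allocator. State explicitly that `ptr` must have been obtained from the global allocator, whether via `Vec<T>` or by hand.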
This should be Vec<T, A>
Probably also good to write some doctests showing how you'd do this.

```rust
extern crate alloc;

fn main() {
    use alloc::alloc::Layout;

    // Layout for 16 u32s: 64 bytes, 4-byte alignment.
    let layout = Layout::array::<u32>(16).expect("overflow cannot happen");
    let vec = unsafe {
        let alloc = alloc::alloc::alloc(layout).cast::<u32>();
        if alloc.is_null() {
            return;
        }
        // Initialize the single element that will be reported as the length.
        alloc.write(1_000_000);
        Vec::from_raw_parts(alloc, 1, 16)
    };
    assert_eq!(vec, &[1_000_000]);
    assert_eq!(vec.capacity(), 16);
}
```

Something like this. I don't remember if
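A checked wrapper around the raw constructor, as an added example that is not part of this PR, of the reviewer's snippet or of the standard library docs: it takes the `Layout` the block was obtained with and verifies at runtime the requirements from the safety list above that can be verified (alignment equal to `T`'s, `size_of::<T>() * capacity` equal to the layout size and at most `isize::MAX`, `length <= capacity`), leaving only provenance (global allocator, same layout) and initialization of the first `length` elements to the caller. The helper name `vec_from_global_alloc`, the error enum and the sample values are assumptions made for illustration; zero-sized `T` is rejected because `std::alloc::alloc` must not be called with a zero-size layout. The last function shows the round trip through an existing `Vec`, whose parts always satisfy the list.

```rust
// Added example, not from the PR or from std. Assumed names: vec_from_global_alloc,
// RawPartsError and the helper functions below.
use std::alloc::{alloc, dealloc, Layout};
use std::mem::{align_of, size_of, ManuallyDrop};

/// Why the checked constructor refused to build a `Vec`.
#[derive(Debug, PartialEq, Eq)]
pub enum RawPartsError {
    ZeroSize,
    AlignMismatch { layout: usize, ty: usize },
    SizeMismatch { layout: usize, needed: usize },
    LengthExceedsCapacity { length: usize, capacity: usize },
    TooLarge,
}

/// Build a `Vec<T>` from memory obtained from the global allocator with `layout`.
///
/// Runtime checks: `layout` has exactly `T`'s alignment, `layout.size()` equals
/// `capacity * size_of::<T>()`, that product is at most `isize::MAX`, and
/// `length <= capacity`. Zero-sized `T` (or a zero-size layout) is rejected.
///
/// # Safety
/// `ptr` must have been returned by `std::alloc::alloc(layout)`, must not have
/// been freed, and its first `length` elements must be initialized `T` values.
pub unsafe fn vec_from_global_alloc<T>(
    ptr: *mut T,
    layout: Layout,
    length: usize,
    capacity: usize,
) -> Result<Vec<T>, RawPartsError> {
    if size_of::<T>() == 0 || layout.size() == 0 {
        return Err(RawPartsError::ZeroSize);
    }
    if layout.align() != align_of::<T>() {
        return Err(RawPartsError::AlignMismatch { layout: layout.align(), ty: align_of::<T>() });
    }
    let needed = capacity
        .checked_mul(size_of::<T>())
        .filter(|&n| n <= isize::MAX as usize)
        .ok_or(RawPartsError::TooLarge)?;
    if needed != layout.size() {
        return Err(RawPartsError::SizeMismatch { layout: layout.size(), needed });
    }
    if length > capacity {
        return Err(RawPartsError::LengthExceedsCapacity { length, capacity });
    }
    // SAFETY: alignment, size and length were checked above; the caller guarantees
    // that `ptr` came from the global allocator with `layout` and that the first
    // `length` elements are initialized.
    Ok(unsafe { Vec::from_raw_parts(ptr, length, capacity) })
}

/// Happy path: room for 8 `u32`s, the first 3 initialized, handed to `Vec`,
/// which frees the block with the same layout when dropped.
pub fn build_from_raw_allocation() -> Vec<u32> {
    let layout = Layout::array::<u32>(8).expect("8 * 4 bytes fits in isize::MAX");
    unsafe {
        let ptr = alloc(layout).cast::<u32>();
        assert!(!ptr.is_null(), "allocation failed");
        for (i, v) in [10u32, 20, 30].iter().enumerate() {
            ptr.add(i).write(*v);
        }
        vec_from_global_alloc(ptr, layout, 3, 8).expect("layout matches u32")
    }
}

/// Failure path: 32 bytes allocated with alignment 1 cannot back a `Vec<u32>`
/// even though the size divides evenly. The helper refuses, and the block is
/// freed with the layout it was allocated with.
pub fn reject_misaligned_block() -> RawPartsError {
    let layout = Layout::array::<u8>(32).unwrap();
    unsafe {
        let ptr = alloc(layout);
        assert!(!ptr.is_null(), "allocation failed");
        let err = vec_from_global_alloc(ptr.cast::<u32>(), layout, 0, 8).unwrap_err();
        dealloc(ptr, layout);
        err
    }
}

/// Round trip through an existing `Vec`: its parts always satisfy the rules.
/// A zero-capacity `Vec` owns no allocation, so it is rebuilt as `Vec::new()`.
pub fn round_trip(v: Vec<u64>) -> Vec<u64> {
    let mut v = ManuallyDrop::new(v);
    let (ptr, len, cap) = (v.as_mut_ptr(), v.len(), v.capacity());
    if cap == 0 {
        return Vec::new();
    }
    let layout = Layout::array::<u64>(cap).unwrap();
    unsafe { vec_from_global_alloc(ptr, layout, len, cap).expect("parts came from a Vec") }
}

fn main() {
    println!("{:?} (cap {})", build_from_raw_allocation(), build_from_raw_allocation().capacity());
    println!("{:?}", reject_misaligned_block());
    println!("{:?}", round_trip(vec![1, 2, 3]));
}
```

The checks cover only what is observable from `layout` and the integers; the two obligations the doc list cannot be reduced to a runtime test (the block really came from the global allocator with that layout, and the prefix is initialized) remain in the `# Safety` contract, which is why the wrapper is still `unsafe`.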
Examples added :)
Fixes GH-98780.
@bors r+ rollup
docs: be less harsh in wording for Vec::from_raw_parts In particular, be clear that it is sound to specify memory not originating from a previous `Vec` allocation. That is already suggested in other parts of the documentation about zero-alloc conversions to Box<[T]>. Incorporate a constraint from `slice::from_raw_parts` that was missing but needs to be fulfilled, since a `Vec` can be converted into a slice. Fixes rust-lang#98780.
…iaskrgr Rollup of 7 pull requests

Successful merges:
- rust-lang#98218 (Document the conditional existence of `alloc::sync` and `alloc::task`.)
- rust-lang#99216 (docs: be less harsh in wording for Vec::from_raw_parts)
- rust-lang#99460 (docs: Improve AsRef / AsMut docs on blanket impls)
- rust-lang#100470 (Tweak `FpCategory` example order.)
- rust-lang#101040 (Fix `#[derive(Default)]` on a generic `#[default]` enum adding unnecessary `Default` bounds)
- rust-lang#101308 (introduce `{char, u8}::is_ascii_octdigit`)
- rust-lang#102486 (Add diagnostic struct for const eval error in `rustc_middle`)

Failed merges:

r? `@ghost`
`@rustbot` modify labels: rollup