Skip to content

Documentation of wrapping_add/-_sub/-_offset need clarification... #80306

New issue
New issue
Closed
#80383
Closed
Documentation of wrapping_add/-_sub/-_offset need clarification...#80306
#80383
Labels
A-docsArea: Documentation for any part of the project, including the compiler, standard library, and toolsC-enhancementCategory: An issue proposing an enhancement or a PR with one.T-langRelevant to the language team, which will review and decide on the PR/issue.T-libs-apiRelevant to the library API team, which will review and decide on the PR/issue.
@steffahn

Description

@steffahn
steffahn
opened on Dec 22, 2020

...about whether pointer arithmetic is allowed to - temporarily - leave the bounds of an object, then go back into bounds and afterwards dereference the pointer.

The question is if code like this:

fn foo(x: &u8) {
    let mut x = x as *const u8;
    x = x.wrapping_add(42);
    x = x.wrapping_sub(42);
    let _val = unsafe { *x };
    // use _val
}

is sound or unsound.

The current documentation says:

The resulting pointer does not need to be in bounds, but it is potentially hazardous to dereference (which requires unsafe).

In particular, the resulting pointer remains attached to the same allocated object that self points to. It may not be used to access a different allocated object. Note that in Rust, every (stack-allocated) variable is considered a separate allocated object.

Compared to add / sub / offset, this method basically delays the requirement of staying within the same allocated object: add / sub / offset is immediate Undefined Behavior when crossing object boundaries; wrapping_add / wrapping_sub / wrapping_offset produces a pointer but still leads to Undefined Behavior if that pointer is dereferenced. add / sub / offset can be optimized better and is thus preferable in performance-sensitive code.

So it specifies that the resulting pointer “remains attached to the same allocated object that self points to”, which suggests that after going back into bounds, dereferencing should be safe again.

It also says “this method basically delays the requirement of staying within the same allocated object; ” which sounds like, staying within the same allocated object is still a requirement, which could be interpreted as that whenever any intermediate value did not stay within bounds, that intermediate value has some delayed violation of requirements attached to it that triggers UB once the final (back in bounds) pointer is dereferenced.

The following comparison, “add / sub / offset is immediate Undefined Behavior when crossing object boundaries; wrapping_add / wrapping_sub / wrapping_offset produces a pointer but still leads to Undefined Behavior if that pointer is dereferenced” can easily be interpreted as confirming this interpretation, since object boundaries are crossed (twice, first going out of the object, then going back in) and the pointer is dereference afterwards (right after the second crossing of object boundaries).

After I was addressing this on IRLO, @RalfJung gave the answer

It is explicitly intended to be allowed to leave the object and then go back inbounds. Looks like we need to clarify the docs.

@rustbot modify labels: T-doc, T-libs, T-lang, C-enhancement
Feel free to remove a T- label if this doesn’t seem relevant for that team.

Metadata

Metadata

Assignees

No one assigned

    Labels

    A-docsArea: Documentation for any part of the project, including the compiler, standard library, and toolsC-enhancementCategory: An issue proposing an enhancement or a PR with one.T-langRelevant to the language team, which will review and decide on the PR/issue.T-libs-apiRelevant to the library API team, which will review and decide on the PR/issue.

    Type

    No type

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions