Padding Bytes Guarantees?

[jswrenn]

The context of this issue is determining when it is safe for a struct to implement FromZeros (à la zerocopy::FromBytes), a marker trait implemented for a type T iff any sequence of initialized zeroed bytes of length size_of::<T>() is a valid instance of T. (For such types, mem::zeroed is safe!)

Per the reference:

The representation of a type can change the padding between fields, but does not change the layout of the fields themselves.

Therefore: for a struct T to be FromZeros, the fields of T must also be FromZeros.

I'm trying to determine whether this requirement alone is sufficient.

My understanding is that the padding bytes between fields is expressly undefined (i.e., it can be anything, including uninitialized). Will Rust ever rely on padding having a particular value?

If so, for a struct T to be FromZeros, it must have no padding, as a 0u8 might not correspond to a valid padding byte for T. This poses a very severe limitation on what structs could be FromZeros (and, by extension, FromBytes).

[Lokathor]

I also use a similar unsafe marker to make safe zeroing https://docs.rs/lokacore/0.1.0/lokacore/trait.Zeroable.html, so I suppose this applies to me as well.

[RalfJung]

Indeed, this should be properly guaranteed somewhere, at some point.

My current understanding is that, for structs, your condition is sufficient: in our current implementation, padding bytes can and do change as the struct gets copied, so rustc cannot rely on padding having a particular value.

[jswrenn]

in our current implementation

Part of why I'm cautious is that I can totally imagine optimizations that are enabled by assuming a particular value. For instance, if you assume all padding of a type T has a particular value, you can speed up equality checks between two instances of T by loading them in their entirety into registers and checking for equality (rather than checking field-by-field).

Making this guarantee will rule out performing that optimization. (That said, I think the benefits of that optimization pale in comparison to the sort of optimizations enabled by zerocopy::FromBytes!)

[RalfJung]

@jswrenn absolutely agreed. That's why I said current implementation. (I added emphasis on that now.)

[comex]

Assuming anything about padding bytes would make it impossible to use MaybeUninit to initialize structs field-by-field, even once raw-pointer-to-field is fixed.

[RalfJung]

See oconnor663/shared_child.rs#17: it would also make it impossible to initialize a struct with mem::zeroed (unless the padding assumption is "all 0").

So indeed I find it hard to imagine that we'd ever rely on padding having a particular value, or being preserved, or anything like that. If you want to be really sure, I'd expect this to be a rather uncontroversial RFC; the main issue is wording this precisely enough.

[jswrenn]

I drafted an RFC around the time I filed this issue, but put it on hold for typelayout. The field-by-field initialization case is especially compelling. I'll make a PR in the next day or so. :)

[oconnor663]

And the key issue with oconnor663/shared_child.rs#17 is that I think a lot of structs in libc can only be initialized with something like mem::zeroed, as far as I can tell, because they have both private fields and no public constructors.

[jswrenn]

@oconnor663 I've added a section about this to my RFC's motivation section and filed an issue on libc documenting the problem: rust-lang/libc#1451

[gnzlbg]

Assuming anything different from C about padding bytes for repr(C) types would make them unusable in C FFI:

let mut x: repr_c_type = c_ffi_fn();
c_ffi_fn2(&mut x);

When passing a repr_c_type value by value from C to Rust the padding bytes might contain anything that C allows them to contain, including undef. When passing a pointer to repr_c_type to C, C can dereference the pointer and write to it, writing anything that C allows to the padding bytes. It can also read from the pointer, which means that padding bytes in the Rust side must have a value that C supports.

AFAICT, this sub-section of the nomicon (https://doc.rust-lang.org/nomicon/ffi.html#interoperability-with-foreign-code) guarantees that repr(C) types, including their padding, are C compatible.

We could tune what values padding type supports as long as doing so does not break the C FFI use case.

[jswrenn]

@gnzlbg I'm convinced that the C FFI guarantees imply that Rust must never assume that padding bytes for #[repr(C)] datatypes have a particular value (and that a new RFC is not necessary for this). AFAIK, types in libc are repr(C), so zeroed initialization is safe.

However, there is still no such guarantee for repr(Rust) types, right?

[RalfJung]

@gnzlbg raised the point that mem::zeroed does not actually guarantee that the returned value has 0s in its padding bytes -- indeed, padding bytes are not preserved when returned from a function, and that includes mem::zeroed.

This still leaves the question of whether it is okay to transmute an all-0 integer slice -- or any integer slice -- to a struct involving padding (assuming the fields themselves are okay with whatever the integer values at their offsets are). Everyone seems to strongly agree that the answer is "yes, when creating a value of struct type you can have any data in the padding". I think the only open question is whether this needs an RFC, and where this should be documented.

Is that an accurate summary of the current status?

---

As pointed out before, for repr(C) struct this likely does not need an RFC because we should follow C rules here. That leaves our own Rust-specific reprs. We basically have two options:

• Permit the compiler to make assumptions about padding. This would have the big advantage of letting us use padding for niches. The big disadvantage is that we have to preserve those bytes on copy then, so we'd have to change the way things compile to LLVM, which could become very tricky.
• Allow any value for padding, and do not preserve padding on copies. This would have the big advantage of being more familiar, and matching our current implementation.

However, even if we end up wanting to use padding as niches, I strongly feel we should make sure that "0" is not considered a niche, to keep mem::zeroed working for such types.