Commit Graph

3106 Commits

Author SHA1 Message Date
Aria Beingessner
378ed259d9 refine the definition of temporal provenance 2022-03-29 20:18:28 -04:00
Aria Beingessner
28576e9c51 mark FIXMES for all the places found that are probably offset_from 2022-03-29 20:18:28 -04:00
Aria Beingessner
5f720fa55e more review fixes to ptr docs 2022-03-29 20:18:28 -04:00
Aria Beingessner
9efcd996d5 Add even more details to top-level pointer docs 2022-03-29 20:18:27 -04:00
Aria Beingessner
7514d760b8 cleanup some of the less terrifying library code 2022-03-29 20:18:27 -04:00
Aria Beingessner
31e1cde4b5 clean up pointer docs 2022-03-29 20:18:27 -04:00
Aria Beingessner
b608df8277 revert changes that cast functions to raw pointers, portability hazard 2022-03-29 20:18:27 -04:00
Aria Beingessner
c7de289e1c Make the stdlib largely conform to strict provenance.
Some things like the unwinders and system APIs are not fully conformant,
this only covers a lot of low-hanging fruit.
2022-03-29 20:18:21 -04:00
Aria Beingessner
5167b6891c Introduce experimental APIs for conforming to "strict provenance".
This patch series examines the question: how bad would it be if we adopted
an extremely strict pointer provenance model that completely banished all
int<->ptr casts.

The key insight to making this approach even *vaguely* pallatable is the

ptr.with_addr(addr) -> ptr

function, which takes a pointer and an address and creates a new pointer
with that address and the provenance of the input pointer. In this way
the "chain of custody" is completely and dynamically restored, making the
model suitable even for dynamic checkers like CHERI and Miri.

This is not a formal model, but lots of the docs discussing the model
have been updated to try to the *concept* of this design in the hopes
that it can be iterated on.
2022-03-29 20:16:34 -04:00
bors
c1230e137b Auto merge of #95249 - HeroicKatora:set-ptr-value, r=dtolnay
Refactor set_ptr_value as with_metadata_of

Replaces `set_ptr_value` (#75091) with methods of reversed argument order:

```rust
impl<T: ?Sized> *mut T {
    pub fn with_metadata_of<U: ?Sized>(self, val: *mut U) -> *mut U;
}

impl<T: ?Sized> *const T {
    pub fn with_metadata_of<U: ?Sized>(self, val: *const U) -> *const U;
}
```

By reversing the arguments we achieve several clarifications:

- The function closely resembles `cast` with an argument to
  initialize the metadata. This is easier to teach and answers a long
  outstanding question that had restricted cast to `Sized` pointee
  targets. See multiples reviews of
  <https://github.com/rust-lang/rust/pull/47631>
- The 'object identity', in the form of provenance, is now preserved
  from the receiver argument to the result. This helps explain the method as
  a builder-style, instead of some kind of setter that would modify
  something in-place. Ensuring that the result has the identity of the
  `self` argument is also beneficial for an intuition of effects.
- An outstanding concern, 'Correct argument type', is avoided by not
  committing to any specific argument type. This is consistent with cast
  which does not require its receiver to be a 'raw address'.

Hopefully the usage examples in `sync/rc.rs` serve as sufficient examples of the style to convince the reader of the readability improvements of this style, when compared to the previous order of arguments.

I want to take the opportunity to motivate inclusion of this method _separate_ from metadata API, separate from `feature(ptr_metadata)`. It does _not_ involve the `Pointee` trait in any form. This may be regarded as a very, very light form that does not commit to any details of the pointee trait, or its associated metadata. There are several use cases for which this is already sufficient and no further inspection of metadata is necessary.

- Storing the coercion of `*mut T` into `*mut dyn Trait` as a way to dynamically cast some an arbitrary instance of the same type to a dyn trait instance. In particular, one can have a field of type `Option<*mut dyn io::Seek>` to memorize if a particular writer is seekable. Then a method `fn(self: &T) -> Option<&dyn Seek>` can be provided, which does _not_ involve the static trait bound `T: Seek`. This makes it possible to create an API that is capable of utilizing seekable streams and non-seekable streams (instead of a possible less efficient manner such as more buffering) through the same entry-point.

- Enabling more generic forms of unsizing for no-`std` smart pointers. Using the stable APIs only few concrete cases are available. One can unsize arrays to `[T]` by `ptr::slice_from_raw_parts` but unsizing a custom smart pointer to, e.g., `dyn Iterator`, `dyn Future`, `dyn Debug`, can't easily be done generically. Exposing `with_metadata_of` would allow smart pointers to offer their own `unsafe` escape hatch with similar parameters where the caller provides the unsized metadata. This is particularly interesting for embedded where `dyn`-trait usage can drastically reduce code size.
2022-03-28 22:47:31 +00:00
Konrad Borowski
12c085a057 Inline u8::is_utf8_char_boundary 2022-03-28 18:37:11 +02:00
Dylan DPC
9412316ac3
Rollup merge of #88375 - joshlf:patch-3, r=dtolnay
Clarify that ManuallyDrop<T> has same layout as T

This PR implements the documentation change under discussion in https://github.com/rust-lang/unsafe-code-guidelines/issues/302. It should not be approved or merged until the discussion there is resolved.
2022-03-28 04:12:09 +02:00
David Tolnay
2ac9efbe95
Debug print char 0 as '\0' rather than '\u{0}' 2022-03-27 04:49:10 -07:00
David Tolnay
333756f1c5
Bump const_ptr_offset stabilization to 1.61 2022-03-26 21:15:16 -07:00
Andreas Molzer
d489ea777d Refactor set_ptr_value as with_metadata_of
By reversing the arguments we achieve several clarifications:

- The function closely resembles `cast` but with an argument to
  initialized the metadata. This is easier to teach and answers an long
  outstanding question that had restricted cast to `Sized` targets
  initially. See multiples reviews of
  <https://github.com/rust-lang/rust/pull/47631>
- The 'object identity', in the form or provenance, is now preserved
  from the call receiver to the result. This helps explain the method as
  a builder-style, instead of some kind of setter that would modify
  something in-place. Ensuring that the result has the identity of the
  `self` argument is also beneficial for an intuition of effects.
- An outstanding concern, 'Correct argument type', is avoided by not
  committing to any specific argument type. This is consistent with cast
  which does not require its receiver to be a raw address.
2022-03-23 19:59:37 +01:00
Dylan DPC
fb3d126458
Rollup merge of #94842 - tspiteri:there-is-no-try, r=Dylan-DPC
Remove unnecessary try_opt for operations that cannot fail

As indicated in the added comments, some operation cannot overflow, so using `try_opt!` for them is unnecessary.
2022-03-11 13:38:39 +01:00
Dylan DPC
cdd6d39ecc
Rollup merge of #94776 - martingms:optimize-escape-default, r=nnethercote
Optimize ascii::escape_default

`ascii::escape_default` showed up as a hot function when compiling `deunicode-1.3.1` in `@nnethercote's` [analysis](https://hackmd.io/mxdn4U58Su-UQXwzOHpHag) of `@lqd's` [rustc-benchmarking-data](https://github.com/lqd/rustc-benchmarking-data).
After taking a look at the generated assembly it looked like a LUT-based approach could be faster for `hexify()`-ing ascii characters, so that's what this PR implements

The patch looks like it provides about a 1-2% improvement in instructions for that particular crate. This should definitely be verified with a perf run as I'm still getting used to the `rustc-perf` tooling and might easily have made an error!
2022-03-11 13:38:37 +01:00
Trevor Spiteri
ed10356d52 remove unnecessary try_opt for operations that cannot fail 2022-03-11 11:07:45 +01:00
Dylan DPC
6d66020594
Rollup merge of #94765 - m-ou-se:is-some-and, r=Dylan-DPC
Rename is_{some,ok,err}_with to is_{some,ok,err}_and.

This renames `is_{some,ok,err}_with` to `is_{some,ok,err}_and`. This was discussed on the [tracking issue](https://github.com/rust-lang/rust/issues/93050).
2022-03-11 03:32:04 +01:00
Dylan DPC
d58c69ae96
Rollup merge of #93293 - nvzqz:nonzero-min-max, r=joshtriplett
Implement `MIN`/`MAX` constants for non-zero integers

This adds the associated [`MIN`](https://doc.rust-lang.org/stable/std/primitive.usize.html#associatedconstant.MIN)/[`MAX`](https://doc.rust-lang.org/stable/std/primitive.usize.html#associatedconstant.MAX) constants to `NonZero{U,I}{8,16,32,64,128,size}`, requested in #89065.

This reimplements #89077 due that PR being stagnant for 4 months. I am fine with closing this in favor of that one if the author revisits it. If so, I'd like to see that PR have the docs link to the `$Int`'s constants.
2022-03-11 03:32:02 +01:00
Nikolai Vazquez
ecb7927050 Move note about 0 gap to signed integers
Was accidentally placed on unsigned integers, where it is not relevant.
2022-03-10 17:52:48 -05:00
Dylan DPC
3979e150cc
Rollup merge of #94790 - RalfJung:portable-simd-miri, r=Dylan-DPC
enable portable-simd doctests in Miri

With https://github.com/rust-lang/miri/pull/2013 we shouldn't need to disable these tests any more. :)
2022-03-10 23:13:01 +01:00
Dylan DPC
5a7f09d9a3
Rollup merge of #93950 - T-O-R-U-S:use-modern-formatting-for-format!-macros, r=Mark-Simulacrum
Use modern formatting for format! macros

This updates the standard library's documentation to use the new format_args syntax.
The documentation is worthwhile to update as it should be more idiomatic
(particularly for features like this, which are nice for users to get acquainted
with). The general codebase is likely more hassle than benefit to update: it'll
hurt git blame, and generally updates can be done by folks updating the code if
(and when) that makes things more readable with the new format.

A few places in the compiler and library code are updated (mostly just due to
already having been done when this commit was first authored).

`eprintln!("{}", e)` becomes `eprintln!("{e}")`, but `eprintln!("{}", e.kind())` remains untouched.
2022-03-10 23:12:57 +01:00
Matthias Krüger
b5127202b2
Rollup merge of #94587 - JKAnderson409:issue-90107-fix, r=scottmcm
Document new recommended use of `FromIterator::from_iter`

#90107
Most of the added prose was paraphrased from the links provided in the issue. The suggested `VecDeque` example seemed to make the point well enough so I just used that.
2022-03-10 19:00:06 +01:00
T-O-R-U-S
72a25d05bf Use implicit capture syntax in format_args
This updates the standard library's documentation to use the new syntax. The
documentation is worthwhile to update as it should be more idiomatic
(particularly for features like this, which are nice for users to get acquainted
with). The general codebase is likely more hassle than benefit to update: it'll
hurt git blame, and generally updates can be done by folks updating the code if
(and when) that makes things more readable with the new format.

A few places in the compiler and library code are updated (mostly just due to
already having been done when this commit was first authored).
2022-03-10 10:23:40 -05:00
Martin Gammelsæter
c62ab422d0 Inline <EscapeDefault as Iterator>::next 2022-03-10 15:35:22 +01:00
Matthias Krüger
e7281d08de
Rollup merge of #94746 - notriddle:notriddle/method-rustc-on-unimplemented, r=davidtwco
diagnostics: use rustc_on_unimplemented to recommend `[].iter()`

To make this work, the `#[rustc_on_unimplemented]` data needs to be used to
report method resolution errors, which is most of what this commit does.

Fixes #94581
2022-03-10 12:20:53 +01:00
Matthias Krüger
fe034cb43b
Rollup merge of #94657 - fee1-dead:const_slice_index, r=oli-obk
Constify `Index{,Mut}` for `[T]`, `str`, and `[T; N]`

Several panic functions were rewired (via `const_eval_select`) to simpler implementations that do not require formatting for compile-time usage.

r? ```@oli-obk```
2022-03-10 12:20:52 +01:00
Matthias Krüger
313a668234
Rollup merge of #94635 - jhpratt:merge-deprecated-attrs, r=davidtwco
Merge `#[deprecated]` and `#[rustc_deprecated]`

The first commit makes "reason" an alias for "note" in `#[rustc_deprecated]`, while still prohibiting it in `#[deprecated]`.

The second commit changes "suggestion" to not just be a feature of `#[rustc_deprecated]`. This is placed behind the new `deprecated_suggestion` feature. This needs a tracking issue; let me know if this PR will be approved and I can create one.

The third commit is what permits `#[deprecated]` to be used when `#![feature(staged_api)]` is enabled. This isn't yet used in stdlib (only tests), as it would require duplicating all deprecation attributes until a bootstrap occurs. I intend to submit a follow-up PR that replaces all uses and removes the remaining `#[rustc_deprecated]` code after the next bootstrap.

`@rustbot` label +T-libs-api +C-feature-request +A-attributes +S-waiting-on-review
2022-03-10 12:20:51 +01:00
Ralf Jung
29d979fb3c enable portable-simd doctests in Miri 2022-03-09 19:31:25 -05:00
Matthias Krüger
d5c05fcc8a
Rollup merge of #93057 - frengor:iter_collect_into, r=m-ou-se
Add Iterator::collect_into

This PR adds `Iterator::collect_into` as proposed by ``@cormacrelf`` in #48597 (see https://github.com/rust-lang/rust/pull/48597#issuecomment-842083688).
Followup of #92982.

This adds the following method to the Iterator trait:

```rust
fn collect_into<E: Extend<Self::Item>>(self, collection: &mut E) -> &mut E
```
2022-03-09 23:14:11 +01:00
Matthias Krüger
2567d0f883
Rollup merge of #92541 - asquared31415:from-docs, r=m-ou-se
Mention intent of `From` trait in its docs

This pr is a docs modification to add to the documentation of the `From` trait a note about its intent as a perfect conversion.  This is already stated in the `TryFrom` docs so this is simply adding that information in a more visible way.
2022-03-09 23:14:10 +01:00
Matthias Krüger
c0259626b6
Rollup merge of #91804 - woppopo:const_clone, r=oli-obk
Make some `Clone` impls `const`

Tracking issue: #91805
`Clone::clone_from` and some impls (Option, Result) bounded on `~const Drop`.

```rust
// core::clone
impl const Clone for INTEGER
impl const Clone for FLOAT
impl const Clone for bool
impl const Clone for char
impl const Clone for !
impl<T: ?Sized> const Clone for *const T
impl<T: ?Sized> const Clone for *mut T
impl<T: ?Sized> const Clone for &T

// core::option
impl<T> const Clone for Option<T>
where
    T: ~const Clone + ~const Drop

// core::result
impl<T, E> const Clone for Result<T, E>
where
    T: ~const Clone + ~const Drop,
    E: ~const Clone + ~const Drop,

// core::convert
impl const Clone for Infallible

// core::ptr
impl<T: ?Sized> const Clone for NonNull<T>
impl<T: ?Sized> const Clone for Unique<T>
```
2022-03-09 23:14:09 +01:00
Jacob Pratt
5636655d0f
New deprecated_suggestion feature, use in tests 2022-03-09 16:32:47 -05:00
Martin Gammelsæter
7f4f4fc34c Use indexing instead of .get_unchecked() for LUT lookup
Based on @paolobarbolini's tip that the unsafe block was unnecessary in
this case.

Not much left of `hexify()` after this, so seemed clearer to just inline
it.
2022-03-09 22:21:35 +01:00
fren_gor
63eddb3e68
Add tracking issue 2022-03-09 21:12:07 +01:00
Michael Howell
32d7f8145a diagnostics: use rustc_on_unimplemented to recommend [].iter()
To make this work, the `#[rustc_on_unimplemented]` data needs to be used to
report method resolution errors, which is most of what this commit does.

Fixes #94581
2022-03-09 09:52:55 -07:00
Martin Gammelsæter
876142417c Optimize ascii::escape_default by using a digit LUT 2022-03-09 17:10:34 +01:00
Mara Bos
7c7411fb5d Rename is_{some,ok,err}_with to is_{some,ok,err}_and. 2022-03-09 11:20:36 +01:00
Dylan DPC
ff54e34463
Rollup merge of #94723 - dtolnay:mustuse, r=Mark-Simulacrum
Add core::hint::must_use

The example code in this documentation is minimized from a real-world situation in the `anyhow` crate where this function would have been valuable.

Having this provided by the standard library is especially useful for proc macros, even more than for macro_rules. That's because proc macro crates aren't allowed to export anything other than macros, so they couldn't make their own `must_use` function for their macro-generated code to call.

<br>

## Rendered documentation

> An identity function that causes an `unused_must_use` warning to be triggered if the given value is not used (returned, stored in a variable, etc) by the caller.
>
> This is primarily intended for use in macro-generated code, in which a [`#[must_use]` attribute][must_use] either on a type or a function would not be convenient.
>
> [must_use]: https://doc.rust-lang.org/reference/attributes/diagnostics.html#the-must_use-attribute
>
> ### Example
>
> ```rust
> #![feature(hint_must_use)]
>
> use core::fmt;
>
> pub struct Error(/* ... */);
>
> #[macro_export]
> macro_rules! make_error {
>     ($($args:expr),*) => {
>         core::hint::must_use({
>             let error = $crate::make_error(core::format_args!($($args),*));
>             error
>         })
>     };
> }
>
> // Implementation detail of make_error! macro.
> #[doc(hidden)]
> pub fn make_error(args: fmt::Arguments<'_>) -> Error {
>     Error(/* ... */)
> }
>
> fn demo() -> Option<Error> {
>     if true {
>         // Oops, meant to write `return Some(make_error!("..."));`
>         Some(make_error!("..."));
>     }
>     None
> }
> ```
>
> In the above example, we'd like an `unused_must_use` lint to apply to the value created by `make_error!`. However, neither `#[must_use]` on a struct nor `#[must_use]` on a function is appropriate here, so the macro expands using `core::hint::must_use` instead.
>
> - We wouldn't want `#[must_use]` on the `struct Error` because that would make the following unproblematic code trigger a warning:
>
>   ```rust
>   fn f(arg: &str) -> Result<(), Error>
>
>   #[test]
>   fn t() {
>       // Assert that `f` returns error if passed an empty string.
>       // A value of type `Error` is unused here but that's not a problem.
>       f("").unwrap_err();
>   }
>   ```
>
> - Using `#[must_use]` on `fn make_error` can't help because the return value *is* used, as the right-hand side of a `let` statement. The `let` statement looks useless but is in fact necessary for ensuring that temporaries within the `format_args` expansion are not kept alive past the creation of the `Error`, as keeping them alive past that point can cause autotrait issues in async code:
>
>   ```rust
>   async fn f() {
>       // Using `let` inside the make_error expansion causes temporaries like
>       // `unsync()` to drop at the semicolon of that `let` statement, which
>       // is prior to the await point. They would otherwise stay around until
>       // the semicolon on *this* statement, which is after the await point,
>       // and the enclosing Future would not implement Send.
>       log(make_error!("look: {:p}", unsync())).await;
>   }
>
>   async fn log(error: Error) {/* ... */}
>
>   // Returns something without a Sync impl.
>   fn unsync() -> *const () {
>       0 as *const ()
>   }
>   ```
2022-03-08 22:43:59 +01:00
David Tolnay
b2473e988f
Add core::hint::must_use 2022-03-08 10:58:03 -08:00
Matthias Krüger
aec535f805
Rollup merge of #94559 - m-ou-se:thread-scope-spawn-closure-without-arg, r=Mark-Simulacrum
Remove argument from closure in thread::Scope::spawn.

This implements ```@danielhenrymantilla's``` [suggestion](https://github.com/rust-lang/rust/issues/93203#issuecomment-1040798286) for improving the scoped threads interface.

Summary:

The `Scope` type gets an extra lifetime argument, which represents basically its own lifetime that will be used in `&'scope Scope<'scope, 'env>`:

```diff
- pub struct Scope<'env> { .. };
+ pub struct Scope<'scope, 'env: 'scope> { .. }

  pub fn scope<'env, F, T>(f: F) -> T
  where
-     F: FnOnce(&Scope<'env>) -> T;
+     F: for<'scope> FnOnce(&'scope Scope<'scope, 'env>) -> T;
```

This simplifies the `spawn` function, which now no longer passes an argument to the closure you give it, and now uses the `'scope` lifetime for everything:

```diff
-     pub fn spawn<'scope, F, T>(&'scope self, f: F) -> ScopedJoinHandle<'scope, T>
+     pub fn spawn<F, T>(&'scope self, f: F) -> ScopedJoinHandle<'scope, T>
      where
-         F: FnOnce(&Scope<'env>) -> T + Send + 'env,
+         F: FnOnce() -> T + Send + 'scope,
-         T: Send + 'env;
+         T: Send + 'scope;
```

The only difference the user will notice, is that their closure now takes no arguments anymore, even when spawning threads from spawned threads:

```diff
  thread::scope(|s| {
-     s.spawn(|_| {
+     s.spawn(|| {
          ...
      });
-     s.spawn(|s| {
+     s.spawn(|| {
          ...
-         s.spawn(|_| ...);
+         s.spawn(|| ...);
      });
  });
```

<details><summary>And, as a bonus, errors get <em>slightly</em> better because now any lifetime issues point to the outermost <code>s</code> (since there is only one <code>s</code>), rather than the innermost <code>s</code>, making it clear that the lifetime lasts for the entire <code>thread::scope</code>.

</summary>

```diff
  error[E0373]: closure may outlive the current function, but it borrows `a`, which is owned by the current function
   --> src/main.rs:9:21
    |
- 7 |         s.spawn(|s| {
-   |                  - has type `&Scope<'1>`
+ 6 |     thread::scope(|s| {
+   |                    - lifetime `'1` appears in the type of `s`
  9 |             s.spawn(|| println!("{:?}", a)); // might run after `a` is dropped
    |                     ^^                  - `a` is borrowed here
    |                     |
    |                     may outlive borrowed value `a`
    |
  note: function requires argument type to outlive `'1`
   --> src/main.rs:9:13
    |
  9 |             s.spawn(|| println!("{:?}", a)); // might run after `a` is dropped
    |             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  help: to force the closure to take ownership of `a` (and any other referenced variables), use the `move` keyword
    |
  9 |             s.spawn(move || println!("{:?}", a)); // might run after `a` is dropped
    |                     ++++
"
```
</details>

The downside is that the signature of `scope` and `Scope` gets slightly more complex, but in most cases the user wouldn't need to write those, as they just use the argument provided by `thread::scope` without having to name its type.

Another downside is that this does not work nicely in Rust 2015 and Rust 2018, since in those editions, `s` would be captured by reference and not by copy. In those editions, the user would need to use `move ||` to capture `s` by copy. (Which is what the compiler suggests in the error.)
2022-03-08 11:04:51 +01:00
Matthias Krüger
e22331ce02
Rollup merge of #92385 - clarfonthey:const_option, r=fee1-dead
Add Result::{ok, err, and, or, unwrap_or} as const

Already opened tracking issue #92384.

I don't think that this should actually cause any issues as long as the constness is unstable, but we may want to double-check that this doesn't get interpreted as a weird `Drop` bound even for non-const usages.
2022-03-08 11:04:50 +01:00
Eric Holk
8700b45b67 Stabilize const_impl_trait as well 2022-03-07 08:47:18 -08:00
Eric Holk
7723506d13 Stabilize const_fn_fn_ptr_basics and const_fn_trait_bound 2022-03-07 08:47:15 -08:00
Matthias Krüger
e8f38a03b5
Rollup merge of #94671 - csmoe:pin-typo, r=m-ou-se
fix pin doc typo

r? `@m-ou-se`
2022-03-06 19:08:38 +01:00
csmoe
bf089331b4 fix pin doc typo 2022-03-06 21:40:30 +08:00
Deadbeef
4654a91001
Constify slice index for strings 2022-03-06 17:28:50 +11:00
Gentoli
62a65945b7
doc: Iterator::partition use partial type hints 2022-03-05 19:40:40 -05:00
Dylan DPC
a3fe63e9fe
Rollup merge of #94620 - pierwill:partialord-constistency, r=yaahc
Edit docs on consistency of `PartialOrd` and `PartialEq`

Use ordered list to make the information about implementations more readable.
2022-03-05 04:46:38 +01:00