Since SystemTime is opaque there is no way to check if the result
of an addition will be in bounds. That makes the Add<Duration>
trait completely unusable with untrusted data. This is a big problem
because adding a Duration to UNIX_EPOCH is the standard way of
constructing a SystemTime from a unix timestamp.
This commit implements checked_add_duration(&self, &Duration) -> Option<SystemTime>
for std::time::SystemTime and as a prerequisite also for all platform
specific time structs. This also led to the refactoring of many
add_duration(&self, &Duration) -> SystemTime functions to avoid
redundancy (they now unwrap the result of checked_add_duration).
Some basic unit tests for the newly introduced function were added
too.
Rollup of 12 pull requests
Successful merges:
- #54885 (Don't lint 'unused_parens` on `if (break _) { .. }`)
- #55205 (Improve a few cases of collecting to an FxHash(Map/Set))
- #55450 (msp430: remove the whole Atomic* API)
- #55459 (Add UI test for #49296)
- #55472 (Use opt.take() instead of mem::replace(opt, None))
- #55473 (Take advantage of impl Iterator in (transitive/elaborate)_bounds)
- #55474 (Fix validation false positive)
- #55476 (Change a flat_map with 0/1-element vecs to a filter_map)
- #55487 (Adjust Ids of path segments in visibility modifiers)
- #55493 (Doc fixes)
- #55494 (borrowck=migrate must look at parents of closures)
- #55496 (Update clippy)
Failed merges:
r? @ghost
borrowck=migrate must look at parents of closures
This fixes the NLL migration mode (which is the default with edition=2018) to inspect all parents of a closure in addition to the closure itself when looking to see if AST-borrowck issues an error for the given code.
This should be a candidate for beta backport.
Fix#55492
Take advantage of impl Iterator in (transitive/elaborate)_bounds
Other than for `debug!`ging purposes, `bounds` are only iterated over, so they don't need to be collected into vectors.
msp430: remove the whole Atomic* API
PR #51953 enabled the Atomic*.{load,store} API on MSP430. Unfortunately,
the LLVM backend doesn't currently support those atomic operations, so this
commit removes the API and leaves instructions on how and when to enable it
in the future.
the second fixes compiling liballoc for msp430
closes#54511
r? @alexcrichton
cc @chernomor @awygle @cr1901 @pftbest
Rollup of 9 pull requests
Successful merges:
- #54965 (update tcp stream documentation)
- #55269 (fix typos in various places)
- #55384 (Avoid unnecessary allocations in `float_lit` and `integer_lit`.)
- #55423 (back out bogus `Ok`-wrapping suggestion on `?` arm type mismatch)
- #55426 (Make a bunch of trivial methods of NonNull be `#[inline]`)
- #55438 (Avoid directly catching BaseException in bootstrap configure script)
- #55439 (Remove unused sys import from generate-deriving-span-tests)
- #55440 (Remove unreachable code in hasClass function in Rustdoc)
- #55447 (Fix invalid path in generate-deriving-span-tests.py.)
Failed merges:
r? @ghost
Make a bunch of trivial methods of NonNull be `#[inline]`
I was seeing super trivial methods not getting inlined in some of my builds, so I went ahead and just marked all the methods inline where it seemed appropriate.
r? @SimonSapin
back out bogus `Ok`-wrapping suggestion on `?` arm type mismatch
This suggestion was introduced in #51938 / 6cc78bf8d7 (while introducing different language for type errors coming from `?` rather than a `match`), but it has a lot of false-positives, and incorrect suggestions carry more badness than marginal good suggestions do goodness. I regret not doing this earlier. 😞Resolves#52537, resolves#54578.
r? @estebank
Avoid unnecessary allocations in `float_lit` and `integer_lit`.
This commit avoids an allocation when parsing any float and integer
literals that don't involved underscores.
This reduces the number of allocations done for the `tuple-stress`
benchmark by 10%, reducing its instruction count by just under 1%.
miri engine: Stacked Borrows NG
For more refined tracking in miri, we do return untagged pointers from the memory abstraction after allocations and let the caller decide how to tag these.
Also refactor the `tag_(de)reference` hooks so they can be more easily called in the ref-to-place and place-to-ref methods, and reorder things in validation: validation calls ref-to-place which (when running in miri) triggers some checks, so we want to run it rather late and catch other problems first. We also do not need to redundantly check the ref to be allocated any more, the checks miri does anyway imply thath.
r? @oli-obk
Unchecked thread spawning
# Summary
Add an unsafe interface for spawning lifetime-unrestricted threads for
library authors to build less-contrived, less-hacky safe abstractions
on.
# Motivation
So a few years back scoped threads were entirely removed from the Rust
stdlib, the reason being that it was possible to leak the scoped thread's
join guards without resorting to unsafe code, which meant the concept
was not completely safe, either.
Only a maximally-restrictive safe API for thread spawning was kept in the
stdlib, that requires `'static` lifetime bounds on both the thread closure
and its return type.
A number of 3rd party libraries sprung up to offer their implementations
for safe scoped threads implementations.
These work by essentially hiding the join guards from the user, thus
forcing them to join at the end of an (internal) function scope.
However, since these libraries have to use the maximally restrictive
thread spawning API, they have to resort to some very contrived manipulations
and subversions of Rust's type system to basically achieve what this commit does
with some minimal restructuring of the current code and exposing a new unsafe
function signature for spawning threads without lifetime restrictions.
Obviously this is unsafe, but its main use would be to allow library authors
to write safe abstractions with and around it.
To further illustrate my point, here's a quick summary of the hoops that,
for instance `crossbeam`, has to jump through to spawn a lifetime unrestricted
thread, all of which would not be necessary if an unsafe API existed as part
of the stdlib:
1. Allocate an `Arc<Option<T>>` on the heap where the result with type
`T: 'a` will go (in practice requires `Mutex` or `UnsafeCell` as well).
2. Wrap the desired thread closure with lifetime bound `'a` into another
closure (also `..: 'a`) that returns `()`, executes the inner closure and
writes its result into the pre-allocated `Option<T>`.
3. Box the wrapping closure, cast it to a trait object (`FnBox`) and
(unsafely) transmute its lifetime bound from `'a` to `'static`.
So while this new `spawn_unchecked` function is certainly not very relevant
for general use, since scoped threads are so common I think it makes sense
to expose an interface for libraries implementing these to build on.
The changes implemented are also very minimal: The current `spawn` function
(which internally contains unsafe code) is moved into an unsafe `spawn_unchecked`
function, which the safe function then wraps around.
# Issues
- ~~so far, no documentation for the new function (yet)~~
- the name of the function might be controversial, as `*_unchecked` more commonly
indicates that some sort of runtime check is omitted (`unrestricted` may be
more fitting)
- if accepted, it might make sense to add a freestanding `thread::spawn_unchecked`
function similar to the current `thread::spawn` for convenience.
Delayed CTFE backtraces
This renames the env var that controls CTFE backtraces from `MIRI_BACKTRACE` to `RUST_CTFE_BACKTRACE` so that we can use `MIRI_BACKTRACE` in the miri tool to only show backtraces of the main miri execution.
It also makes `RUST_CTFE_BACKTRACE` only show backtraces that actually get rendered as errors, instead of showing them eagerly when the `Err` happens. The current behavior is near useless in miri because it shows about one gazillion backtraces for errors that we later catch and do not care about. However, @oli-obk likes the current behavior for rustc CTFE work so it is still available via `RUST_CTFE_BACKTRACE=immediate`.
NOTE: This is based on top of https://github.com/rust-lang/rust/pull/53821. Only [the last three commits](https://github.com/oli-obk/rust/compare/sanity_query...RalfJung:ctfe-backtrace) are new.
Fixes https://github.com/rust-lang/rust/issues/53355
PR #51953 enabled the Atomic*.{load,store} API on MSP430. Unfortunately, the
LLVM backend doesn't currently support those atomic operations, so this commit
removes the API and leaves instructions on how and when to enable it in the
future.