Skip to content

Unpin references #51935

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Jul 4, 2018
Merged

Unpin references #51935

merged 2 commits into from
Jul 4, 2018

Conversation

cramertj
Copy link
Member

I also considered adding an impl for raw pointers as well, but that makes it easy to accidentally have unsound owning-collections that might otherwise be able to project pinned-ness (e.g. Box).

cc @RalfJung

r? @withoutboats

cramertj added 2 commits June 29, 2018 19:31
@cramertj
Implement Unpin for references
2ce61c0 
These don'town the backing storage for their data,
so projecting `PinMut` into their fields is already unsound.
@cramertj
Make Waker and LocalWaker Unpin
a2b21e5 
These types never project pinned-ness into their contents,
so it is safe for them to be `Unpin`.
@rust-highfive rust-highfive added the S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. label Jun 30, 2018
@withoutboats
Copy link
Contributor

@bors r+

I agree

@bors
Copy link
Collaborator

bors commented Jul 3, 2018

📌 Commit a2b21e5 has been approved by withoutboats

@bors bors added S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion. and removed S-waiting-on-review Status: Awaiting review from the assignee but also interested parties. labels Jul 3, 2018
@withoutboats
Copy link
Contributor

withoutboats commented Jul 3, 2018
edited
Loading

I am fairly dubious of any data structure that would claim to safely project through raw pointers; I suppose you could create an adequate API but it seems suspicious to claim to pin project through a pointer. So I wouldn't mind the raw pointers impls either.

But I also think its fine to not have them, maybe better, just to make people implementing data structures actually think about it.

@RalfJung
Copy link
Member

RalfJung commented Jul 3, 2018
edited
Loading

LGTM (the reference part, I don't know Waker). I also agree raw pointers shouldn't be Unpin, just like they are not Send/Sync -- to make people think about it.

The relevant property here is that from a PinMut<&mut T> we cannot get a PinMut<T>, and similar with Pin and shared references. This makes the impl Unpin safe.

Note that this would be implementable fairly easily using map_unchecked. How high do we think the risk is that someone does this?

@cramertj
Copy link
Member Author

cramertj commented Jul 3, 2018

@RalfJung

Note that this would be implementable fairly easily using map_unchecked. How high do we think the risk is that someone does this?

Pretty high, unfortunately-- @aturon already did it once ;). I think this might be worth explicitly noting in the docs of map_unchecked. I also think we can prevent this by offering less footgun-y ways to project PinMut than map_unchecked-- we've started using unsafe_pinned!(fieldname -> FieldType); macros to generate projection-mapping methods in futures-rs, and that has worked well to ferret out a lot of the hard-to-analyze unsafe bits.

@RalfJung
Copy link
Member

RalfJung commented Jul 3, 2018

Might it be a good idea to have a macro in libstd that generates a map_unchecked which is guaranteed to not deref (if that's possible... it would have to avoid auto-deref)? That'd still be unsafe but less so. (I imagine unsafe_pinned! is something like that.)

Then we could add big fat warnings in the map_unchecked docs to use that macro instead, and if that does not work, triple-check if what one wants to do is safe.

@cramertj
Copy link
Member Author

cramertj commented Jul 3, 2018

@RalfJung I could also imagine adding a clippy lint against a deref inside of a map_unchecked impl.

@bors
Copy link
Collaborator

bors commented Jul 4, 2018

⌛ Testing commit a2b21e5 with merge a22bcd8...

bors added a commit that referenced this pull request Jul 4, 2018
@bors
Auto merge of #51935 - cramertj:unpin-references, r=withoutboats
a22bcd8 
Unpin references

I also considered adding an impl for raw pointers as well, but that makes it easy to accidentally have unsound owning-collections that might otherwise be able to project pinned-ness (e.g. `Box`).

cc @RalfJung

r? @withoutboats
@bors
Copy link
Collaborator

bors commented Jul 4, 2018

☀️ Test successful - status-appveyor, status-travis
Approved by: withoutboats
Pushing a22bcd8 to master...

@bors bors merged commit a2b21e5 into rust-lang:master Jul 4, 2018
@cramertj cramertj deleted the unpin-references branch July 9, 2018 22:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees

@withoutboats withoutboats

Labels
S-waiting-on-bors Status: Waiting on bors to run and complete tests. Bors will change the label on completion.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@cramertj @withoutboats @bors @RalfJung @rust-highfive