You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
We believe it may be sound to eliminate our NoCell requirements on methods that consume exclusive references, such as FromBytes::mut_from and transmute_mut!. Our reasoning for this is that NoCell guards against the risk of data races (two references to the same memory cannot be concurrently mutated with different synchronization strategies), but exclusivity also prevents data races (because there is only one active reference to that memory).
We're looking for assurance that this reasoning is correct in rust-lang/unsafe-code-guidelines#495. Once we have that, we can proceed with implementation.
In the simplest case, transmute_mut, removing the NoCell bound is as simple as removing the NoCell bound (#1049). However, for our APIs that build atop our internal abstractions, removing NoCell bounds is trickier. Our approach here falls into two categories:
encode our datarace-related reasoning into the type system
We call this data-race reasoning "Cell Safety", and encode this reasoning into the type system with a trait called CellSafe. The CellSafe trait encodes the justification for why a combination of pointer invariants means a data race cannot occur: 1421250#diff-c84b1c1033a8a168bf891d71b31d02bad91617845f66de445f96c820a6b2bfb9
This technique allows us to avoid providing two sets of methods, each with a different cell safety reason; i.e., one that consumes an exclusive pointer, and another that consumes a shared pointer but has a NoCell bound. In #1026 we apply this approach to parameterizing TryFromBytes::is_bit_valid.
reacted with thumbs up emoji reacted with thumbs down emoji reacted with laugh emoji reacted with hooray emoji reacted with confused emoji reacted with heart emoji reacted with rocket emoji reacted with eyes emoji
-
We believe it may be sound to eliminate our
NoCellrequirements on methods that consume exclusive references, such asFromBytes::mut_fromandtransmute_mut!. Our reasoning for this is thatNoCellguards against the risk of data races (two references to the same memory cannot be concurrently mutated with different synchronization strategies), but exclusivity also prevents data races (because there is only one active reference to that memory).We're looking for assurance that this reasoning is correct in rust-lang/unsafe-code-guidelines#495. Once we have that, we can proceed with implementation.
In the simplest case,
transmute_mut, removing theNoCellbound is as simple as removing theNoCellbound (#1049). However, for our APIs that build atop our internal abstractions, removingNoCellbounds is trickier. Our approach here falls into two categories:Ptr::cast_unsized#999)We call this data-race reasoning "Cell Safety", and encode this reasoning into the type system with a trait called
CellSafe. TheCellSafetrait encodes the justification for why a combination of pointer invariants means a data race cannot occur: 1421250#diff-c84b1c1033a8a168bf891d71b31d02bad91617845f66de445f96c820a6b2bfb9This technique allows us to avoid providing two sets of methods, each with a different cell safety reason; i.e., one that consumes an exclusive pointer, and another that consumes a shared pointer but has a
NoCellbound. In #1026 we apply this approach to parameterizingTryFromBytes::is_bit_valid.Beta Was this translation helpful? Give feedback.
All reactions