mem::zeroed docs should be more explicit about the dangers of invalid values #46096
Labels
A-docs
Area: Documentation for any part of the project, including the compiler, standard library, and tools
C-enhancement
Category: An issue proposing an enhancement or a PR with one.
E-medium
Call for participation: Medium difficulty. Experience needed to fix: Intermediate.
P-medium
Medium priority
Comments
kennytm
added
C-enhancement
|
Forgot to mention: Motivation for opening this issue was #46089 |
steveklabnik
added
the
E-medium
|
@steveklabnik @rkruppe I am not sure when the original docs got changed but they seem to be improved! They also make a mention of MaybeUninit. I think we can close this issue now if you agree! |
|
Yeah, this can be closed now, thanks! |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
This function is sometimes perceived as "more safe" than
mem::uninitializedfor arbitrary types. For types where the all-zero bit pattern is invalid, however, it is only more safe in that the run-time consequences of the UB are likely a bit less exploitable.While the docs do warn that it can produce invalid values, this is put in the context of "dropping those invalid values is UB". At least some of the other ways in which invalid values can cause UB should be mentioned. There's a reference to
mem::uninitializedfor "similar caveats", but it's tricky to apply the wording there (talking about uninitialized data) to invalid values.Ideally I'd like to say creating invalid values is UB, period (the Nomicon already says so, and it matches
mem::uninitializedbeing slated for deprecation) but that's of course a rather drastic measure. At minimum, there should be a hint that various ways of reading the value (matching on it, putting it in an enum, printing it) are UB with invalid values.The text was updated successfully, but these errors were encountered: