Canvas unsafe code in the wild

RalfJung · 2017-06-13 01:20:08 UTC

You are saying that for the same trait, the offset in Rc<Trait> can differ? Wow, I did not realize that is possible. Thanks for pointing it out!

nikomatsakis · 2017-06-13 01:24:40 UTC

In the compiler sprint, we felt that it would be possible, but using a union to account for the ‘maybe uninitialized’ nature of the data (that is, you could cast your &[u8] into a &[Uninit<u8>], where union Uninit<T> { init: T, uninit: () } (or something like that).

nikomatsakis · 2017-06-15 00:52:58 UTC

30 posts were split to a new topic: Role of UB / uninitialized memory

briansmith · 2017-06-15 08:18:48 UTC

In ring, we sometimes need to treat a &[u64] slice as a &[u32] slice and/or a &[u8] slice. We use unsafe to do this, but we would prefer it to be built into libcore or the language instead.
For various reasons we benefit from converting a slice &[u8] to an array reference &[u8; n] after verifying that the slice has n elements, which requires us to use unsafe. This is another thing that we think should be built-in to the language and/or standard library instead.

We keep our hacks for things that should be built-in in one module:

github.com

briansmith/ring/blob/master/src/polyfill.rs

// Copyright 2015-2016 Brian Smith.
//
// Permission to use, copy, modify, and/or distribute this software for any
// purpose with or without fee is hereby granted, provided that the above
// copyright notice and this permission notice appear in all copies.
//
// THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHORS DISCLAIM ALL WARRANTIES
// WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
// MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHORS BE LIABLE FOR ANY
// SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
// WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION
// OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN
// CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.

//! Polyfills for functionality that will (hopefully) be added to Rust's
//! standard library soon.

use core;

// A better name for the `&*` idiom for removing the mutability from a

This file has been truncated. show original

newpavlov · 2017-06-15 10:07:37 UTC

Almost the same thing mentioned by Brian is done in the RustCrypto too. This code is stored in the separate crate called byte-tools. Essentially it’s a specialized version of byteorder without generic capabilities and with operations on slices.

I agree with Brian and think that such tools must be included in the standard library.