So, after numerous attempts, we wound up falling back to IRC. How shall we talk in the future? IRC is not that bad, but it’s also got some limitations.
In any case, here are some vague notes in an etherpad. We discussed the fate of the rust-memory-model repository. I think the consensus was that we should move towards a set of executable .rs tests (with a main() function) that demonstrate UB or lack thereof for various patterns. Each test would have copious comments and be organized in some sensible and TBD way.
I proposed toward the end that we should try to get started by attempting to canvas “real world” unsafe code in the wild. It seemed that there was general agreement. Therefore, I plan to try to assign to each participant (and anyone else who wants!) a crate or two to look at. There are some notes in the etherpad about what to look for, but here they are reproduced (and any additional comments would be fine):
- Things to watch out for:
- “escaping” – e.g. functions like
fn foo(x: &u32) { .. }, where the memory at*xis somehow used afterfooreturns - aliasing between raw pointers and references – e.g., a
*mut u32and&mut u32both pointing at same memory, used in intermingled ways - new capabilities that could not be modeled in safe code (e.g., mutex, rayon)
- hidden assumptions in unsafe code (e.g., rayon assumes dtors of local variables execute)
- type-based aliasing violations
- “too strong” types – as in RefCell, declaring a
&Twhen in fact the value is not always safe to use for the lifetime - “uninitialized memory” – how does it get used?
- transmutes of all kinds
- “escaping” – e.g. functions like
The idea would be to gather up notes and then meet to discuss what we found. I think this could be helpful in terms of helping us to restructure the repo too.
Thanks everyone! When should we meet again? This time slot isn’t great for me as a repeating thing (it overlaps with a regular meeting I have), but maybe we could do something somewhat earlier? Also, how frequently should we meet?