Raw pointer field projection

JeffBurdges · February 28, 2021, 7:55pm

If you have a raw pointer to a struct like *mut Range<_>, such as one might obtain from MaybeUininit::<Range<_>>::as_mut_ptr then we incur an unsafe operations when projecting from the raw pointer to a field:

unsafe fn partial_default(self: &mut MaybeUninit<Self>) {
    let self = self.as_mut_ptr();
    let start = 0;
    let start_ptr = unsafe { &mut (*self).start as *mut T };  // Maybe avoidable unsafe?
    unsafe { core::ptr::write(start_ptr,start) };  // Unavoidable unsafe
}

Are there proc macro that facilitate this? Should rustc provide an easier method somehow? Could self.start be given type *mut T here? Or is projection too risky somehow?

I noticed this in one of the optional fields discussions.

matt1985 · February 28, 2021, 8:17pm

Can't help you with avoiding unsafe, but I have some criticisms of the code you wrote here.

let self = unsafe { self.assume_init_mut() }

https://doc.rust-lang.org/std/mem/union.MaybeUninit.html#method.assume_init_mut

Calling this when the content is not yet fully initialized causes undefined behavior

unsafe { &mut (*self).start as *mut T };

There's a better way to do this now, with std:::ptr::addr_of_mut. That line of code you wrote could be UB for uninitialized fields, I don't know if that's been decided yet.

I contributed some docs for how to initialize a MaybeUninit<Struct> in the Initializing a struct field-by-field section

eko · February 28, 2021, 8:22pm

Can't you use this instead?

#![feature(maybe_uninit_ref)]
#![allow(unused_unsafe)]
use core::mem::MaybeUninit;

pub struct Range {
	pub start: i32
}

pub unsafe fn partial_default(this: &mut MaybeUninit<Range>) {
    let this = unsafe { &mut *this.assume_init_mut() };
    let start = 0;
    let start_ptr = &mut this.start;
    *start_ptr = start;
}

JeffBurdges · February 28, 2021, 8:23pm

I made a copy-paste error from the other discussion, oops. Avoiding assume_init_mut is actually the point.

I'd missed that even *self breaks, not sure if it breaks Drop. Yes, addr_of_mut heads the right direction, thanks!

mbrubeck · February 28, 2021, 10:33pm

See also: Need for -> operator for Unsafe Code Guidelines

system · May 29, 2021, 10:34pm

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.

Topic		Replies	Views
Computing raw pointers to fields Unsafe Code Guidelines	3	4372	December 22, 2024
Pre-RFC: Struct/union raw pointer field access language design	11	2105	April 2, 2020
Why is transmuting raw pointers considered safe? language design	54	1760	June 10, 2021
Raw pointer ergonomics	22	1851	May 3, 2023
Array reference from raw parts missing? libs	7	745	November 10, 2022

Raw pointer field projection

Related topics