This really is a interesting example, and I think it does in some sense "feel" like it or something like it ought to be allowed. I think it is generally fine to say that your specific code is UB (in my mind at least is pretty flagrantly mutates something that has had a shared reference taken which is invalid) as long as there is a clear guideline for what should be done instead. Specifically, regardless of how ugly the resultant code is, it should definitely be possible to create a value of that specific Node type (no changes like requiring it to be more generic or giving it repr(C)) using unsafe code that is cyclic in the way you describe.
This is the best I was able to come up with. As long as UnfinishedNode and Node are layout-compatible (which is a guarantee I think we can choose to provide, though we don't right now), this should do the same thing as your code without undefined behaviour.
I think I would be in favor of a strong enough guarantee about struct layout to make this sort of code work (possibly with some extra annotations). I don't think this would be at all onerous, though it might get in the way of struct layout randomization; I don't actually think it will though. As a specific strawman proposal designed to be extra conservative:
Two monomorphised types S and T are layout-compatible if any of the following hold.
S = TSis arepr(transparent)wrapper aroundS2andS2andTare layout-compatible.Tis arepr(transparent)wrapper aroundT2andT2andSare layout-compatible.SandTare both built-in pointer types (&mut,&,*mut,*const) and the pointer payloads are either- Both
Sized, - Both slices,
- The same trait
- Both
SandTare bothstructs with the same number of fields and, when paired up in declaration order, every pair of fields- Contain layout-compatible types
- Have the same name (this is a bit extreme, but I wanted to be conservative)
SandTare compatible according torepr(C)or other specific representation rules (e.g.packed,repron enums, etc.)
If we made those guarantees, I think the cyclic data-structure use case is not too heinous to deal with.
The primary difficulty is that it is really hard to maintain data dependency chains and make sure that you don't track things the way they were at the source level. Yes, it is painful to not be able to remove the dead cast, but that will be easily cleaned up later, and without it, you have to be sure to not break a different part of the chain. The traditional (well, I mean the one I've seen in multiple places; this isn't really old enough to have tradition) example is
fn foo() -> i32 {
let mut x = 2;
let ptr = &mut x as *mut i32 as usize; // does not escape
bar(ptr - ptr);
x
}
Now bar in some sense has been passed the pointer, and unless you want to deal with some complicated questions of what information content certain values leak about the pointer, you need to let bar access x. But then you can't rewrite ptr - ptr to 0. Complicating pointer-to-integer casts is annoying, but it seems to me like the least bad option.
See also the sort-of-tangent to the Types as Contracts discussion which I think did a great job of demonstrating the tradeoffs.
Additionally, I don't think it would cause any confusion past the AST, as I'm imagining that the lowering from AST to MIR would lower a reference-to-pointer cast as two statements in the MIR: a (brand-new) PushRaw operation and then a transmute to do the actual cast. Then, the compiler would be free to remove the cast, just not the PushRaw which has side effects. The PushRaw in some sense acts like a compiler barrier - it prevents certain movement of operations, but when MIR gets lowered to LLVM, it would just disappear.
This is just a MIR-level model, so it is fine if LLVM removes the cast - we just can't remove it (or, well, the push of Raw, which is a bit different) before lowering to LLVM. We do need to be careful to compile to valid LLVM, but as long as MIR undefined behaviour is a superset of LLVM undefined behaviour, which it should be since we throw away a bunch of extra information, then LLVM will generate valid code.