What is the real difference between `*const T` and `*mut T` raw pointers?

matklad · 2017-10-29T20:04:13.276Z

Hello!

I’d like too know what are the exact differences between *const T and *mut T types, what guarantees they provide and what invariants the programmer must maintain. i find documentation on the topic a bit thin:

Non-exhaustive list of “properties to remember” in Rust book: https://doc.rust-lang.org/book/first-edition/raw-pointers.html
A similar list in the second edition https://doc.rust-lang.org/book/second-edition/ch19-01-unsafe-rust.html
A bit of important info about variance in nomicon: https://doc.rust-lang.org/nomicon/subtyping.html
Nothing in the reference

Here is what I think is true about *const T and *mut T. Please correct me if I am wrong and confirm, if I am right.

It’s not UB to cast between *const T and *mut T.
*const T is variant and *mut T is invariant over T.
1) implies that 2) is the single real difference between them.

So if you are using raw pointers to implement a data structure (that is, not for FFI), you can pretty much use any of *const or *mut, provided that variance is correct. You may even have to use *const for “mutable” data if you need variance. The prime example of this is a Unique<T> type, which is logically an owning-raw pointer. It stores *const T to be variant over T, but give access to T via *mut.

If you are using raw pointers for FFI (as parameter and return types of extern “C” functions), then *const vs *mut is purely a question of documenting intent, and does not affect the generated code at all. However, documenting intent is important, because C and C++ have a rule that you can’t mutate a constant object.

mbrubeck · 2017-10-29T20:52:14.874Z

Your understanding matches mine, for what it’s worth.

If you are using raw pointers for FFI (as parameter and return types of extern “C” functions), then *const vs *mut is purely a question of documenting intent, and does not affect the generated code at all. However, documenting intent is important, because C and C++ have a rule that you can’t mutate a constant object.

This rule is somewhat reflected on the Rust side, in that &T will coerce to *const T but not to *mut T. The only safe way to get a *mut T from an immutable T is to cast through an intermediate *const T. (Though as you noted, the possibility of this cast means that this difference is only ergonomic.)

torkleyy · 2018-03-28T11:05:31.269Z

Now I have a case where I’m not quite sure which raw pointer to use.

I have a pointer that

needs to be passed over language boundaries
most likely involves interior mutability
is a “subtype” (as in the way you do sub-typing in C, not in Rust) of the actual passed value, as shown in the following snippet

#[repr(C)]
pub struct RawObject {
    f_ptr: unsafe extern "C" fn(*const/mut RawObject, i32) -> i32,
    // the actual pointed-to object has some more fields
}

Should I use *const RawObject or *mut RawObject when passing or storing such a pointer?

jdm · 2018-03-28T15:35:18.658Z

The rule of thumb I follow is whether the members of the structure will be mutated by the code that receives that argument. If any writes could occur, requiring a *mut RawObject makes that clear.

torkleyy · 2018-03-28T18:15:31.576Z

The code that receives the argument won’t mutate it, but the it might be mutated by the callback function it contains.

jdm · 2018-03-29T04:25:45.886Z

Sounds like the callback deserves a *mut argument, then!

scottmcm · 2018-03-31T04:47:53.542Z

I wonder whether the convention here will eventually just become Option<ptr::NonNull<T>> and *const-vs-*mut will disappear entirely…

matklad · 2018-03-31T07:16:50.458Z

@scottmcm probably! I am not sure if you can use Option<NonNull> for ffi though?

scottmcm · 2018-03-31T07:35:05.436Z

matklad:

I am not sure if you can use Option for ffi though?

You can in some cases! Things like the following are already fairly common:

extern "C" {
    pub fn foo(x: Option<&i32>);
}

matklad · 2018-03-31T08:15:29.755Z

Argh, sanitaizer ate my NonNull

I know that Option by itself is allowed in ffi, but what about NonNull?

scottmcm · 2018-04-01T05:01:00.843Z

Ah, makes sense Looks like it trips the lint, at least:

warning: `extern` block uses type `std::option::Option<std::ptr::NonNull<i32>>` which is not FFI-safe: enum has no representation hint
 --> src/lib.rs:5:19
  |
5 |     pub fn bar(x: Option<NonNull<i32>>);
  |                   ^^^^^^^^^^^^^^^^^^^^
  |
  = note: #[warn(improper_ctypes)] on by default
  = help: consider adding a #[repr(...)] attribute to this enum

Its docs do say that "Option<NonNull<T>> has the same size as *mut T", though, so it’d almost work…

Ah, there’s an issue about it:

github.com/rust-lang/rust

Issue: Use of ptr::NonNull in FFI

opened by kornelski on 2018-03-20

I think it would be interesting to use ptr::NonNull to explicitly document FFI arguments that aren't allowed to be NULL, so...

A-ffi C-enhancement T-libs

matklad · 2019-01-16T16:45:44.014Z

Today I’ve stumbled on this PR, which suggest that using *const where *mut is expected might be unsound (at least, that’s what relnotes say?)

Is this really unsound though? In my current view of the world, this is not unsound (by itself). What matters is how did you get that pointer. If you originally had an &mut __m256i then using *const or *mut should be OK. If you originally had an &__m256i, then both are unsound.

cc @RalfJung

ExpHP · 2019-01-16T17:30:48.297Z

My thoughts on that:

It takes quite a lot for an unsafe fn to be considered unsound!
Assuming that variance is the only difference, it’s irrelevant here because __m256i is not generic.
The fact that &T coerces to *const T does make the signature surprising and dangerous.

Unless there’s something peculiar about SIMD types that I don’t know about, I wouldn’t take that PR and its relnotes too literally; I feel the author may have used the word “unsound” too hastily.

glaebhoerl · 2019-01-16T17:50:11.858Z

(See also, apparently people really don’t like the idea of Option<NonNull<T>> for FFI.)

TimDiekmann · 2019-01-17T00:18:19.003Z

scottmcm:

extern "C" {
    pub fn foo(x: Option<&i32>);
}

Is this really allowed?

matklad · 2019-01-17T07:15:59.868Z

Yes. Optional reference is ffi safe (documented here https://doc.rust-lang.org/nomicon/other-reprs.html) and i32 is ffi safe (currently undocumented https://github.com/rust-lang-nursery/nomicon/issues/23, but, for example, c_int is defined as i32 on some platforms: https://docs.rs/libc/0.2.47/libc/type.c_int.html).

ahmedcharles · 2019-01-18T18:34:04.604Z

I think you missed the other distinction between *const and *mut, which is that *p = ... works on one but not on the other. Personally, I find that to be very useful. I’m glad that it’s not UB to cast between them. The UB should happen when writing to memory that’s read-only, not when casting the pointer.

RalfJung · 2019-01-20T08:56:18.322Z

matklad:

Is this really unsound though? In my current view of the world, this is not unsound (by itself). What matters is how did you get that pointer. If you originally had an &mut __m256i then using *const or *mut should be OK. If you originally had an &__m256i , then both are unsound.

I agree. *const T and *mut T are equivalent in terms of UB.

However, as @ExpHP wrote

ExpHP:

The fact that &T coerces to *const T does make the signature surprising and dangerous.

Using *const T could lead to people thinking they can pass in an &T, and that would be UB.

earthengine · 2019-01-20T22:26:00.406Z

So may I ask a question.

*const UnsafeCell<T> is isomorphic to *mut T for sure. Are they just the same?

(if you turn &T into *const UnsafeCell<T> you also get UB, so use *const UnsafeCell<T> in signature is not that dangerous)

Amanieu · 2019-01-21T01:49:29.882Z

*const T and *mut T are both equivalent to usize from a safety point of view. This is easy to see when you can cast any random integer into a raw pointer using only safe code.