|
19 | 19 | //! pointer. The following points are only concerned with non-zero-sized accesses. |
20 | 20 | //! * A [null] pointer is *never* valid. |
21 | 21 | //! * For a pointer to be valid, it is necessary, but not always sufficient, that the pointer be |
22 | | -//! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocated |
23 | | -//! object] it is derived from; a pointer is dereferenceable if the memory range of the given size |
24 | | -//! starting at the pointer is entirely contained within the bounds of that allocated object. Note |
25 | | -//! that in Rust, every (stack-allocated) variable is considered a separate allocated object. |
| 22 | +//! *dereferenceable*. The [provenance] of the pointer is used to determine which [allocation] |
| 23 | +//! it is derived from; a pointer is dereferenceable if the memory range of the given size |
| 24 | +//! starting at the pointer is entirely contained within the bounds of that allocation. Note |
| 25 | +//! that in Rust, every (stack-allocated) variable is considered a separate allocation. |
26 | 26 | //! * All accesses performed by functions in this module are *non-atomic* in the sense |
27 | 27 | //! of [atomic operations] used to synchronize between threads. This means it is |
28 | 28 | //! undefined behavior to perform two concurrent accesses to the same location from different |
|
31 | 31 | //! be used for inter-thread synchronization, regardless of whether it is acting on |
32 | 32 | //! Rust memory or not. |
33 | 33 | //! * The result of casting a reference to a pointer is valid for as long as the |
34 | | -//! underlying object is live and no reference (just raw pointers) is used to |
| 34 | +//! underlying allocation is live and no reference (just raw pointers) is used to |
35 | 35 | //! access the same memory. That is, reference and pointer accesses cannot be |
36 | 36 | //! interleaved. |
37 | 37 | //! |
|
96 | 96 | //! |
97 | 97 | //! [valid value]: ../../reference/behavior-considered-undefined.html#invalid-values |
98 | 98 | //! |
99 | | -//! ## Allocated object |
| 99 | +//! ## Allocation |
100 | 100 | //! |
101 | | -//! An *allocated object* is a subset of program memory which is addressable |
| 101 | +//! An *allocation* is a subset of program memory which is addressable |
102 | 102 | //! from Rust, and within which pointer arithmetic is possible. Examples of |
103 | | -//! allocated objects include heap allocations, stack-allocated variables, |
| 103 | +//! allocations include heap allocations, stack-allocated variables, |
104 | 104 | //! statics, and consts. The safety preconditions of some Rust operations - |
105 | 105 | //! such as `offset` and field projections (`expr.field`) - are defined in |
106 | | -//! terms of the allocated objects on which they operate. |
| 106 | +//! terms of the allocations on which they operate. |
107 | 107 | //! |
108 | | -//! An allocated object has a base address, a size, and a set of memory |
109 | | -//! addresses. It is possible for an allocated object to have zero size, but |
110 | | -//! such an allocated object will still have a base address. The base address |
111 | | -//! of an allocated object is not necessarily unique. While it is currently the |
112 | | -//! case that an allocated object always has a set of memory addresses which is |
| 108 | +//! An allocation has a base address, a size, and a set of memory |
| 109 | +//! addresses. It is possible for an allocation to have zero size, but |
| 110 | +//! such an allocation will still have a base address. The base address |
| 111 | +//! of an allocation is not necessarily unique. While it is currently the |
| 112 | +//! case that an allocation always has a set of memory addresses which is |
113 | 113 | //! fully contiguous (i.e., has no "holes"), there is no guarantee that this |
114 | 114 | //! will not change in the future. |
115 | 115 | //! |
116 | | -//! Allocated objects must behave like "normal" memory: in particular, reads must not have |
117 | | -//! side-effects, and writes must become visible to other threads using the usual synchronization |
118 | | -//! primitives. |
| 116 | +//! Allocations must behave like "normal" memory: in particular, reads must not |
| 117 | +//! have side-effects, and writes must become visible to other threads using the |
| 118 | +//! usual synchronization primitives. |
119 | 119 | //! |
120 | | -//! For any allocated object with `base` address, `size`, and a set of |
| 120 | +//! For any allocation with `base` address, `size`, and a set of |
121 | 121 | //! `addresses`, the following are guaranteed: |
122 | 122 | //! - For all addresses `a` in `addresses`, `a` is in the range `base .. (base + |
123 | 123 | //! size)` (note that this requires `a < base + size`, not `a <= base + size`) |
|
127 | 127 | //! - `size <= isize::MAX` |
128 | 128 | //! |
129 | 129 | //! As a consequence of these guarantees, given any address `a` within the set |
130 | | -//! of addresses of an allocated object: |
| 130 | +//! of addresses of an allocation: |
131 | 131 | //! - It is guaranteed that `a - base` does not overflow `isize` |
132 | 132 | //! - It is guaranteed that `a - base` is non-negative |
133 | 133 | //! - It is guaranteed that, given `o = a - base` (i.e., the offset of `a` within |
134 | | -//! the allocated object), `base + o` will not wrap around the address space (in |
| 134 | +//! the allocation), `base + o` will not wrap around the address space (in |
135 | 135 | //! other words, will not overflow `usize`) |
136 | 136 | //! |
137 | 137 | //! [`null()`]: null |
|
143 | 143 | //! and the freed memory gets reallocated before your read/write (in fact this is the |
144 | 144 | //! worst-case scenario, UAFs would be much less concerning if this didn't happen!). |
145 | 145 | //! As another example, consider that [`wrapping_offset`] is documented to "remember" |
146 | | -//! the allocated object that the original pointer points to, even if it is offset far |
147 | | -//! outside the memory range occupied by that allocated object. |
| 146 | +//! the allocation that the original pointer points to, even if it is offset far |
| 147 | +//! outside the memory range occupied by that allocation. |
148 | 148 | //! To rationalize claims like this, pointers need to somehow be *more* than just their addresses: |
149 | 149 | //! they must have **provenance**. |
150 | 150 | //! |
|
164 | 164 | //! writes. Note that this can interact with the other components, e.g. a pointer might permit |
165 | 165 | //! mutation only for a subset of addresses, or only for a subset of its maximal timespan. |
166 | 166 | //! |
167 | | -//! When an [allocated object] is created, it has a unique Original Pointer. For alloc |
| 167 | +//! When an [allocation] is created, it has a unique Original Pointer. For alloc |
168 | 168 | //! APIs this is literally the pointer the call returns, and for local variables and statics, |
169 | 169 | //! this is the name of the variable/static. (This is mildly overloading the term "pointer" |
170 | 170 | //! for the sake of brevity/exposition.) |
171 | 171 | //! |
172 | | -//! The Original Pointer for an allocated object has provenance that constrains the *spatial* |
| 172 | +//! The Original Pointer for an allocation has provenance that constrains the *spatial* |
173 | 173 | //! permissions of this pointer to the memory range of the allocation, and the *temporal* |
174 | 174 | //! permissions to the lifetime of the allocation. Provenance is implicitly inherited by all |
175 | 175 | //! pointers transitively derived from the Original Pointer through operations like [`offset`], |
|
197 | 197 | //! provenance since they access an empty range of memory. |
198 | 198 | //! |
199 | 199 | //! * It is undefined behavior to [`offset`] a pointer across a memory range that is not contained |
200 | | -//! in the allocated object it is derived from, or to [`offset_from`] two pointers not derived |
201 | | -//! from the same allocated object. Provenance is used to say what exactly "derived from" even |
| 200 | +//! in the allocation it is derived from, or to [`offset_from`] two pointers not derived |
| 201 | +//! from the same allocation. Provenance is used to say what exactly "derived from" even |
202 | 202 | //! means: the lineage of a pointer is traced back to the Original Pointer it descends from, and |
203 | | -//! that identifies the relevant allocated object. In particular, it's always UB to offset a |
| 203 | +//! that identifies the relevant allocation. In particular, it's always UB to offset a |
204 | 204 | //! pointer derived from something that is now deallocated, except if the offset is 0. |
205 | 205 | //! |
206 | 206 | //! But it *is* still sound to: |
|
221 | 221 | //! * Compare arbitrary pointers by address. Pointer comparison ignores provenance and addresses |
222 | 222 | //! *are* just integers, so there is always a coherent answer, even if the pointers are dangling |
223 | 223 | //! or from different provenances. Note that if you get "lucky" and notice that a pointer at the |
224 | | -//! end of one allocated object is the "same" address as the start of another allocated object, |
| 224 | +//! end of one allocation is the "same" address as the start of another allocation, |
225 | 225 | //! anything you do with that fact is *probably* going to be gibberish. The scope of that |
226 | 226 | //! gibberish is kept under control by the fact that the two pointers *still* aren't allowed to |
227 | 227 | //! access the other's allocation (bytes), because they still have different provenance. |
|
374 | 374 | //! integer-to-pointer casts. |
375 | 375 | //! |
376 | 376 | //! [aliasing]: ../../nomicon/aliasing.html |
377 | | -//! [allocated object]: #allocated-object |
| 377 | +//! [allocation]: #allocation |
378 | 378 | //! [provenance]: #provenance |
379 | 379 | //! [book]: ../../book/ch19-01-unsafe-rust.html#dereferencing-a-raw-pointer |
380 | 380 | //! [ub]: ../../reference/behavior-considered-undefined.html |
@@ -1021,7 +1021,7 @@ pub const unsafe fn swap<T>(x: *mut T, y: *mut T) { |
1021 | 1021 | // SAFETY: the caller must guarantee that `x` and `y` are |
1022 | 1022 | // valid for writes and properly aligned. `tmp` cannot be |
1023 | 1023 | // overlapping either `x` or `y` because `tmp` was just allocated |
1024 | | - // on the stack as a separate allocated object. |
| 1024 | + // on the stack as a separate allocation. |
1025 | 1025 | unsafe { |
1026 | 1026 | copy_nonoverlapping(x, tmp.as_mut_ptr(), 1); |
1027 | 1027 | copy(y, x, 1); // `x` and `y` may overlap |
@@ -1140,7 +1140,7 @@ pub const unsafe fn swap_nonoverlapping<T>(x: *mut T, y: *mut T, count: usize) { |
1140 | 1140 | // Going though a slice here helps codegen know the size fits in `isize` |
1141 | 1141 | let slice = slice_from_raw_parts_mut(x, count); |
1142 | 1142 | // SAFETY: This is all readable from the pointer, meaning it's one |
1143 | | - // allocated object, and thus cannot be more than isize::MAX bytes. |
| 1143 | + // allocation, and thus cannot be more than isize::MAX bytes. |
1144 | 1144 | let bytes = unsafe { mem::size_of_val_raw::<[T]>(slice) }; |
1145 | 1145 | if let Some(bytes) = NonZero::new(bytes) { |
1146 | 1146 | // SAFETY: These are the same ranges, just expressed in a different |
@@ -1293,7 +1293,7 @@ pub const unsafe fn replace<T>(dst: *mut T, src: T) -> T { |
1293 | 1293 | // SAFETY: the caller must guarantee that `dst` is valid to be |
1294 | 1294 | // cast to a mutable reference (valid for writes, aligned, initialized), |
1295 | 1295 | // and cannot overlap `src` since `dst` must point to a distinct |
1296 | | - // allocated object. |
| 1296 | + // allocation. |
1297 | 1297 | unsafe { |
1298 | 1298 | ub_checks::assert_unsafe_precondition!( |
1299 | 1299 | check_language_ub, |
@@ -1540,7 +1540,7 @@ pub const unsafe fn read_unaligned<T>(src: *const T) -> T { |
1540 | 1540 | let mut tmp = MaybeUninit::<T>::uninit(); |
1541 | 1541 | // SAFETY: the caller must guarantee that `src` is valid for reads. |
1542 | 1542 | // `src` cannot overlap `tmp` because `tmp` was just allocated on |
1543 | | - // the stack as a separate allocated object. |
| 1543 | + // the stack as a separate allocation. |
1544 | 1544 | // |
1545 | 1545 | // Also, since we just wrote a valid value into `tmp`, it is guaranteed |
1546 | 1546 | // to be properly initialized. |
|
0 commit comments