Document valid pointer and Box transmutations#2282
Open
traviscross wants to merge 6 commits into
Open
Conversation
The pointer-to-pointer cast rules and the wide-pointer validity rule both speak of the *metadata* of a pointer, but we hadn't explicitly defined the term (even though we had defined the contents of that metadata). Let's do that and link to it.
We refer to the unsized tail of a type, but we hadn't defined it. Let's do that and link to the definition.
traviscross
force-pushed
the
TC/box-transmute-validity
branch
from
e75977e to
b624dd7
Compare
| * Pointers to trait objects also store a pointer to a vtable. | ||
| * [Pointer types] to <abbr title="dynamically sized types">DSTs</abbr> are sized but have twice the size of pointers to sized types, since they also store *metadata*: | ||
| * Pointers to slices store the number of elements; pointers to `str` store the length in bytes. | ||
| * Pointers to trait objects store a pointer to a vtable. |
Member
There was a problem hiding this comment.
Comparing notes with https://doc.rust-lang.org/nightly/std/ptr/trait.Pointee.html#pointer-metadata, I think the only missing piece is the "unsized / last field" indirection for indirectly unsized types.
| * The [metadata] of a wide reference, [`Box<T>`], or raw pointer must match the type of the unsized tail: | ||
| * The [metadata] of a wide reference, [`Box<T>`], or raw pointer must match the type of the [unsized tail]: | ||
| * `dyn Trait` metadata must be a pointer to a compiler-generated vtable for `Trait`. (For raw pointers, this requirement remains a subject of some debate.) | ||
| * Slice (`[T]`) metadata must be a valid `usize`. Furthermore, for wide references and [`Box<T>`], slice metadata is invalid if it makes the total size of the pointed-to value bigger than `isize::MAX`. |
Member
There was a problem hiding this comment.
- This is missing the
strcase. - The "invalid if total size" seems like it applies more generally to all metadata, including indirectly stored size metadata in the vtable? Though that becomes complicated since it depends on a deref to determine that the original thing is valid.
Contributor
Author
There was a problem hiding this comment.
(As context for others, this is preexisting text.)
On the first point, thanks; I've added that.
On the second, the text requires that, for dyn Trait, the "metadata must be a pointer to a compiler-generated vtable for Trait". Given that, think we still need to place further requirements on its contents?
| tail: T, | ||
| } | ||
| // Pointers to two types share a layout when the types are both sized, | ||
| // both have a slice or `str` tail, or both have a trait object tail. |
Member
There was a problem hiding this comment.
Hm, I guess the pointers would share a layout even under -Zrandomize-layout? Though that may not guarantee transmutes are sound (since alignment could change).
traviscross
force-pushed
the
TC/box-transmute-validity
branch
from
b624dd7 to
5a667b1
Compare
ehuss
reviewed
Jun 9, 2026
| <!-- Editor Note: This is nowhere close to an exhaustive list --> | ||
|
|
||
| r[lang-types.box.transmute] | ||
| For types `T` and `U` such that `*mut T` and `*mut U` have the same layout (per [layout.pointer.parametric]) and a [pointer-to-pointer cast] from `*mut T` to `*mut U` is permitted, transmuting a `Box<T>` to a `Box<U>`, where both boxes use the global allocator, is sound when both of the following hold: |
Contributor
There was a problem hiding this comment.
Just curious, why "global" here?
Member
There was a problem hiding this comment.
Box with a custom allocator is not necessarily going to put the allocator in the same place -- e.g. under -Zrandomize-layout -- for different value types, so I don't think we can make this guarantee. Maybe it can be made for 1-ZST allocators? Not sure...
We guarantee various things about the layout of pointers and references, but we'd made no guarantees of equivalence between two pointers to distinct unsized types that differ in the unsized tail. Let's make some useful guarantees about this.
Our rules for `as` casts document which pointer-to-pointer casts are valid. For unsized types, this validity is based on the compatibility of the pointer metadata. Using this and our layout equivalences, we can define when a pointer transmute will produce the same pointer value as would a cast. Let's define that.
We hadn't documented when it's sound to transmute a `Box<T>` to a `Box<U>`. Now that we've documented when `*mut T` and `*mut U` can be assumed to have the same layout, let's use that to document when this transmute is sound.
The validity rule for the metadata of a wide reference, `Box<T>`, or raw pointer mentions `dyn Trait` and slice but had omitted `str`. Let's fix that.
traviscross
force-pushed
the
TC/box-transmute-validity
branch
from
5a667b1 to
6ca17b8
Compare
rustbot
added
the
S-waiting-on-review
Contributor
Author
|
cc @RalfJung |
traviscross
added
I-lang-nominated
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
This is best reviewed commit by commit.
Related to:
Boxrust#155597