offset_from: "the difference must fit in an isize" is a corollary · model-checking/verify-rust-std@6f80604 (original) (raw)
`@@ -761,38 +761,21 @@ impl<T: ?Sized> NonNull {
`
761
761
`///
`
762
762
`/// # Safety
`
763
763
`///
`
764
``
`-
/// If any of the following conditions are violated, the result is Undefined
`
765
``
`-
/// Behavior:
`
``
764
`+
/// If any of the following conditions are violated, the result is Undefined Behavior:
`
766
765
`///
`
767
``
`` -
/// * Both self
and origin
must be either in bounds or one
``
768
``
`-
/// byte past the end of the same [allocated object].
`
``
766
`` +
/// * self
and origin
must either
``
769
767
`///
`
770
``
`-
/// * Both pointers must be derived from a pointer to the same object.
`
771
``
`-
/// (See below for an example.)
`
``
768
`+
/// * both be derived from a pointer to the same [allocated object], and the memory range between
`
``
769
`+
/// the two pointers must be either empty or in bounds of that object. (See below for an example.)
`
``
770
`+
/// * or both be derived from an integer literal/constant, and point to the same address.
`
772
771
`///
`
773
772
`/// * The distance between the pointers, in bytes, must be an exact multiple
`
774
773
`` /// of the size of T
.
``
775
774
`///
`
776
``
`` -
/// * The distance between the pointers, in bytes, cannot overflow an isize
.
``
777
``
`-
///
`
778
``
`-
/// * The distance being in bounds cannot rely on "wrapping around" the address space.
`
779
``
`-
///
`
780
``
`` -
/// Rust types are never larger than isize::MAX
and Rust allocations never wrap around the
``
781
``
`` -
/// address space, so two pointers within some value of any Rust type T
will always satisfy
``
782
``
`-
/// the last two conditions. The standard library also generally ensures that allocations
`
783
``
`` -
/// never reach a size where an offset is a concern. For instance, Vec
and Box
ensure they
``
784
``
`` -
/// never allocate more than isize::MAX
bytes, so ptr_into_vec.offset_from(vec.as_ptr())
``
785
``
`-
/// always satisfies the last two conditions.
`
786
``
`-
///
`
787
``
`-
/// Most platforms fundamentally can't even construct such a large allocation.
`
788
``
`-
/// For instance, no known 64-bit platform can ever serve a request
`
789
``
`-
/// for 263 bytes due to page-table limitations or splitting the address space.
`
790
``
`-
/// However, some 32-bit and 16-bit platforms may successfully serve a request for
`
791
``
`` -
/// more than isize::MAX
bytes with things like Physical Address
``
792
``
`-
/// Extension. As such, memory acquired directly from allocators or memory
`
793
``
`-
/// mapped files may be too large to handle with this function.
`
794
``
`` -
/// (Note that [offset
] and [add
] also have a similar limitation and hence cannot be used on
``
795
``
`-
/// such large allocations either.)
`
``
775
`+
/// As a consequence, the absolute distance between the pointers, in bytes, computed on
`
``
776
`` +
/// mathematical integers (without "wrapping around"), cannot overflow an isize
. This is
``
``
777
`+
/// implied by the in-bounds requirement, and the fact that no allocated object can be larger
`
``
778
`` +
/// than isize::MAX
bytes.
``
796
779
`///
`
797
780
`/// The requirement for pointers to be derived from the same allocated object is primarily
`
798
781
`` /// needed for const
-compatibility: the distance between pointers into different allocated
``