unsafe-code-guidelines (original) (raw)

This is a part of #166, needed to unblock rust-lang/rust#121965 and rust-lang/rust#116542.

A type T has "slice tail" if it is unsized and its last field (recursively descending through structs/tuples) is of the shape [U]. For such types, we say that

The validity invariant of the metadata part of *const T and *mut T is exactly the same as that of usize.
The validity invariant of the metadata part of &T and &mut T is that of usize with the further constraint that the total size of a T with that metadata must not exceed isize::MAX.

The representation relation is otherwise that of an integer (so, what happens when the metadata has provenance matches what happens when a usize has provenance -- we haven't decided what exactly that will be, but it should be consistent).

Rationale:

We don't have a choice here, as slice_from_raw_parts is a stable safe function that can construct a wide raw slice pointer with an arbitrary value for its metadata.
This will allow us to add niches in slice metadata.

I think the only possibly controversial point here is that the validity invariant is not the same for metadata of *const [U] and &[U]. However, given that the validity invariant is already not the same for the data part of these (obviously), maybe that's not so surprising?

I am not including vtables in this as I think we have more discussing to do there.

@rust-lang/opsem what do you think? Any objections to moving to FCP swiftly?