limit impls of VaArgSafe to just types that are actually safe
#141341
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rustbot
added
S-waiting-on-review
| /// Trait which permits the allowed types to be used with [super::VaListImpl::arg]. | ||
| pub unsafe trait VaArgSafe: sealed::Sealed {} | ||
|
|
||
| unsafe impl VaArgSafe for i32 {} |
There was a problem hiding this comment.
Can you add a comment capturing a short form of the justification here? like "variable arguments must be promoted to at least c_int, but Rust doesn't implicitly promote".
There was a problem hiding this comment.
I added a # Safety section to the trait with some extra details, and comments for the (deliberately) missing implementations. Hopefully that is sufficiently clear.
This comment has been minimized.
This comment has been minimized.
8 and 16-bit integers are subject to upcasting in C, and hence are not reliably safe. users should perform their own casting and deal with the consequences
folkertdev
force-pushed
the
limit-VaArgSafe-impls
branch
from
bede725 to
d8a22a2
Compare
|
This PR modifies cc @jieyouxu |
|
cool. @bors r+ rollup |
bors
added
S-waiting-on-bors
bors
added a commit
to rust-lang-ci/rust
that referenced
this pull request
May 21, 2025
…iaskrgr Rollup of 8 pull requests Successful merges: - rust-lang#140526 (docs: Specify that common sort functions sort in an ascending direction) - rust-lang#141230 (std: fix doctest and explain for `as_slices` and `as_mut_slices` in `VecDeque`) - rust-lang#141341 (limit impls of `VaArgSafe` to just types that are actually safe) - rust-lang#141347 (incorrectly prefer builtin `dyn` impls :3) - rust-lang#141351 (Move -Zcrate-attr injection to just after crate root parsing) - rust-lang#141356 (lower bodies' params to thir before the body's value) - rust-lang#141357 (`unpretty=thir-tree`: don't require the final expr to be the body's value) - rust-lang#141363 (Document why we allow escaping bound vars in LTA norm) r? `@ghost` `@rustbot` modify labels: rollup
rust-timer
added a commit
to rust-lang-ci/rust
that referenced
this pull request
May 22, 2025
Rollup merge of rust-lang#141341 - folkertdev:limit-VaArgSafe-impls, r=workingjubilee limit impls of `VaArgSafe` to just types that are actually safe tracking issue: rust-lang#44930 Retrieving 8- or 16-bit integer arguments from a `VaList` is not safe, because such types are subject to upcasting. See rust-lang#61275 (comment) for more detail. This PR also makes the instances of `VaArgSafe` visible in the documentation, and uses a private sealed trait to make sure users cannot create additional impls of `VaArgSafe`, which would almost certainly cause UB. r? `@workingjubilee`
github-actions bot
pushed a commit
to model-checking/verify-rust-std
that referenced
this pull request
May 26, 2025
…r=workingjubilee limit impls of `VaArgSafe` to just types that are actually safe tracking issue: rust-lang#44930 Retrieving 8- or 16-bit integer arguments from a `VaList` is not safe, because such types are subject to upcasting. See rust-lang#61275 (comment) for more detail. This PR also makes the instances of `VaArgSafe` visible in the documentation, and uses a private sealed trait to make sure users cannot create additional impls of `VaArgSafe`, which would almost certainly cause UB. r? `@workingjubilee`
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
tracking issue: #44930
Retrieving 8- or 16-bit integer arguments from a
VaListis not safe, because such types are subject to upcasting. See #61275 (comment) for more detail.This PR also makes the instances of
VaArgSafevisible in the documentation, and uses a private sealed trait to make sure users cannot create additional impls ofVaArgSafe, which would almost certainly cause UB.r? @workingjubilee