Stuck on an issue?

Lightrun Answers was designed to reduce the constant googling that comes with debugging 3rd party libraries. It collects links to all the places you might be looking at while hunting down a tough bug.

And, if you’re still stuck at the end, we’re happy to hop on a call to see how we can help out.

Passing safe references to empty enums

See original GitHub issue

On IRC, @mystor asked me whether it would be illegal to pass around &SafeType or &mut SafeType given this definition:

enum Impossible {}

#[repr(C)]
pub struct SafeType {
    _prohibit_constructor: Impossible
}

In particular, is it ok to have an empty enum “by-value” in a struct in this fashion?

Issue Analytics

State:
Created 7 years ago
Comments:24 (5 by maintainers)

Top GitHub Comments

3reactions

glaebhoerlcommented, Oct 8, 2016

Revisiting my comment from earlier…

References (&T, &mut T) can only be created by referring to a live value of type T. If you have a live value of type !, it is UB by definition. Therefore creating an &! or &mut ! must also be UB. Put another way, if a live value of type &T or &mut T exists, then a live value of type T exists which it refers to, and a live value of type ! is UB, so a live value of type &! or &mut ! is also UB. I don’t see why it has to be any more subtle or complicated than that.

I’m struck anew by what treacherous ground this question of “should it be legal, or should it be undefined behavior” really is. When other people express the sentiment that some particular unsafe hack is “obviously wrong” and shouldn’t be allowed, I’m usually quick to observe that preventing people from doing it is not a realistic possibility – that the only decision we have the power to make is whether to introduce potential security vulnerabilities into peoples’ code when (not if) they do it. In other words, that in these questions we should be attuned to practical consequences at least as much as theoretical elegance. And then here I am, expressing the sentiment that using unsafe code to get a reference to an uninhabited type is obviously wrong and shouldn’t be allowed.

For what it’s worth, I think my feelings on the subject attach more strongly to uninhabited types than to reference types. A live value of an uninhabited type is the very definition of undefined behavior (like GCC’s __builtin_unreachable), what sound type systems everywhere exist to preclude, and the clarity of this really should not be muddied. If this isn’t undefined behavior, then nothing is.

On the other hand, if we say that in the presence of unsafe code, reference types should not always be taken at their word, a principle that just happens to apply uniformly to references to uninhabited types as well as to every other type, that seems like a separate matter. In a tootsie pop model, it seems appropriate that in “safe code”, &! and &mut ! really would be tantamount to !, as per the logical interpretation of reference types, while in “unsafe code”, they would perhaps not be taken so seriously.

0reactions

RalfJungcommented, May 31, 2019

This is now basically being discussed at https://github.com/rust-lang/unsafe-code-guidelines/issues/77: does a reference always have to have a pointee that is valid for its type, or does it “just” have to be aligned and dereferencable?