Comment on `Rc` abort-guard strategy without naming unrelated fn
`wrapped_add` is used, not `checked_add`, so avoid mentioning specific fn calls that may vary slightly based on "whatever produces the best code" and focus on things that will remain constant into the future.
Consistent trait bounds for ExtractIf Debug impls
Closes#137654. Refer to that issue for a table of the **4** different impl signatures we previously had in the standard library for Debug impls of various ExtractIf iterator types.
The one we are standardizing on is the one so far only used by `alloc::collections::linked_list::ExtractIf`, which is _no_ `F: Debug` bound, _no_ `F: FnMut` bound, only `T: Debug` bound.
This PR applies the following signature changes:
```diff
/* alloc::collections::btree_map */
pub struct ExtractIf<'a, K, V, F, A = Global>
where
- F: 'a + FnMut(&K, &mut V) -> bool,
Allocator + Clone,
impl Debug for ExtractIf<'a, K, V, F,
+ A,
>
where
K: Debug,
V: Debug,
- F: FnMut(&K, &mut V) -> bool,
+ A: Allocator + Clone,
```
```diff
/* alloc::collections::btree_set */
pub struct ExtractIf<'a, T, F, A = Global>
where
- T: 'a,
- F: 'a + FnMut(&T) -> bool,
Allocator + Clone,
impl Debug for ExtractIf<'a, T, F, A>
where
T: Debug,
- F: FnMut(&T) -> bool,
A: Allocator + Clone,
```
```diff
/* alloc::collections::linked_list */
impl Debug for ExtractIf<'a, T, F,
+ A,
>
where
T: Debug,
+ A: Allocator,
```
```diff
/* alloc::vec */
impl Debug for ExtractIf<'a, T, F, A>
where
T: Debug,
- F: Debug,
A: Allocator,
- A: Debug,
```
```diff
/* std::collections::hash_map */
pub struct ExtractIf<'a, K, V, F>
where
- F: FnMut(&K, &mut V) -> bool,
impl Debug for ExtractIf<'a, K, V, F>
where
+ K: Debug,
+ V: Debug,
- F: FnMut(&K, &mut V) -> bool,
```
```diff
/* std::collections::hash_set */
pub struct ExtractIf<'a, T, F>
where
- F: FnMut(&T) -> bool,
impl Debug for ExtractIf<'a, T, F>
where
+ T: Debug,
- F: FnMut(&T) -> bool,
```
I have made the following changes to bring these types into better alignment with one another.
- Delete `F: Debug` bounds. These are especially problematic because Rust closures do not come with a Debug impl, rendering the impl useless.
- Delete `A: Debug` bounds. Allocator parameters are unstable for now, but in the future this would become an API commitment that we do not debug-print a representation of the allocator when printing an iterator.
- Delete `F: FnMut` bounds. Requires `hashbrown` PR: https://github.com/rust-lang/hashbrown/pull/616. **API commitment:** we commit to not doing RefCell voodoo inside ExtractIf to have some way for its Debug impl (which takes &self) to call a FnMut closure, if this is even possible.
- Add `T: Debug` bounds (or `K`/`V`), even on Debug impls that do not currently make use of them, but might in the future. **Breaking change.** Must backport into Rust 1.87 (current beta) or do a de-stabilization PR in beta to delay those types by one release.
- Render using `debug_struct` + `finish_non_exhaustive`, instead of `debug_tuple`.
- Do not render the _entire_ underlying collection.
- Show a "peek" field indicating the current position of the iterator.
Correct `extract_if` sample equivalent.
Tracking issue: https://github.com/rust-lang/rust/issues/43244
Original PR: #133265
The sample code marked as equivalent in the doc comment isn't currently equivalent. Given the same predicate and range, if your vector were `[1, 2, 3, 3, 3, 3, 3, 3, 4, 5, 6]`, then all of the 3s would be removed. `i` is only incremented when an element is dropped, but `range.end` is unchanged, so the items shift down. I got very confused when reading the docs and trying to square this sample code with the explanation of how the function works.
Fortunately, the real `extract_if()` does not have this problem. I've added an `end` variable to align the behavior. I've also taken the opportunity to simplify the predicate, which now just matches odd numbers, and to pad out the vec of numbers to line up the zero-indexed range with the integers in the vec.
r? the8472
Implement a lint for implicit autoref of raw pointer dereference - take 2
*[t-lang nomination comment](https://github.com/rust-lang/rust/pull/123239#issuecomment-2727551097)*
This PR aims at implementing a lint for implicit autoref of raw pointer dereference, it is based on #103735 with suggestion and improvements from https://github.com/rust-lang/rust/pull/103735#issuecomment-1370420305.
The goal is to catch cases like this, where the user probably doesn't realise it just created a reference.
```rust
pub struct Test {
data: [u8],
}
pub fn test_len(t: *const Test) -> usize {
unsafe { (*t).data.len() } // this calls <[T]>::len(&self)
}
```
Since #103735 already went 2 times through T-lang, where they T-lang ended-up asking for a more restricted version (which is what this PR does), I would prefer this PR to be reviewed first before re-nominating it for T-lang.
----
Compared to the PR it is as based on, this PR adds 3 restrictions on the outer most expression, which must either be:
1. A deref followed by any non-deref place projection (that intermediate deref will typically be auto-inserted)
2. A method call annotated with `#[rustc_no_implicit_refs]`.
3. A deref followed by a `addr_of!` or `addr_of_mut!`. See bottom of post for details.
There are several points that are not 100% clear to me when implementing the modifications:
- ~~"4. Any number of automatically inserted deref/derefmut calls." I as never able to trigger this. Am I missing something?~~ Fixed
- Are "index" and "field" enough?
----
cc `@JakobDegen` `@WaffleLapkin`
r? `@RalfJung`
try-job: dist-various-1
try-job: dist-various-2
Create `Atomic<T>` type alias (rebase)
Rebase of #130543.
Additional changes:
- Switch from `allow` to `expect` for `private_bounds` on `AtomicPrimitive`
- Unhide `AtomicPrimitive::AtomicInner` from docs, because rustdoc shows the definition `pub type Atomic<T> = <T as AtomicPrimitive>::AtomicInner;` and generated links for it.
- `NonZero` did not have this issue, because they kept the new alias private before the direction was changed.
- Use `Atomic<_>` in more places, including inside `Once`'s `Futex`. This is possible thanks to https://github.com/rust-lang/rust-clippy/pull/14125
The rest will either get moved back to #130543 or #130543 will be closed in favor of this instead.
---
* ACP: https://github.com/rust-lang/libs-team/issues/443#event-14293381061
* Tracking issue: #130539
Update safety documentation for `CString::from_ptr` and `str::from_boxed_utf8_unchecked`
## PR Description
This PR addresses missing safety documentation for two APIs:
**1. alloc::ffi::CStr::from_raw**
- `Alias`: The pointer must not be aliased (accessed via other pointers) during the reconstructed CString's lifetime.
- `Owning`: Calling this function twice on the same pointer and creating two objects with overlapping lifetimes, introduces two alive owners of the same memory. This may result in a double-free.
- `Dangling`: The prior documentation required the pointer to originate from CString::into_raw, but this constraint is incomplete. A validly sourced pointer can also cause undefined behavior (UB) if it becomes dangling. A simple Poc for this situation:
```
use std::ffi::CString;
use std::os::raw::c_char;
fn create_dangling() -> *mut c_char {
let local_ptr: *mut c_char = {
let valid_data = CString::new("valid").unwrap();
valid_data.into_raw()
};
unsafe {
let _x = CString::from_raw(local_ptr);
}
local_ptr
}
fn main() {
let dangling = create_dangling();
unsafe {let _y = CString::from_raw(dangling);} // Cause UB!
}
```
**2. alloc::str::from_boxed_utf8_unchecked**
- `ValidStr`: Bytes must contain a valid UTF-8 sequence.
Stabilise `std::ffi::c_str`
This finished FCP in #112134 but never actually got a stabilisation PR. Since the FCP in #120048 recently passed to add the `os_str` module, it would be nice to also merge this too, to ensure that both get added in the next version.
Note: The added stability attributes which *somehow* were able to be omitted before (rustc bug?) were added based on the fact that they were added in 302551388b, which ended up in 1.85.0.
Closes: https://github.com/rust-lang/rust/issues/112134
r? libs-api
I found these by grepping for `&[a-z_\.]*\.clone()`, i.e. expressions
like `&a.b.clone()`, which are sometimes unnecessary clones, and also
looking at clones nearby to cases like that.
fix incorrect type in cstr `to_string_lossy()` docs
Restoring what it said prior to commit 67065fe in which it was changed incorrectly with no supporting explanation.
Closes#139835.
Replace last `usize` -> `ptr` transmute in `alloc` with strict provenance API
This replaces the `usize -> ptr` transmute in `RawVecInner::new_in` with a strict provenance API (`NonNull::without_provenance`).
The API is changed to take an `Alignment` which encodes the non-null constraint needed for `Unique` and allows us to do the construction safely.
Two internal-only APIs were added to let us avoid UB-checking in this hot code: `Layout::alignment` to get the `Alignment` type directly rather than as a `usize`, and `Unique::from_non_null` to create `Unique` in const context without a transmute.
Switch some rustc_on_unimplemented uses to diagnostic::on_unimplemented
The use on the SliceIndex impl appears unreachable, there is no mention of "vector indices" in any test output and I could not get it to show up in error messages.
