Skip to content

aliasing rules also apply inside private fields#2304

Open
RalfJung wants to merge 1 commit into
rust-lang:masterfrom
RalfJung:aliasing-in-fields
Open

aliasing rules also apply inside private fields#2304
RalfJung wants to merge 1 commit into
rust-lang:masterfrom
RalfJung:aliasing-in-fields

Conversation

@RalfJung

@RalfJung RalfJung commented Jul 3, 2026

Copy link
Copy Markdown
Member

People might reasonably assume that a reference hidden inside private fields isn't really a reference. Let's make it clear that that's not the case.
This is based on feedback by @jethrogb.

@rustbot rustbot added the S-waiting-on-review Status: The marked PR is awaiting review from a maintainer label Jul 3, 2026
@rustbot

This comment has been minimized.

@RalfJung RalfJung force-pushed the aliasing-in-fields branch from 49af5a1 to 960da81 Compare July 3, 2026 12:40
@rustbot

rustbot commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed.

Rebasing is a normal part of keeping PRs up to date, so no action is needed—this note is just to help reviewers.

Comment thread src/behavior-considered-undefined.md Outdated
* Breaking the pointer aliasing rules. The exact aliasing rules are not determined yet, but here is an outline of the general principles:

`&T` must point to memory that is not mutated while they are live (except for data inside an [`UnsafeCell<U>`]), and `&mut T` must point to memory that is not read or written by any pointer not derived from the reference and that no other reference points to while they are live. `Box<T>` is treated similar to `&'static mut T` for the purpose of these rules. The exact liveness duration is not specified, but some bounds exist:
`&T` must point to memory that is not mutated while they are live (except for data inside an [`UnsafeCell<U>`]), and `&mut T` must point to memory that is not read or written by any pointer not derived from the reference and that no other reference points to while they are live. `Box<T>` is treated similar to `&'static mut T` for the purpose of these rules. These rules apply to *all* references and `Box<T>`, including those inside private fields.

@RalfJung RalfJung Jul 3, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

FWIW all I did is add a single sentence, and then break the liveness part into a separate paragraph. But the newline style makes that very hard to tell from the diff.

EDIT: The "rich" diff makes it fairly clear though.
EDIT2: Now that I did a few more minor edits, the "rich" diff has also fallen apart. In one-sentence-per-line style, the diff would still be very easy to interpret.

View changes since the review

Comment thread src/behavior-considered-undefined.md Outdated
* Breaking the pointer aliasing rules. The exact aliasing rules are not determined yet, but here is an outline of the general principles:

`&T` must point to memory that is not mutated while they are live (except for data inside an [`UnsafeCell<U>`]), and `&mut T` must point to memory that is not read or written by any pointer not derived from the reference and that no other reference points to while they are live. `Box<T>` is treated similar to `&'static mut T` for the purpose of these rules. The exact liveness duration is not specified, but some bounds exist:
`&T` must point to memory that is not mutated while they are live (except for data inside an [`UnsafeCell<U>`]), and `&mut T` must point to memory that is not read or written by any pointer not derived from the reference and that no other reference points to while they are live. `Box<T>` is treated similar to `&'static mut T` for the purpose of these rules. These rules apply to *all* references and `Box<T>`, including those inside private fields.

@jethrogb jethrogb Jul 3, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

including those inside private fields

Hmm this could also be read as "a private field that is a &T", while the intended reading (I believe) is "given &T, fields of T". But I don't know that this addition is particularly useful. I'd rather add a parenthetical for &mut T:

(with no exception for [UnsafeCell<U>])

View changes since the review

@RalfJung RalfJung Jul 3, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this could also be read as "a private field that is a &T"

Yes, that is what is meant.

I'd rather add a parenthetical for &mut T:

If we list all the types that are no exception, we'll never be done.

Note that this edit is about your "I thought this was fine because the reference was never visible to the user". That's what I thought you said anyway.

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can add "no exceptions" without mentioning any particular type. But that's something we could add to every single sentence in the Reference. If people go about randomly assuming exceptions, there's very little we can do.

@RalfJung RalfJung force-pushed the aliasing-in-fields branch from de9c23b to 0b758f2 Compare July 3, 2026 13:57
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

S-waiting-on-review Status: The marked PR is awaiting review from a maintainer

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants