Clarify one-past-the-end pointer validity #154370
justanotheranonymoususer wants to merge 2 commits into
|
r? @scottmcm rustbot has assigned @scottmcm.
|
| /// | ||
| /// * If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some | ||
| /// [allocation], and the entire memory range between `self` and the result must be in | ||
| /// [allocation], and the entire memory range between `self` and the result (not including result) must be in |
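Review bot: The parenthetical "(not including result)" on the added line fixes only one endpoint and is only right when the result is the higher address; it says nothing about whether `self` belongs to the range. Name both ends, for example by describing the range as running from the lower of the two addresses (included) to the higher one (excluded). If the prose form is kept, it needs the article: "not including the result".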
|
for sub the self argument is after the result, so this would need to be not including self, right? also "memory range from the result to self (exclusive)" reads a bit more fluently to me.
|
For sub, not sure if the note is relevant because the pointer isn't moving forward. If non-zero and non-wraparound, you can't end up in the one-past-the-end situation anyway.
For "not including result" vs "exclusive", for me as not a native speaker, my version is clearer, but I can change. Let me know.
|
"not including result" is missing an article: "not including the result". And that's quite verbose, so I too would prefer "exclusive".
|
Changed
|
@rustbot reroll |
|
@joboet ping :) anything still needs to be done? |
| /// | ||
| /// * If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some | ||
| /// [allocation], and the entire memory range between `self` and the result must be in | ||
| /// [allocation], and the entire memory range between `self` and the result (not including result) must be in |
|
"not including result" is missing an article: "not including the result". And that's quite verbose, so I too would prefer "exclusive".
|
Reminder, once the PR becomes ready for a review, use |
|
|
@rustbot ready |
|
r? RalfJung |
|
|
|
Cc @rust-lang/opsem That's a good point -- ranges are by default left-inclusive right-exclusive in Rust, but this should be made explicit. |
|
|
||
| * If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some | ||
| [allocation], and the entire memory range between `self` and the result must be in | ||
| [allocation], and the entire memory range between `self` and the result (exclusive) must be in |
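Review bot: "(exclusive)" after "between `self` and the result" on the added line does not say which endpoint is excluded, and it can be read as excluding both. Spell the range out as half-open, with the lower address included and the higher address excluded, so the condition does not depend on how the reader attaches the parenthetical.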
|
Actually this is wrong. If the offset is negative, it's inclusive the result and exclusive self. Or put differently, it's always min(self, result) .. max(self, result).
@rustbot author
|
I give up, please take it from here
…On Wed, May 13, 2026 at 12:43 PM Ralf Jung ***@***.***> wrote:
***@***.**** commented on this pull request.
------------------------------
In library/core/src/ptr/docs/offset.md
<#154370 (comment)>:
> @@ -11,7 +11,7 @@ If any of the following conditions are violated, the result is Undefined Behavio
"wrapping around"), must fit in an `isize`.
* If the computed offset is non-zero, then `self` must be [derived from][crate::ptr#provenance] a pointer to some
-[allocation], and the entire memory range between `self` and the result must be in
+[allocation], and the entire memory range between `self` and the result (exclusive) must be in
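Review bot: The `+` line is in the docs for `offset` (library/core/src/ptr/docs/offset.md), whose count is signed, so the parenthetical has to hold for a negative offset as well. In that direction the result is the low end of the range, and wording that ties the excluded end to "the result" no longer matches. Phrase the range by lower and higher address rather than by `self` and result.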
Actually this is wrong. If the offset is negative, it's inclusive the
result and exclusive self. Or put differently, it's always min(self,
result) .. max(self, result).
@rustbot <https://github.com/rustbot> author
|
|
That's fair, thanks for taking a stab! We should improve our docs here, but it's not easy to get such docs right. I opened a PR at #156666. |
Clarify meaning of ranges in pointer offset docs Supersedes rust-lang#154370
It's documented that `vec.as_ptr().add(vec.len())` is safe, but the main safety condition wasn't clear enough.
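An added example (not code from this PR or from the Rust standard library) that models the range condition discussed in the thread, `min(self, result)..max(self, result)`, on plain addresses, next to a real walk to the one-past-the-end pointer and back. The function names and the constructed addresses are assumptions made for illustration, and the model ignores provenance.

```rust
use std::ops::Range;

/// Byte range crossed when moving `offset` bytes from `self_addr`:
/// min(self, result) .. max(self, result), half-open.
/// Returns None if the address computation overflows.
fn touched_range(self_addr: usize, offset: isize) -> Option<Range<usize>> {
    let result = self_addr.checked_add_signed(offset)?;
    Some(self_addr.min(result)..self_addr.max(result))
}

/// Model of the in-bounds condition for an allocation of `len` bytes at `base`.
/// A zero offset is always accepted, matching the "if non-zero" wording.
fn offset_in_bounds(base: usize, len: usize, self_addr: usize, offset: isize) -> bool {
    if offset == 0 {
        return true;
    }
    match (touched_range(self_addr, offset), base.checked_add(len)) {
        (Some(r), Some(end)) => base <= r.start && r.end <= end,
        _ => false,
    }
}

/// Walks to the one-past-the-end pointer and back, reading only in-bounds bytes.
fn sum_backwards(v: &[u8]) -> u32 {
    let mut sum = 0u32;
    // SAFETY: the range as_ptr()..as_ptr()+len lies inside the slice.
    let mut p = unsafe { v.as_ptr().add(v.len()) }; // one past the end, never read
    for _ in 0..v.len() {
        // SAFETY: p is above the start, so p-1..p is inside the slice; after
        // the step, p points at a live element and may be read.
        unsafe {
            p = p.sub(1);
            sum += u32::from(*p);
        }
    }
    sum
}

fn main() {
    let (base, len) = (0x1000usize, 4usize); // constructed addresses
    println!("{}", offset_in_bounds(base, len, base, 4)); // to one past the end
    println!("{}", offset_in_bounds(base, len, base + 4, -4)); // back to the start
    println!("{}", offset_in_bounds(base, len, base, 5)); // range leaves the allocation
    println!("{}", sum_backwards(&[1, 2, 3, 4]));
}
```

The forward and backward moves cross the same half-open range, which is why the excluded end is the higher address in both directions rather than "the result".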