const-eval: allow constants to refer to mutable/external memory, but reject such constants as patterns #140942
@rust-lang/lang nominating for FCP following prior discussion in #140653.
Some changes occurred in src/tools/clippy

cc @rust-lang/clippy
r? @oli-obk (or someone way more familiar with const-eval)
As discussed in #140653 (comment), this sounds right to me, and I propose that we do it.

@rfcbot fcp merge
Team member @traviscross has proposed to merge this. The next step is review by the rest of the tagged team members: Concerns:
Once a majority of reviewers approve (and at most 2 approvals are outstanding), this will enter its final comment period. If you spot a major issue that hasn't been raised at any point in this process, please speak up!

cc @rust-lang/lang-advisors: FCP proposed for lang, please feel free to register concerns.
...but it has conflicts...

@bors r-

Yeah, I was waiting for the reference PR to finish so I don't have to rebase N times.
@bors r=oli-obk
…rors Rollup of 18 pull requests

Successful merges:

- #137843 (make RefCell unstably const)
- #140942 (const-eval: allow constants to refer to mutable/external memory, but reject such constants as patterns)
- #142549 (small iter.intersperse.fold() optimization)
- #142637 (Remove some glob imports from the type system)
- #142647 ([perf] Compute hard errors without diagnostics in impl_intersection_has_impossible_obligation)
- #142700 (Remove incorrect comments in `Weak`)
- #142927 (Add note to `find_const_ty_from_env`)
- #142967 (Fix RwLock::try_write documentation for WouldBlock condition)
- #142986 (Port `#[export_name]` to the new attribute parsing infrastructure)
- #143001 (Rename run always )
- #143010 (Update `browser-ui-test` version to `0.20.7`)
- #143015 (Add `sym::macro_pin` diagnostic item for `core::pin::pin!()`)
- #143033 (Expand const-stabilized API links in relnotes)
- #143041 (Remove cache for citool)
- #143056 (Move an ACE test out of the GCI directory)
- #143059 (Fix 1.88 relnotes)
- #143067 (Tracking issue number for `iter_macro`)
- #143073 (Fix some fixmes that were waiting for let chains)

Failed merges:

- #143020 (codegen_fn_attrs: make comment more precise)

r? `@ghost`
`@rustbot` modify labels: rollup
Rollup merge of #140942 - RalfJung:const-ref-to-mut, r=oli-obk

const-eval: allow constants to refer to mutable/external memory, but reject such constants as patterns

This fixes #140653 by accepting code such as this:

```rust
static FOO: AtomicU32 = AtomicU32::new(0);
const C: &'static AtomicU32 = &FOO;
```

This can be written entirely in safe code, so there can't really be anything wrong with it.

We also accept the much more questionable following code, since it looks very similar to the interpreter:

```rust
static mut FOO2: u32 = 0;
const C2: &'static u32 = unsafe { &mut FOO2 };
```

Using this without causing UB is at least very hard (the details are unclear since it is related to how the aliasing model deals with the staging of const-eval vs runtime code).

If a constant like `C2` is used as a pattern, we emit an error:

```
error: constant BAD_PATTERN cannot be used as pattern
  --> $DIR/const_refs_to_static_fail.rs:30:9
   |
LL |         BAD_PATTERN => {},
   |         ^^^^^^^^^^^
   |
   = note: constants that reference mutable or external memory cannot be used as pattern
```

(If you somehow manage to build a pattern with constant `C`, you'd get the same error, but that should be impossible: we don't have a type that can be used in patterns and that has interior mutability.)

The same treatment is afforded for shared references to `extern static`, for the same reason: the const evaluation is entirely fine with it, we just can't build a pattern for it -- and when using interior mutability, this can be totally sound.

We do still not accept anything where there is an `&mut` in the final value of the const, as that should always require unsafe code and it's hard to imagine a sound use-case that would require this.
Rollup merge of #143092 - RalfJung:const-check-lifetime-ext, r=oli-obk

const checks for lifetime-extended temporaries: avoid 'top-level scope' terminology

This error recently got changed in #140942 to use the terminology of "top-level scope", but after further discussion in rust-lang/reference#1865 it seems the reference will not be using that terminology after all. So let's also remove it from the compiler again, and let's focus on what actually happens with these temporaries: their lifetime is extended until the end of the program.

r? `@oli-obk` `@traviscross`
Pkgsrc changes:
 * Adjust patches to adapt to upstream changes and new versions.
 * associated checksums

Upstream changes relative to 1.89.0:

Version 1.90 (2025-09-18)
==========================

Language
--------
- [Split up the `unknown_or_malformed_diagnostic_attributes` lint] (rust-lang/rust#140717). This lint has been split up into four finer-grained lints, with `unknown_or_malformed_diagnostic_attributes` now being the lint group that contains these lints:
    1. `unknown_diagnostic_attributes`: unknown to the current compiler
    2. `misplaced_diagnostic_attributes`: placed on the wrong item
    3. `malformed_diagnostic_attributes`: malformed attribute syntax or options
    4. `malformed_diagnostic_format_literals`: malformed format string literal
- [Allow constants whose final value has references to mutable/external memory, but reject such constants as patterns] (rust-lang/rust#140942)
- [Allow volatile access to non-Rust memory, including address 0] (rust-lang/rust#141260)

Compiler
--------
- [Use `lld` by default on `x86_64-unknown-linux-gnu`] (rust-lang/rust#140525).
- [Tier 3 `musl` targets now link dynamically by default] (rust-lang/rust#144410). Affected targets:
  - `mips64-unknown-linux-muslabi64`
  - `powerpc64-unknown-linux-musl`
  - `powerpc-unknown-linux-musl`
  - `powerpc-unknown-linux-muslspe`
  - `riscv32gc-unknown-linux-musl`
  - `s390x-unknown-linux-musl`
  - `thumbv7neon-unknown-linux-musleabihf`

Platform Support
----------------
- [Demote `x86_64-apple-darwin` to Tier 2 with host tools] (rust-lang/rust#145252)

Refer to Rust's [platform support page][platform-support-doc] for more information on Rust's tiered platform support.

[platform-support-doc]: https://doc.rust-lang.org/rustc/platform-support.html

Libraries
---------
- [Stabilize `u*::{checked,overflowing,saturating,wrapping}_sub_signed`] (rust-lang/rust#126043)
- [Allow comparisons between `CStr`, `CString`, and `Cow<CStr>`] (rust-lang/rust#137268)
- [Remove some unsized tuple impls since unsized tuples can't be constructed] (rust-lang/rust#138340)
- [Set `MSG_NOSIGNAL` for `UnixStream`] (rust-lang/rust#140005)
- [`proc_macro::Ident::new` now supports `$crate`.] (rust-lang/rust#141996)
- [Guarantee the pointer returned from `Thread::into_raw` has at least 8 bytes of alignment] (rust-lang/rust#143859)

Stabilized APIs
---------------
- [`u{n}::checked_sub_signed`] (https://doc.rust-lang.org/stable/std/primitive.usize.html#method.checked_sub_signed)
- [`u{n}::overflowing_sub_signed`] (https://doc.rust-lang.org/stable/std/primitive.usize.html#method.overflowing_sub_signed)
- [`u{n}::saturating_sub_signed`] (https://doc.rust-lang.org/stable/std/primitive.usize.html#method.saturating_sub_signed)
- [`u{n}::wrapping_sub_signed`] (https://doc.rust-lang.org/stable/std/primitive.usize.html#method.wrapping_sub_signed)
- [`impl Copy for IntErrorKind`] (https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Copy-for-IntErrorKind)
- [`impl Hash for IntErrorKind`] (https://doc.rust-lang.org/stable/std/num/enum.IntErrorKind.html#impl-Hash-for-IntErrorKind)
- [`impl PartialEq<&CStr> for CStr`] (https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3C%26CStr%3E-for-CStr)
- [`impl PartialEq<CString> for CStr`] (https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCString%3E-for-CStr)
- [`impl PartialEq<Cow<CStr>> for CStr`] (https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CStr)
- [`impl PartialEq<&CStr> for CString`] (https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3C%26CStr%3E-for-CString)
- [`impl PartialEq<CStr> for CString`] (https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCStr%3E-for-CString)
- [`impl PartialEq<Cow<CStr>> for CString`] (https://doc.rust-lang.org/stable/std/ffi/struct.CString.html#impl-PartialEq%3CCow%3C'_,+CStr%3E%3E-for-CString)
- [`impl PartialEq<&CStr> for Cow<CStr>`] (https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3C%26CStr%3E-for-Cow%3C'_,+CStr%3E)
- [`impl PartialEq<CStr> for Cow<CStr>`] (https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCStr%3E-for-Cow%3C'_,+CStr%3E)
- [`impl PartialEq<CString> for Cow<CStr>`] (https://doc.rust-lang.org/stable/std/borrow/enum.Cow.html#impl-PartialEq%3CCString%3E-for-Cow%3C'_,+CStr%3E)

These previously stable APIs are now stable in const contexts:

- [`<[T]>::reverse`] (https://doc.rust-lang.org/stable/std/primitive.slice.html#method.reverse)
- [`f32::floor`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.floor)
- [`f32::ceil`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.ceil)
- [`f32::trunc`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.trunc)
- [`f32::fract`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.fract)
- [`f32::round`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round)
- [`f32::round_ties_even`] (https://doc.rust-lang.org/stable/std/primitive.f32.html#method.round_ties_even)
- [`f64::floor`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.floor)
- [`f64::ceil`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.ceil)
- [`f64::trunc`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.trunc)
- [`f64::fract`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.fract)
- [`f64::round`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round)
- [`f64::round_ties_even`] (https://doc.rust-lang.org/stable/std/primitive.f64.html#method.round_ties_even)

Cargo
-----
- [Add `http.proxy-cainfo` config for proxy certs] (rust-lang/cargo#15374)
- [Use `gix` for `cargo package`] (rust-lang/cargo#15534)
- [feat(publish): Stabilize multi-package publishing] (rust-lang/cargo#15636)

Rustdoc
-----
- [Add ways to collapse all impl blocks] (rust-lang/rust#141663). Previously the "Summary" button and "-" keyboard shortcut would never collapse `impl` blocks, now they do when shift is held
- [Display unsafe attributes with `unsafe()` wrappers] (rust-lang/rust#143662)

Compatibility Notes
-------------------
- [Use `lld` by default on `x86_64-unknown-linux-gnu`] (rust-lang/rust#140525). See also <https://blog.rust-lang.org/2025/09/01/rust-lld-on-1.90.0-stable/>.
- [Make `core::iter::Fuse`'s `Default` impl construct `I::default()` internally as promised in the docs instead of always being empty] (rust-lang/rust#140985)
- [Set `MSG_NOSIGNAL` for `UnixStream`] (rust-lang/rust#140005) This may change program behavior but results in the same behavior as other primitives (e.g., stdout, network sockets). Programs relying on signals to terminate them should update handling of sockets to handle errors on write by exiting.
- [On Unix `std::env::home_dir` will use the fallback if the `HOME` environment variable is empty] (rust-lang/rust#141840)
- We now [reject unsupported `extern "{abi}"`s consistently in all positions] (rust-lang/rust#142134). This primarily affects the use of implementing traits on an `extern "{abi}"` function pointer, like `extern "stdcall" fn()`, on a platform that doesn't support that, like aarch64-unknown-linux-gnu. Direct usage of these unsupported ABI strings by declaring or defining functions was already rejected, so this is only a change for consistency.
- [const-eval: error when initializing a static writes to that static] (rust-lang/rust#143084)
- [Check that the `proc_macro_derive` macro has correct arguments when applied to the crate root] (rust-lang/rust#143607)