Do aliasing mutable raw pointers (*mut T) cause undefined behaviour?

Question

&mut T and &mut T results in a compilation error; this is great, it's objectively wrong to borrow mutably twice.

Is *mut T and*mut T undefined behaviour or is this a perfectly valid thing to do? That is, is mutable pointer aliasing valid?

What makes it even worse is that &mut T and *mut T actually compiles and works as intended, I can modify a value through the reference, the pointer, and then the reference again... but I've seen someone say that it's undefined behaviour. Yeah, "someone said so" is the only information I have.

Here's what I tested:

fn main() {
    let mut value: u8 = 42;

    let r: &mut u8 = &mut value;
    let p: *mut u8 = r as *mut _;

    *r += 1;

    unsafe { *p += 1; }

    *r -= 1;

    unsafe { *p -= 1; }

    println!("{}", value);
}

and of course, the main point of question:

Note — Thanks to trentcl for pointing out this example actually causes a copy when creating p2. This can be confirmed by replacing u8 with a non-Copy type. The compiler then complains about a move. Sadly, this does not get me closer to the answer, only reminds me that I can get unintended behaviour without it being undefined behaviour, simply because of Rust's move semantics.

fn main() {
    let mut value: u8 = 42;

    let p1: *mut u8 = &mut value as *mut _;
    // this part was edited, left in so it's easy to spot
    // it's not important how I got this value, what's important is that it points to same variable and allows mutating it
    // I did it this way, hoping that trying to access real value then grab new pointer again, would break something, if it was UB to do this
    //let p2: *mut u8 = &mut unsafe { *p1 } as *mut _;
    let p2: *mut u8 = p1;

    unsafe {
        *p1 += 1;
        *p2 += 1;
        *p1 -= 1;
        *p2 -= 1;
    }

    println!("{}", value);
}

Both yield:

Does this imply that two mutable pointers pointing to the same location and being dereferenced at different times is not undefined behaviour?

I don't think testing this on compiler is a good idea to begin with, as undefined behaviour could have anything happen, even printing 42 as if nothing is wrong. I mention it anyway as this is one of things I tried, hoping to get an objective answer.

I have no clue how to write a test that could force erratic behaviour that would make it dead obvious that this doesn't work because it's not used as intended, if that's even possible to do so.

I'm aware that this is very likely to be undefined behaviour and break in a multithreaded environment no matter what. I would expect a more detailed answer than that, though, especially if mutable pointer aliasing IS NOT undefined behaviour. (This would in fact be awesome, because while I use Rust for reasons like everyone else - memory safety, to say the least... I expect to still retain a shotgun that I could point anywhere, without it being locked onto my feet. I can have aliased "mutable pointers" without blowing my feet off in C.)

This is a question about whether I can, not about whether I should. I want to dive head-on into unsafe Rust, just to learn about it, but it feels like there's not enough information unlike in "horrible" languages like C about what's undefined behaviour and what's not.

You can create aliased mutable pointers without any `unsafe`, so just creating them must be safe, by definition. Using them is another matter, of course... — rodrigo, Aug 05 '19 at 19:43
Your second example doesn't do what you think: `p1` and `p2` don't alias. [proof](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=1ae3b9b8ef4c532dd4d5b2910ac4503d) — trent, Aug 05 '19 at 19:55
@trentcl Does that imply that it's indeed UB? Because I just tried the obvious way, which is `p2 = p1` like you would do naturally... And then they point to the same memory location, like expected. I don't really understand *that* low level kind of stuff, but this is completely wrong. It copies the value and then...? — , Aug 05 '19 at 20:04
... It actually copies value when dereferencing, [I changed it](https://play.rust-lang.org/?version=stable&mode=release&edition=2018&gist=940eacb177193d32041b717b49b1f992), and it complains about moving out. Is this a gotcha of unsafe Rust and is intended, or part of UB? Assigning a pointer directly (which does not move/copy value), shows same address. I also almost understand why it behaves like that, but also it is what I fear the most, if this is UB, then p2 = p1 will be too, and playing with raw pointers is impossible. — , Aug 05 '19 at 20:11
It's not UB. It's temporary lvalue-promotion -- see [Why is it legal to borrow a temporary?](https://doc.rust-lang.org/book/ch04-02-references-and-borrowing.html#the-rules-of-references) `unsafe { *p1 }` returns a copied `u8` and `&mut` takes a reference to the copy. [You could write the same thing with no `unsafe` or raw pointers at all, although it's obviously not what you intended](https://play.rust-lang.org/?version=stable&mode=debug&edition=2018&gist=c8d3c74b94cfa92dd377c1e2d3df5296). — trent, Aug 05 '19 at 20:32
I see, that was just a bad example by me then. I wrote that part without thinking about Rust's move semantics that do not disappear just because code is unsafe. And the safe version makes that mistake perfectly clear, I indeed would expect it to be copied in there. I'll edit my question with this. Sadly, the question remains the same for values that have really aliased raw pointers. — , Aug 05 '19 at 20:38
The first example is still UB because the compiler needs to take a `&mut` reference to `*p` in order to perform `+=` on it. And yeah, you can't "just" move a (non-`Copy`) type out of a `*mut` pointer, because doing so is even *more* unsafe than just dereferencing the thing -- you need to use `ptr::read` for that. — trent, Aug 05 '19 at 20:39
Using multiple mutable raw pointers to change the same memory location is not UB in Rust, even if these pointers have different types, which would be UB in C++. In a way, you get even more power in Rust than in C++. However, you need to be very careful to never create multiple mutable references at the same time. (I don't have time to expand this to a proper answer and find references, so leaving this as a comment.) — Sven Marnach, Aug 05 '19 at 20:49
@SvenMarnach when you do have time though, could you expand on it, possibly in form of the answer, so whoever finds this can have a clear answer? And yes, multiple references or references alongside pointers, aren't something that should ever happen, that part is clear now. That's why my question is split into 2 parts, one for `&mut and *mut`, and one for `*mut and *mut`. Also, strict aliasing wasn't on my mind at all, but if what you say is true, although it's not something I'd be willing to use, especially after learning not to break it in C++, I'm happy to learn that it's an option. — , Aug 05 '19 at 20:56
@trentcl The surprising bit in the first version of the second example is that `unsafe { &mut *p1 }` is different from `&mut unsafe { *p1 }`. The unsafe block turns the place expression into a value expression, thereby triggering a move. — Sven Marnach, Aug 05 '19 at 21:04
See also [How to use (unsafe) aliasing?](https://stackoverflow.com/q/30406852/155423); [What are the differences between `*const T` and *mut T` raw pointers?](https://stackoverflow.com/q/55664870/155423). — Shepmaster, Aug 06 '19 at 00:27
@SvenManarch I found why it behaves like that. Dereference of a pointer must be contained inside unsafe {}, otherwise the value is attempted to be "moved out" into safe code for safety reasons. This in turn puts all the work on you, which is unsurprisingly the point of using unsafe. [source](https://stackoverflow.com/a/47879906/11877195) — , Aug 06 '19 at 06:48

trent · Accepted Answer · 2019-08-05T23:36:51.533

13

Author's note: The following is an intuitive explanation, not a rigorous one. I don't believe there is a rigorous definition of "aliasing" in Rust right now, but you may find it helpful to read the Rustonomicon chapters on references and aliasing.

The rules of references (&T and &mut T) are simple:

At any given time, you can have either one mutable reference or any number of immutable references.

References must always be valid.

There are no "rules of raw pointers". Raw pointers (*const T and *mut T) can alias anything, anywhere, or they can point to nothing at all.

Undefined behavior can happen when you dereference a raw pointer, implicitly or explicitly turning it into a reference. This reference still must obey the rules of references, even when the & isn't explicit in the source code.

In your first example,

unsafe { *p += 1; }

*p += 1; takes a &mut reference to *p in order to use the += operator, as if you had written

unsafe { AddAssign::add_assign(&mut *p, 1); }

(The compiler does not actually use AddAssign to implement += for u8, but the semantics are the same.)

Because &mut *p is aliased by another reference, namely r, the first rule of references is violated, causing undefined behavior.

Your second example (since editing) is different because there is no reference to alias, only another pointer, and there are no aliasing rules that govern pointers. Therefore, this

let p1: *mut u8 = &mut value;
let p2: *mut u8 = p1;

unsafe {
    *p1 += 1;
    *p2 += 1;
    *p1 -= 1;
    *p2 -= 1;
}

in the absence of any other references to value, is perfectly sound.

edited Aug 05 '19 at 23:36

answered Aug 05 '19 at 20:58

trent

25,033
7
51
90

Thank you. In the last part you mention that in multithreaded case this does not hold (due to data races), I think it's worth mentioning that it, as far as I understand, is cimcurvented by using `AtomicPtr`, as that structure, I'm quoting, `has the same in-memory representation as a *mut T`, and is worth a mention in the answer. – Aug 05 '19 at 21:11
1

@Sahsahae `AtomicPtr` actually solves a different problem: how to synchronize access to the pointer itself (it doesn't synchronize the `T`). But perhaps I conveyed the wrong impression: it's still fine to use `*mut T` in multithreaded contexts, as long as the rules of references are preserved. Synchronizing access requires either atomicity (might as well use `AtomicU8`), or runtime checks (might as well use `Mutex` or `RwLock`). Both atomics and `Mutex`/`RwLock` are implemented using raw pointers. – trent Aug 05 '19 at 21:22
2

As much as I'd like to upvote, I am afraid that this is a tad simplistic. The rule *"At any given time, you can have either one mutable reference or any number of immutable references."* does not rule out having multiple mutable references **in scope**. After all, when borrowing, the original mutable reference is still in scope, you're just not allowed to use it for the time of the borrow. – Matthieu M. Aug 06 '19 at 09:18
@Matthieu I agree. I'm not sure I can make it less simplistic, though, without trying to define in exact terms what's meant by "aliasing" and "liveness", which are pretty poorly defined (at least in official sources). The rule you quote is straight from TRPL. – trent Aug 06 '19 at 12:14
@trentcl: I agree, I think we're hitting the limits of Ralf's work here. I don't necessarily see `*r += 1; unsafe { *p += 1; } *r += 1;` as problematic, as it could be argued that `*p` borrowed `r` for the duration of the statement, then released the borrow before the second increment of `r`. In practice, this seems impractical as the analysis required would be too complicated, but from a temporal point of view it's arguably possible. I think it'd be rejected by Ralf's Stacked Borrows, due the lack of causality, but... – Matthieu M. Aug 06 '19 at 12:44
@MatthieuM.: I don't see why there should be any practical difficulty with having a construct which says "a compiler should behave as though the actions of entering or leaving this block might arbitrarily affect any object whose address has ever escaped". Any loop containing such a construct or calls to a function that contains such a construct would likely perform badly, but if a function performs three loops in sequence and one of them calls a function containing such a construct, that shouldn't affect the performance of the other two. If programmers only use such a construct when... – supercat Aug 06 '19 at 15:28
...there would be no other practical way to do what needs to be done, then the only programs where the performance costs of the construct would be relevant would be those which wouldn't be practical at all in its absence. – supercat Aug 06 '19 at 15:29
@MatthieuM.: Among other things, when doing systems programming, it may be necessary to do things like change memory mappings, etc. and ensure that operations which were relevant under one memory mapping don't get reordered across operations that change mappings. Actually, an even stronger directive that applies to all static objects could be helpful in systems that allow linker control of static object placement. – supercat Aug 06 '19 at 15:34

Do aliasing mutable raw pointers (*mut T) cause undefined behaviour?

1 Answers1

Linked