-
Notifications
You must be signed in to change notification settings - Fork 1.6k
Announcing the Safe-Transmute Project Group #2835
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Merged
Merged
Changes from all commits
Commits
File filter
Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
There are no files selected for viewing
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,116 @@ | ||
| - Feature Name: `project-safe-transmute` | ||
| - Start Date: 2019-12-06 | ||
| - RFC PR: [rust-lang/rfcs#0000](https://github.com/rust-lang/rfcs/pull/0000) | ||
| - Rust Issue: [rust-lang/rust#0000](https://github.com/rust-lang/rust/issues/0000) | ||
|
|
||
| # Summary | ||
| [summary]: #summary | ||
|
|
||
| To form a project group with the purpose of designing subsequent RFCs around the | ||
| topic of safe transmute between types. | ||
| * This RFC explicitly builds off of processes introduced in the [FFI unwinding project | ||
| group RFC](https://github.com/rust-lang/rfcs/pull/2797/files) | ||
| * The primary goal of the group is to determine how to replace most uses of | ||
| [`std::mem::transmute`][transmute] with safe alternatives. | ||
| * Subsequent goals may include extending other language features that are made possible | ||
| with safe transmute including safe reading of union fields | ||
|
|
||
| # Motivation | ||
| [motivation]: #motivation | ||
|
|
||
| Transmuting one type to another type and vice versa in Rust is extremely dangerous --- | ||
| so much so that the docs for [std::mem::transmute][transmute] are essentially a long | ||
| list of how to avoid doing so. However, transmuting is often times necessary especially | ||
| in lower level contexts where copy of bytes is prohibitively expensive. For instance, | ||
| in extremely performance-sensitive use cases, it may be necessary to transmute from | ||
| bytes instead of explicitly copying bytes from a buffer into a struct. | ||
|
|
||
| Because of this fact, [many][zerocopy] [external][safe-transmute] [crates][bytemuck] | ||
| have been developed to tackle this issue, but no single crate has managed to solidify | ||
| itself as a clear favorite in this space. Additionally, while it is possible to improve | ||
| on unsafe transmute considerably in libraries, having such facilities in the standard | ||
| library opens up the possibility of bringing safe constructs to even more currently | ||
| unsafe features. | ||
|
|
||
| For these reasons, we plan on learning from the prior art to implement a standard way of | ||
| transmuting types in a safe way. | ||
|
|
||
| ## Details of the safe transmute project group | ||
|
|
||
| [Repository][repository] | ||
|
|
||
| Initial shepherds: | ||
|
|
||
| * [rylev (Ryan)](https://github.com/rylev) | ||
|
|
||
| Lang team liaisons: | ||
|
|
||
| * [joshtriplett (Josh)](https://github.com/joshtriplett) | ||
|
|
||
| ### Charter | ||
| [charter]: #charter | ||
|
|
||
| The safe transmute project group has the following initial scope: | ||
|
|
||
| * to define APIs for allowing zero copy transmute between types in a completely | ||
| memory safe manner | ||
|
|
||
| Once this scope has been reached, the team may continue working on features that are | ||
| natural extensions of safe transmute like safe reading on union fields. | ||
|
|
||
| ### Constraints and considerations | ||
|
|
||
| In its work, the project-group should consider various constraints and | ||
| considerations: | ||
|
|
||
| * That this feature is meant for performance sensitive workloads | ||
| * That safety is of the upmost importance as there is already a way to | ||
| transmute using unsafe APIs | ||
|
|
||
| ### Participation in the project group | ||
|
|
||
| Like any Rust group, the safe transmute project group intends to operate | ||
| in a public and open fashion and welcomes participation. Visit the | ||
| [repository][repository] for more details. | ||
|
|
||
| # Drawbacks | ||
| [drawbacks]: #drawbacks | ||
|
|
||
| * It is possible that the scope of this endeavor is not large enough to warrant a | ||
| separate project group. | ||
| * It can be argued that the design space has not been fully explored as evidenced by | ||
| the many crates that address the issue without one being the clear "go to", and thus | ||
| this issue should be left to libraries for further iteration. We believe that while | ||
| there is no clear winner among existing crates, they are stable enough, small enough | ||
| and share enough implementation characteristics to be ready for the community to | ||
| rally around one design direction in the standard library. | ||
|
|
||
| # Prior art | ||
| [prior-art]: #prior-art | ||
|
|
||
| The formation of the project group was first discussed in the [FFI unwind | ||
| project group RFC][ffi unwind]. As is state in that RFC, this working group can be | ||
| considered a precursor to the current ["shepherded project group" proposal][shepherd]. | ||
|
|
||
| # Unresolved questions and Future possibilities | ||
| [unresolved-questions]: #unresolved-questions | ||
|
|
||
| Since this RFC merely formalizes the creation of the project group, it | ||
| intentionally leaves all technical details within the project's scope | ||
| unresolved. | ||
|
|
||
| # Future possibilities | ||
| [future-possibilities]: #future-possibilities | ||
|
|
||
| The project group will start with a fairly [limited scope][charter], but if the | ||
| initial effort to design and stabilize APIs for safe transmute between types, | ||
| there is at least one other area that can be expanded upon by this group: safe reading | ||
| of union fields. | ||
|
|
||
| [transmute]: https://doc.rust-lang.org/std/mem/fn.transmute.html | ||
| [ffi unwind]: https://github.com/rust-lang/rfcs/pull/2797 | ||
| [zerocopy]: https://docs.rs/zerocopy | ||
| [safe-transmute]: https://docs.rs/safe-transmute | ||
| [bytemuck]: https://docs.rs/bytemuck | ||
| [shepherd]: http://smallcultfollowing.com/babysteps/blog/2019/09/11/aic-shepherds-3-0/ | ||
| [repository]: https://github.com/rust-lang/project-safe-transmute | ||
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Uh oh!
There was an error while loading. Please reload this page.