Require opting in to repr-less types? #358
Comments
|
The goal of this feature is to ensure that customers using zerocopy to serialize and deserialize values are doing so consistently. But to achieve this, a I'm on the fence about whether this ergonomic tax is justified by its benefits. |
|
I wonder whether we can just do a more limited analysis - we warn or error if you derive on a type with no repr, and we provide an attribute to silence the warning/error. That's it. No recursive analysis or extra trait. You're still relying on your nested types to do the right thing. It's more like a Clippy lint - "are you sure you meant to do this? Doing this is often just an oversight on the part of the programmer." We'd need to figure out how to design the API to make it clear that this is just a lint and not a guarantee, but I think that'd be a good middle ground. |
|
If we're aiming for a lint, perhaps a lint would be best! We could either:
The benefit of a lint is that the diagnostic could be much better and actually explain things like platform-specific alignment. |
|
Would Clippy accept a lint that depends on knowing about zerocopy? |
|
Also, FWIW, those approaches would not be particularly discoverable. The advantage of doing it ourselves is that we could warn by default. It's exactly the users who wouldn't think to enable such a lint manually who are likely to make this sort of mistake. |
Specifically for zerocopy? No, but this is a general problem. Even bytemuck doesn't account for layout fluctuations caused by platform-specific alignment.
Our derives can check for the explicit presence/absence of |
My concern isn't about |
It wouldn't; clippy would only need a general #[derive(FromBytes)]
struct Foo(Bar, Baz);additionally emit: #[deny(clippy::missing_repr)]
const _: () = {
struct Foo(Bar, Baz);
};...which would trigger the clippy lint. |
|
Oh very clever... But maybe, instead, we could have it be a rustc lint (also allow-by-default)? If it's a Clippy lint, it would only trigger for users running Clippy. |
|
I've started a zulip topic to discuss. A rustc lint would be ideal, but the bar there is higher for getting it totally right on our first go. |
Some of our derives support types without reprs because they're not required for soundness. This can be useful if you don't care about layout stability (and perhaps you care about allowing the compiler to make layout optimizations), but it's a big footgun: it makes it easy to accidentally write code which depends upon type layout without realizing it.
Perhaps we should require users who wish to not use reprs to opt-in to this behavior; something like:
This would be a semver-breaking change, but a minor one, and our error message could suggest the
allowto steer users in the right direction.Note one important subtlety: On its own, this isn't sufficient: if a struct contains another type with a non-stable representation, then even if the outer struct is, e.g.,
repr(C), it isn't sufficient to guarantee the stability of the outer type's layout.It seems unlikely, but perhaps we could also have zerocopy-derive emit a warning that users can
allowusing rustc's built-in machinery. According to this documentation, warnings are not currently supported except on nightly, so this may be a non-starter.The text was updated successfully, but these errors were encountered: