---

yaml
---
r: 145223
b: refs/heads/try2
c: e12c3bf
h: refs/heads/master
i:
  145221: a1ea35d
  145219: 4680cf0
  145215: 2850ff1
v: v3

Author: thestinger

[refs]

@@ -5,7 +5,7 @@ refs/heads/snap-stage3: 78a7676898d9f80ab540c6df5d4c9ce35bb50463
 refs/heads/try: 519addf6277dbafccbb4159db4b710c37eaa2ec5
 refs/tags/release-0.1: 1f5c5126e96c79d22cb7862f75304136e204f105
 refs/heads/ndm: f3868061cd7988080c30d6d5bf352a5a5fe2460b
-refs/heads/try2: 460021bdf2106ee76daf7d81ec7e50e972e26901
+refs/heads/try2: e12c3bfbf999bb565b45b58ae9475d60c9e63ceb
 refs/heads/dist-snap: ba4081a5a8573875fed17545846f6f6902c8ba8d
 refs/tags/release-0.2: c870d2dffb391e14efb05aa27898f1f6333a9596
 refs/tags/release-0.3: b5f0d0f648d9a6153664837026ba1be43d3e2503

branches/try2/doc/rust.md

@@ -962,24 +962,76 @@ parameters to allow methods with that trait to be called on values
 of that type.
 
 
-#### Unsafe functions
-
-Unsafe functions are those containing unsafe operations that are not contained in an [`unsafe` block](#unsafe-blocks).
-Such a function must be prefixed with the keyword `unsafe`.
+#### Unsafety
 
 Unsafe operations are those that potentially violate the memory-safety guarantees of Rust's static semantics.
-Specifically, the following operations are considered unsafe:
+
+The following language level features cannot be used in the safe subset of Rust:
 
   - Dereferencing a [raw pointer](#pointer-types).
-  - Casting a [raw pointer](#pointer-types) to a safe pointer type.
-  - Calling an unsafe function.
+  - Calling an unsafe function (including an intrinsic or foreign function).
 
-##### Unsafe blocks
+##### Unsafe functions
 
-A block of code can also be prefixed with the `unsafe` keyword, to permit a sequence of unsafe operations in an otherwise-safe function.
-This facility exists because the static semantics of Rust are a necessary approximation of the dynamic semantics.
-When a programmer has sufficient conviction that a sequence of unsafe operations is actually safe, they can encapsulate that sequence (taken as a whole) within an `unsafe` block. The compiler will consider uses of such code "safe", to the surrounding context.
+Unsafe functions are functions that are not safe in all contexts and/or for all possible inputs.
+Such a function must be prefixed with the keyword `unsafe`.
+
+##### Unsafe blocks
 
+A block of code can also be prefixed with the `unsafe` keyword, to permit calling `unsafe` functions
+or dereferencing raw pointers within a safe function.
+
+When a programmer has sufficient conviction that a sequence of potentially unsafe operations is
+actually safe, they can encapsulate that sequence (taken as a whole) within an `unsafe` block. The
+compiler will consider uses of such code safe, in the surrounding context.
+
+Unsafe blocks are used to wrap foreign libraries, make direct use of hardware or implement features
+not directly present in the language. For example, Rust provides the language features necessary to
+implement memory-safe concurrency in the language but the implementation of tasks and message
+passing is in the standard library.
+
+Rust's type system is a conservative approximation of the dynamic safety requirements, so in some
+cases there is a performance cost to using safe code.  For example, a doubly-linked list is not a
+tree structure and can only be represented with managed or reference-counted pointers in safe code.
+By using `unsafe` blocks to represent the reverse links as raw pointers, it can be implemented with
+only owned pointers.
+
+##### Behavior considered unsafe
+
+This is a list of behavior which is forbidden in all Rust code. Type checking provides the guarantee
+that these issues are never caused by safe code. An `unsafe` block or function is responsible for
+never invoking this behaviour or exposing an API making it possible for it to occur in safe code.
+
+* Data races
+* Dereferencing a null/dangling raw pointer
+* Mutating an immutable value/reference, if it is not marked as non-`Freeze`
+* Reads of [undef](http://llvm.org/docs/LangRef.html#undefined-values) (uninitialized) memory
+* Breaking the [pointer aliasing rules](http://llvm.org/docs/LangRef.html#pointer-aliasing-rules)
+  with raw pointers (a subset of the rules used by C)
+* Invoking undefined behavior via compiler intrinsics:
+    * Indexing outside of the bounds of an object with `std::ptr::offset` (`offset` intrinsic), with
+      the exception of one byte past the end which is permitted.
+    * Using `std::ptr::copy_nonoverlapping_memory` (`memcpy32`/`memcpy64` instrinsics) on
+      overlapping buffers
+* Invalid values in primitive types, even in private fields/locals:
+    * Dangling/null pointers in non-raw pointers, or slices
+    * A value other than `false` (0) or `true` (1) in a `bool`
+    * A discriminant in an `enum` not included in the type definition
+    * A value in a `char` which is a surrogate or above `char::MAX`
+    * non-UTF-8 byte sequences in a `str`
+
+##### Behaviour not considered unsafe
+
+This is a list of behaviour not considered *unsafe* in Rust terms, but that may be undesired.
+
+* Deadlocks
+* Reading data from private fields (`std::repr`, `format!("{:?}", x)`)
+* Leaks due to reference count cycles, even in the global heap
+* Exiting without calling destructors
+* Sending signals
+* Accessing/modifying the file system
+* Unsigned integer overflow (well-defined as wrapping)
+* Signed integer overflow (well-defined as two's complement representation wrapping)
 
 #### Diverging functions
 

branches/try2/src/libextra/workcache.rs

@@ -198,6 +198,7 @@ impl Database {
     }
 }
 
+// FIXME #4330: use &mut self here
 #[unsafe_destructor]
 impl Drop for Database {
     fn drop(&mut self) {

branches/try2/src/librustc/middle/trans/base.rs

@@ -2559,7 +2559,10 @@ pub fn get_item_val(ccx: @mut CrateContext, id: ast::NodeId) -> ValueRef {
                             // LLVM type is not fully determined by the Rust type.
                             let (v, inlineable) = consts::const_expr(ccx, expr);
                             ccx.const_values.insert(id, v);
-                            let mut inlineable = inlineable;
+                            if !inlineable {
+                                debug!("%s not inlined", sym);
+                                ccx.non_inlineable_statics.insert(id);
+                            }
                             exprt = true;
 
                             unsafe {
@@ -2575,30 +2578,8 @@ pub fn get_item_val(ccx: @mut CrateContext, id: ast::NodeId) -> ValueRef {
                                     lib::llvm::SetUnnamedAddr(g, true);
                                     lib::llvm::SetLinkage(g,
                                         lib::llvm::InternalLinkage);
-
-                                    // This is a curious case where we must make
-                                    // all of these statics inlineable. If a
-                                    // global is tagged as
-                                    // address_insignificant, then LLVM won't
-                                    // coalesce globals unless they have an
-                                    // internal linkage type. This means that
-                                    // external crates cannot use this global.
-                                    // This is a problem for things like inner
-                                    // statics in generic functions, because the
-                                    // function will be inlined into another
-                                    // crate and then attempt to link to the
-                                    // static in the original crate, only to
-                                    // find that it's not there. On the other
-                                    // side of inlininig, the crates knows to
-                                    // not declare this static as
-                                    // available_externally (because it isn't)
-                                    inlineable = true;
                                 }
 
-                                if !inlineable {
-                                    debug!("%s not inlined", sym);
-                                    ccx.non_inlineable_statics.insert(id);
-                                }
                                 ccx.item_symbols.insert(i.id, sym);
                                 g
                             }

branches/try2/src/librustc/middle/trans/inline.rs

@@ -21,7 +21,6 @@ use std::vec;
 use syntax::ast;
 use syntax::ast_map::path_name;
 use syntax::ast_util::local_def;
-use syntax::attr;
 
 pub fn maybe_instantiate_inline(ccx: @mut CrateContext, fn_id: ast::DefId)
     -> ast::DefId {
@@ -69,12 +68,7 @@ pub fn maybe_instantiate_inline(ccx: @mut CrateContext, fn_id: ast::DefId)
             match item.node {
                 ast::item_static(*) => {
                     let g = get_item_val(ccx, item.id);
-                    // see the comment in get_item_val() as to why this check is
-                    // performed here.
-                    if !attr::contains_name(item.attrs,
-                                            "address_insignificant") {
-                        SetLinkage(g, AvailableExternallyLinkage);
-                    }
+                    SetLinkage(g, AvailableExternallyLinkage);
                 }
                 _ => {}
             }

branches/try2/src/librustpkg/rustpkg.rs

@@ -189,7 +189,6 @@ pub trait CtxMethods {
     fn test(&self);
     fn uninstall(&self, _id: &str, _vers: Option<~str>);
     fn unprefer(&self, _id: &str, _vers: Option<~str>);
-    fn init(&self);
 }
 
 impl CtxMethods for BuildContext {
@@ -320,13 +319,6 @@ impl CtxMethods for BuildContext {
             "test" => {
                 self.test();
             }
-            "init" => {
-                if args.len() != 0 {
-                    return usage::init();
-                } else {
-                    self.init();
-                }
-            }
             "uninstall" => {
                 if args.len() < 1 {
                     return usage::uninstall();
@@ -548,13 +540,6 @@ impl CtxMethods for BuildContext {
         fail!("test not yet implemented");
     }
 
-    fn init(&self) {
-        os::mkdir_recursive(&Path("src"),   U_RWX);
-        os::mkdir_recursive(&Path("lib"),   U_RWX);
-        os::mkdir_recursive(&Path("bin"),   U_RWX);
-        os::mkdir_recursive(&Path("build"), U_RWX);
-    }
-
     fn uninstall(&self, _id: &str, _vers: Option<~str>)  {
         fail!("uninstall not yet implemented");
     }
@@ -703,7 +688,6 @@ pub fn main_args(args: &[~str]) {
                     ~"list"    => usage::list(),
                     ~"prefer" => usage::prefer(),
                     ~"test" => usage::test(),
-                    ~"init" => usage::init(),
                     ~"uninstall" => usage::uninstall(),
                     ~"unprefer" => usage::unprefer(),
                     _ => usage::general()

branches/try2/src/librustpkg/tests.rs

@@ -939,7 +939,6 @@ fn no_rebuilding() {
 }
 
 #[test]
-#[ignore]
 fn no_rebuilding_dep() {
     let p_id = PkgId::new("foo");
     let dep_id = PkgId::new("bar");

branches/try2/src/librustpkg/usage.rs

@@ -148,10 +148,3 @@ and exit code will be redirected.
 Options:
     -c, --cfg      Pass a cfg flag to the package script");
 }
-
-pub fn init() {
-    io::println("rustpkg init name
-
-This makes a new workspace for working on a project named name.
-");
-}

branches/try2/src/librustpkg/util.rs

@@ -33,7 +33,7 @@ use workcache_support::{digest_file_with_date, digest_only_date};
 // you could update the match in rustpkg.rc but forget to update this list. I think
 // that should be fixed.
 static COMMANDS: &'static [&'static str] =
-    &["build", "clean", "do", "info", "init", "install", "list", "prefer", "test", "uninstall",
+    &["build", "clean", "do", "info", "install", "list", "prefer", "test", "uninstall",
       "unprefer"];
 
 

branches/try2/src/libstd/os.rs

@@ -196,7 +196,16 @@ pub fn env() -> ~[(~str,~str)] {
             if (ch as uint == 0) {
                 fail!("os::env() failure getting env string from OS: %s", os::last_os_error());
             }
-            let result = str::raw::from_c_multistring(ch as *libc::c_char, None);
+            let mut curr_ptr: uint = ch as uint;
+            let mut result = ~[];
+            while(*(curr_ptr as *libc::c_char) != 0 as libc::c_char) {
+                let env_pair = str::raw::from_c_str(
+                    curr_ptr as *libc::c_char);
+                result.push(env_pair);
+                curr_ptr +=
+                    libc::strlen(curr_ptr as *libc::c_char) as uint
+                    + 1;
+            }
             FreeEnvironmentStringsA(ch);
             result
         }