ptr-to-byte

Author: RalfJung

wip/memory-interface.md

@@ -11,6 +11,7 @@ The interface is also opinionated in several ways; this is not intended to be ab
 For example, it explicitly acknowledges that pointers are not just integers and that uninitialized memory is special (both are true for C and C++ as well but you have to read the standard very careful, and consult non-normative defect report responses, to see this).
 Another key property of the interface presented below is that it is *untyped*.
 This encodes the fact that in Rust, *operations are typed, but memory is not*---a key difference to C and C++ with their type-based strict aliasing rules.
+At the same time, the memory model provides a *side-effect free* way to turn pointers into "raw bytes", which is *not* [the direction C++ is moving towards](http://www.open-std.org/jtc1/sc22/wg14/www/docs/n2364.pdf), so we might have to revisit this choice later.
 
 ## Pointers
 
@@ -36,7 +37,7 @@ enum Byte<Pointer> {
         /// The pointer of which this is a byte.
         ptr: Pointer,
         /// Which byte of the pointer this is.
-        /// `idx` will always be in `0..size_of::<usize>()`.
+        /// `idx` will always be in `0..PTR_SIZE`.
         idx: u8,
     }
 }
@@ -48,21 +49,39 @@ On a 32-bit system, the sequence of 4 bytes representing `ptr: Pointer` is:
 [PtrFragment { ptr, idx: 0 }, PtrFragment { ptr, idx: 1 }, PtrFragment { ptr, idx: 2 }, PtrFragment { ptr, idx: 3 }]
 ```
 
+Based on the `PtrToInt` trait (see below), we can turn every initialized `Byte` into an integer in `0..256`:
+
+```rust
+impl<Pointer: PtrToInt> Byte<Pointer> {
+    fn as_int(self) -> Option<u8> {
+        match self {
+            Byte::Raw(int) => Some(int),
+            Byte::Uninit => None,
+            Byte::PtrFragment { ptr, idx } =>
+                ptr.get_byte(idx),
+        }
+    }
+}
+```
+
 ## Memory interface
 
 The Rust memory interface is described by the following (not-yet-complete) trait definition:
 
 ```rust
 /// *Note*: All memory operations can be non-deterministic, which means that
 /// executing the same operation on the same memory can have different results.
-/// We also let all operations potentially mutated memory. For example, reads
+/// We also let all operations potentially mutate memory. For example, reads
 /// actually do change the current state when considering concurrency or
 /// Stacked Borrows.
 /// And finally, all operations are fallible (they return `Result`); if they
 /// fail, that means the program caused UB.
 trait Memory {
     /// The type of pointer values.
-    type Pointer;
+    type Pointer: Copy + PtrToInt;
+
+    /// The size of pointer values.
+    const PTR_SIZE: u64;
 
     /// Create a new allocation.
     fn allocate(&mut self, size: u64, align: u64) -> Result<Self::Pointer, Error>;
@@ -79,13 +98,16 @@ trait Memory {
     /// Offset the given pointer.
     fn offset(&mut self, ptr: Self::Pointer, offset: u64, mode: OffsetMode) -> Result<Self::Pointer, Error>;
 
-    /// Cast the given pointer to an integer.
-    fn ptr_to_int(&mut self, ptr: Self::Pointer) -> Result<u64, Error>;
-
     /// Cast the given integer to a pointer.
     fn int_to_ptr(&mut self, int: u64) -> Result<Self::Pointer, Error>;
 }
 
+/// The `Pointer` type must know how to extract its bytes, *without any access to the `Memory`*.
+trait PtrToInt {
+    /// Get the `idx`-th byte of the pointer.  `idx` must be in `0..PTR_SIZE`.
+    fn get_byte(self, idx: u8) -> u8;
+}
+
 /// The rules applying to this pointer offset operation.
 enum OffsetMode {
     /// Wrapping offset; never UB.

wip/value-domain.md

@@ -4,7 +4,8 @@
 
 The purpose of this document is to describe what the set of *all possible values* is in Rust.
 This is an important definition: one key element of a Rust specification will be to define the [representation relation][representation] of every type.
-This relation relates values with lists of bytes, so before we can even start specifying the relation we have to specify the involved domains.
+This relation relates values with lists of bytes: it says, for a given value and list of bytes, if that value is represented by that list.
+However, before we can even start specifying the relation, we have to specify the involved domains.
 `Byte` is defined as part of [the memory interface][memory-interface]; this document is about defining `Value`.
 
 [representation]: https://github.com/rust-lang/unsafe-code-guidelines/blob/master/reference/src/glossary.md#representation
@@ -45,7 +46,7 @@ We show some examples for how one might want to use this `Value` domain to defin
 
 ### `bool`
 
-The value relation for `bool` relates `Bool(true)` with `[Raw(0)]` and `Bool(false)` with [`Raw(1)`], and that's it.
+The value relation for `bool` relates `Bool(b)` with `[bb]` if and only if `bb.as_int() == Some(if b { 1 } else { 0 })`.
 
 ### `()`
 
@@ -72,12 +73,12 @@ It also shows that the actual content of the padding bytes is entirely irrelevan
 
 Reference types are tricky.
 But a possible value relation for sized `T` is:
-A value `Ptr(ptr)` is related to `[PtrFragment { ptr, idx: 0 }, ..., PtrFragment { ptr, idx: N-1 }]` where `N == size_of::<usize>()` if `ptr` is non-NULL and aligned to `align_of::<T>()`.
+A value `Ptr(ptr)` is related to `[PtrFragment { ptr, idx: 0 }, ..., PtrFragment { ptr, idx: PTR_SIZE-1 }]` if `ptr` is non-NULL and appropriately aligned (defining alignment is left open for now).
 
 ### `u8`
 
 For the value representation of integer types, there are two different reasonable choices.
-Certainly, a value `Int(i)` where `i` in `0..256` is related to `[Raw(i as u8)]`.
+Certainly, a value `Int(i)` where `i` in `0..256` is related to `[b]` if `b.as_int() == Some(i)`.
 
 And then, maybe, we also want to additionally say that value `Uninit` is related to `[Uninit]`.
 This essentially corresponds to saying that uninitialized memory is a valid representation of a `u8` value (namely, the uninitialized value).