Generalize the wide-pointer total-size bound#2290
Merged
ehuss approved these changes, Jun 16, 2026
We document that, for references and `Box<T>`, pointed-to values with slice or `str` metadata must be no larger than `isize::MAX`. We hadn't required this for pointed-to values with `dyn` metadata. It's tempting to think this isn't necessary since we separately require that the metadata point to a vtable generated by the compiler, which ensures the encoded size of the erased type is OK. But the bound is on the total size of the pointed-to value, including any sized prefix of a type with an unsized tail. Since the prefix combined with the size in the vtable can push us past the limit, we need the separate restriction. Let's apply the rule to both cases and add an admonition to remind ourselves of why this is needed.
Force-pushed from df82d18 to 4a5f81c
Collaborator: This PR was rebased onto a different master commit. Here's a range-diff highlighting what actually changed. Rebasing is a normal part of keeping PRs up to date, so no action is needed; this note is just to help reviewers.
RalfJung reviewed, Jun 29, 2026
| * Slice (`[T]`) and `str` metadata must be a valid `usize`. Furthermore, for wide references and [`Box<T>`], this metadata is invalid if it makes the total size of the pointed-to value bigger than `isize::MAX`. | ||
| * Slice (`[T]`) and `str` metadata must be a valid `usize`. | ||
|
|
||
| In addition, for a wide reference or [`Box<T>`], the metadata is invalid if it makes the total size of the pointed-to value (as determined by `size_of_val`) bigger than `isize::MAX`. |
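Review bot: the new sentence refers to `size_of_val` as bare code while `[`Box<T>`]` on the same line uses the file's reference-style link; for consistency with the surrounding text, link it the same way (e.g. `[`size_of_val`]`) so readers land on its documentation. The sentence also covers `dyn` metadata only implicitly; since the motivating case is a sized prefix plus the size recorded in the vtable, consider naming `dyn` metadata explicitly here or in the admonition the description promises, so the reason the bound is separate from the vtable requirement is visible at the rule itself.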
FWIW I would consider all of this a derived property. It follows from the fact that wide references and Box must be dereferenceable for the actual dynamic size given by their pointee type and metadata, and it is impossible to be dereferenceable for more than isize::MAX bytes as that is the largest an allocation can be.
So, if this is explicitly stated at all, IMO it should only be done non-normatively, as the normative part should avoid such redundancies.
JonathanBrouwer added a commit to JonathanBrouwer/rust that referenced this pull request, Jun 30, 2026:
Update books

## rust-lang/nomicon

1 commits in cc6a6bae8c3bfa389974e533c54694662c1a9de6..5012a37c682b26c4e19433888ed2ca9b129696ca
2026-06-25 10:05:58 UTC to 2026-06-25 10:05:58 UTC

- Clarify when safety may rely on correctness (rust-lang/nomicon#523)

## rust-lang/reference

10 commits in 2c27905c15a51983b54d84f050d3bda096194d27..86635e30bf861a038dc197d7e16fd09e7e514e7a
2026-06-25 17:00:32 UTC to 2026-06-16 18:56:35 UTC

- use-declarations.md: move example to where it's described (rust-lang/reference#2295)
- fix link target (rust-lang/reference#2299)
- remove broken text (rust-lang/reference#2297)
- type-layout: rewrite `#[repr(C)]` struct layout algorithm (rust-lang/reference#2243)
- Fix grammar rules containing or pertaining to bounds (rust-lang/reference#2257)
- Document metadata of ptrs to indirectly unsized types (rust-lang/reference#2289)
- Generalize the wide-pointer total-size bound (rust-lang/reference#2290)
- Cover `str` in the wide-pointer metadata rule (rust-lang/reference#2288)
- Define an unsized tail (rust-lang/reference#2287)
- Define pointer metadata (rust-lang/reference#2286)
We document that, for references and `Box<T>`, pointed-to values with slice or `str` metadata must be no larger than `isize::MAX`. We hadn't required this for pointed-to values with `dyn` metadata. It's tempting to think this isn't necessary since we separately require that the metadata point to a vtable generated by the compiler, which ensures the encoded size of the erased type is OK. But the bound is on the total size of the pointed-to value, including any sized prefix of a type with an unsized tail. Since the prefix combined with the size in the vtable can push us past the limit, we need the separate restriction.

Let's apply the rule to both cases and add an admonition to remind ourselves of why this is needed.
I'm breaking this out from #2282 so that we can merge the prerequisites before considering the new lang guarantees.
This is stacked on #2286 and #2287 and #2288 and those should be merged first.
cc @ehuss @RalfJung @Mark-Simulacrum
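To make the "sized prefix plus vtable size" argument from the description (and the dereferenceability view in RalfJung's comment) concrete, here is an added example that is not part of the PR or the reference text. `Payload` and `Wrapped` are hypothetical names used only for this demonstration; `checked_total_size` models how `size_of_val` combines a sized prefix with an unsized tail and reports `None` once the total would exceed `isize::MAX`.

```rust
use std::mem::{align_of_val, size_of_val};

// Hypothetical trait and wrapper, used only for this demonstration.
trait Payload {}
impl<T: ?Sized> Payload for T {}

// A sized prefix followed by an unsized (`dyn`) tail.
struct Wrapped<T: ?Sized> {
    prefix: [u64; 4], // 32 bytes, alignment 8
    tail: T,
}

fn round_up(n: usize, align: usize) -> Option<usize> {
    debug_assert!(align.is_power_of_two());
    let mask = align - 1;
    n.checked_add(mask).map(|v| v & !mask)
}

/// Total size of a value with a sized prefix and an unsized tail, computed
/// the way `size_of_val` does: prefix, padded up to the tail's alignment,
/// plus the tail's size, padded to the overall alignment. Returns `None`
/// when the total exceeds `isize::MAX`, the bound the reference places on
/// values behind a wide reference or `Box<T>`.
fn checked_total_size(prefix_size: usize, prefix_align: usize,
                      tail_size: usize, tail_align: usize) -> Option<usize> {
    let align = prefix_align.max(tail_align);
    let tail_offset = round_up(prefix_size, tail_align)?;
    let unpadded = tail_offset.checked_add(tail_size)?;
    let total = round_up(unpadded, align)?;
    (total <= isize::MAX as usize).then_some(total)
}

/// Sizes the compiler reports for the whole value and for the erased tail
/// alone: the vtable only knows the tail, `size_of_val` adds the prefix back.
fn whole_and_tail_sizes(w: &Wrapped<dyn Payload>) -> (usize, usize) {
    (size_of_val(w), size_of_val(&w.tail))
}

/// Check the model against the compiler's own answer for a real value.
fn model_matches_compiler(w: &Wrapped<dyn Payload>) -> bool {
    checked_total_size(size_of_val(&w.prefix), align_of_val(&w.prefix),
                       size_of_val(&w.tail), align_of_val(&w.tail))
        == Some(size_of_val(w))
}

fn main() {
    let concrete = Wrapped { prefix: [0u64; 4], tail: [0u8; 100] };
    let w: &Wrapped<dyn Payload> = &concrete; // unsizing coercion on the tail
    println!("whole/tail sizes = {:?}", whole_and_tail_sizes(w)); // (136, 100)
    assert!(model_matches_compiler(w));
    // A tail whose vtable size is fine on its own still fails once the prefix is added.
    assert_eq!(checked_total_size(0, 1, isize::MAX as usize, 1), Some(isize::MAX as usize));
    assert_eq!(checked_total_size(32, 8, isize::MAX as usize, 1), None);
}
```

The last two assertions are the point of the PR: the vtable's size field alone can be at the limit, and only the total including the prefix exceeds it.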