from Hacker News

totally_safe_transmute, Line-by-Line (2021)

by iafisher on 1/8/24, 9:38 PM with 40 comments

  • by petsfed on 1/8/24, 10:45 PM

    I appreciate that "totally_safe_transmute" carries some connotation that this is not a "safe" transmute, but rather a suspiciously specific denial.
  • by pcfwik on 1/9/24, 12:19 AM

    Also possible to do directly in the "safe" type system, without messing around with /proc/mem: https://zyedidia.github.io/blog/posts/5-safe-transmute/
  • by Pesthuf on 1/8/24, 10:56 PM

    Why don't the safe file I/O operations panic when /proc/self/mem is opened for writing? I understand why they don't want to make all of File I/O unsafe just for edge cases like this, but shouldn't this be handled at runtime?
  • by jiggawatts on 1/8/24, 10:40 PM

    This is cute, but I hope it never turns up in any real codebase!

    There’s an updated version with Windows support and better performance: https://github.com/John2143/totally-speedy-transmute/

    What worries me is this macro, which “smuggles” the unsafe keyword past the forbid(unsafe_code) flag: https://github.com/John2143/totally-speedy-transmute/blob/ma...

    In my mind, this kind of capability makes Rust crate safety scanning and associated metadata worthless as currently implemented.

    Package management tools ought to store code instead of binaries, and perform safety checks via instrumented compilers.

  • by api on 1/8/24, 11:54 PM

    This is a really weird hack to say the least. More like a flex showing that the author can implement transmute without unsafe than something you’d really use.
  • by quotemstr on 1/9/24, 3:01 AM

    /proc/self/mem is the moral equivalent of `unsafe`. Of course you can do arbitrary things with it. Why would anyone be surprised? You could use https://man7.org/linux/man-pages/man2/process_vm_readv.2.htm.... You could fork and ptrace. You can do any number of weird things.

    Every day that goes by is a day I think we should make a beeline to CHERI even when we have "safe" languages.

  • by o11c on 1/8/24, 11:54 PM

    `process_vm_writev` would be simpler.
  • by kazinator on 1/8/24, 11:19 PM

    C doesn't provide any reinterpretation operator, and the C++ one's name is a misnomer.

    Casts are conversion: a new value is produced based on an existing one.

    Reinterpretation requires a value to be in memory, and to be accessed using an lvalue of a different type. Most situations of this kind are undefined behavior.
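The distinction drawn in the comment above, as an added C example that is not part of the thread or of totally_safe_transmute: a cast converts (a new value with the same meaning), while `memcpy` between equally sized objects is the well-defined way to reinterpret bytes; the pointer-cast form that `reinterpret_cast` is named after is shown only as a comment because it is undefined behaviour.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Conversion: the cast produces a NEW value with the same mathematical
 * meaning (1.0 -> 1, -2.75 -> -2). No bytes are reinterpreted. */
int32_t convert_float_to_int(float f) {
    return (int32_t)f;
}

/* Reinterpretation: read the same four bytes as a different type.
 * memcpy between objects of equal size is the sanctioned, well-defined
 * way to do this in C (C17 6.5p6 and 6.2.6.1p4); compilers lower it to a
 * plain register move, so there is no runtime cost for the safety. */
uint32_t reinterpret_float_bits(float f) {
    uint32_t bits;
    _Static_assert(sizeof(uint32_t) == sizeof(float), "float must be 32 bits");
    memcpy(&bits, &f, sizeof bits);
    return bits;
}

/* The inverse direction: rebuild a float from a bit pattern, also via
 * memcpy, so an arbitrary pattern (e.g. a NaN) is handled without UB. */
float float_from_bits(uint32_t bits) {
    float f;
    memcpy(&f, &bits, sizeof f);
    return f;
}

/* What the C++ name `reinterpret_cast` suggests, written the UB way:
 * accessing a float object through an lvalue of type uint32_t violates
 * the effective-type (strict aliasing) rule, C17 6.5p7. Deliberately left
 * as a comment; an optimising compiler may legitimately miscompile it.
 *
 *     uint32_t ub_bits = *(uint32_t *)&f;
 */

int main(void) {
    float f = 1.0f;
    printf("conversion:       %d\n", convert_float_to_int(f));       /* 1 */
    printf("reinterpretation: 0x%08X\n", reinterpret_float_bits(f)); /* 0x3F800000 */
    return 0;
}
```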