Beingessner: Rust’s Unsafe Pointer Types Need An Overhaul

Post syndicated from the original: https://lwn.net/Articles/888693/

Aria Beingessner points out a set of
problems
with Rust’s conception of unsafe pointers and proposes some
fixes in this highly detailed post.

Rust currently says this code is totally cool and fine:

    // Masking off a tag someone packed into a pointer:
    let mut addr = my_ptr as usize;   // pointer -> integer (provenance discarded)
    addr = addr & !0x1;               // clear the low tag bit
    let new_ptr = addr as *mut T;     // integer -> pointer (provenance must be guessed)
    *new_ptr += 10;                   // write through the reconstructed pointer

This is some pretty bog-standard code for messing with tagged pointers, what’s wrong with that?
[…]

For this to possibly work with Pointer Provenance and Alias Analysis, that
stuff must pervasively infect all integers on the assumption that they
might be pointers. This is a huge pain in the neck for people who are
trying to actually formally define Rust’s memory model, and for people who
are trying to build sanitizers for Rust that catch UB. And I assure you
it’s just as much a headache for all the LLVM and C(++) people too.
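The pattern the post flags can be written so that the untagged pointer is derived from the original pointer rather than reconstructed from a bare integer, which is what makes it analyzable for provenance-based tooling. The following is an added example, not code from the post: `with_addr` and `map_addr` here are local helpers that mimic the shape of the API the post proposes (they are not the standard-library functions), built on stable raw-pointer arithmetic, and `untag_via_int` keeps the page's integer round-trip alongside for comparison. A tool such as Miri run with strict provenance checking distinguishes the two forms even though both compute the same address on ordinary hardware.

```rust
/// Return a pointer with the same provenance as `p` but the address `addr`.
/// The result is `p` offset by a byte count, so it stays tied to the allocation
/// `p` came from. (Hypothetical helper shaped like the proposed `with_addr`.)
fn with_addr<T>(p: *mut T, addr: usize) -> *mut T {
    let offset = (addr as isize).wrapping_sub(p as usize as isize);
    p.cast::<u8>().wrapping_offset(offset).cast::<T>()
}

/// Apply an address transformation while keeping `p`'s provenance.
/// (Hypothetical helper shaped like the proposed `map_addr`.)
fn map_addr<T>(p: *mut T, f: impl FnOnce(usize) -> usize) -> *mut T {
    with_addr(p, f(p as usize))
}

/// Only the low bit is used as a tag; the pointee must be at least 2-byte aligned.
const TAG_MASK: usize = 0b1;

/// Pack a one-bit tag into the low bit of `p` without going through an integer.
fn tag<T>(p: *mut T, t: usize) -> *mut T {
    assert!((t & !TAG_MASK) == 0, "tag does not fit in the spare bit");
    assert!(((p as usize) & TAG_MASK) == 0, "pointer has no spare low bit for a tag");
    map_addr(p, |a| a | t)
}

/// Strip the tag, returning the provenance-preserving clean pointer and the tag value.
/// Reading the address (`p as usize`) is fine; only the int-to-ptr direction is the problem.
fn untag<T>(p: *mut T) -> (*mut T, usize) {
    (map_addr(p, |a| a & !TAG_MASK), (p as usize) & TAG_MASK)
}

/// The page's pattern: launder the pointer through `usize` and back.
/// Same address on real hardware, but the new pointer's provenance is
/// unknown to the compiler and to strict-provenance checkers.
fn untag_via_int<T>(p: *mut T) -> *mut T {
    let mut addr = p as usize;
    addr &= !TAG_MASK;
    addr as *mut T
}

/// Round-trip a heap value through a tagged pointer and write through the
/// untagged one. Returns (final value, recovered tag).
fn demo() -> (u32, usize) {
    let raw: *mut u32 = Box::into_raw(Box::new(5u32)); // constructed sample allocation
    let tagged = tag(raw, 1);
    let (clean, t) = untag(tagged);
    // Both strategies agree on the address; only provenance differs.
    assert_eq!(clean as usize, untag_via_int(tagged) as usize);
    // SAFETY: `clean` carries the provenance of `raw`, which points at a live Box.
    let value = unsafe {
        *clean += 10;
        *clean
    };
    // SAFETY: `clean` is the pointer `Box::into_raw` returned (same provenance and address).
    drop(unsafe { Box::from_raw(clean) });
    (value, t)
}

fn main() {
    let (value, t) = demo();
    println!("value after untagged write: {value}, tag: {t}");
}
```

The address arithmetic in `with_addr` is the same trick the standard library uses to implement the proposed API on top of pointer offsets; the point is that every pointer in the program is traceable to the allocation it was derived from, so no integer ever has to be treated as a potential pointer.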