Rewrite safety requirements for Allocator impls#157801
Open
theemathas wants to merge 2 commits into
Open
Conversation
rustbot
added
S-waiting-on-review
theemathas
added
A-allocators
theemathas
commented
Jun 12, 2026
Comment on lines
+152
to
+155
| /// until that memory block is [*invalidated*]. The implementor must also | ||
| /// not violate this invariant of `Allocator` via allocator equivalences | ||
| /// that are in the implementor's control (e.g., via a misbehaving | ||
| /// `impl Clone for Box<MyAllocator>`). |
Contributor
Author
There was a problem hiding this comment.
Any ideas on how to better word this?
I define the concept of "equivalent allocators", in order to be able
to talk about cloning allocators, and to give commonsense guarantees
about stdlib `Allocator` impls.
I define the concept of "invalidating a memory block" in order to be
able to talk about users not being allowed to use a block of allocated
memory after its allocator is "gone".
An `Allocator` implementation is now allowed to invalidate its
allocations when the allocator is mutated or when a lifetime in the
allocator type expires.
Mutation of an `Allocator` should sensibly be allowed to invalidate its
allocations. For example, the `bumpalo` crates has a `Bump::reset`
method that takes `&mut self` and invalidates all past allocations.
Accesses via `&` still must not invalidate past allocations since,
for example, `Box` provides `&` access to the allocator.
I still had the "allocator destructor" clause as a separate clause from
the `&mut` clause, to avoid questions about whether drop glue of types
that don't implement `Drop` but have fields that implement `Drop` counts
as creating a `&mut` to the whole thing.
The "lifetime expiry" clause closes a hole/ambiguity on when an
allocator is considered to be "dropped" if it does not have a
destructor. Additionally, this clause matches what is required for
`Box::into_pin` and `{Rc, Arc}::pin` to be sound. (Those methods have an
`A: 'static` bound to prevent allocating via a `&MyAllocator` and then
running `MyAllocator`'s destructor.)
theemathas
force-pushed
the
allocator-safety-rewrite
branch
from
2861839 to
d9b90b0
Compare
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
This comment was marked as resolved.
nia-e
reviewed
Jun 12, 2026
This comment was marked as resolved.
This comment was marked as resolved.
Contributor
Author
|
Talked in DMs with @nia-e, and we agreed that we should use a symmetric relationship, since that is easier to explain to users. If a library needs an asymmetric relationship, they can define their own concept with their own name, and that library can add that extra promise for their allocators on top of the requirements of |
theemathas
added
needs-fcp
clarfonthey
reviewed
Jun 12, 2026
Comment on lines
+90
to
+92
| /// Note: Currently, the interaction between cloning and unsize-coercing allocators | ||
| /// is unsound, and there is ongoing discussion on how to revise the `Allocator` trait | ||
| /// to fix this. See [#156920]. |
Contributor
There was a problem hiding this comment.
Personally, I would be in favour of just incorporating AllocatorEq and AllocatorClone into whichever PR does these wording changes, since that fixes the problem and feels like a more reasonable way to do it.
That way, we require implementing those two traits to prove sound equivalence.
nia-e
approved these changes
Jun 15, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
5 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
View all comments
This PR supersedes #156544.
cc #157428, #156920
cc @nia-e
r? @Amanieu (reviewer of #156544)
I define the concept of "equivalent allocators", in order to be able to talk about cloning allocators, and to give commonsense guarantees about stdlib
Allocatorimpls.I define the concept of "invalidating a memory block" in order to be able to talk about users not being allowed to use a block of allocated memory after its allocator is "gone".
An
Allocatorimplementation is now allowed to invalidate its allocations when the allocator is mutated or when a lifetime in the allocator type expires.Mutation of an
Allocatorshould sensibly be allowed to invalidate its allocations. For example, thebumpalocrates has aBump::resetmethod that takes&mut selfand invalidates all past allocations. Accesses via&still must not invalidate past allocations since, for example,Boxprovides&access to the allocator.I still had the "allocator destructor" clause as a separate clause from the
&mutclause, to avoid questions about whether drop glue of types that don't implementDropbut have fields that implementDropcounts as creating a&mutto the whole thing.The "lifetime expiry" clause closes a hole/ambiguity on when an allocator is considered to be "dropped" if it does not have a destructor. Additionally, this clause matches what is required for
Box::into_pinand{Rc, Arc}::pinto be sound. (Those methods have anA: 'staticbound to prevent allocating via a&MyAllocatorand then runningMyAllocator's destructor.)