box: into_raw, from_raw functions

[stepancheg]

Functions are needed for safety and convenience.

It is a common pattern to use mem::transmute to convert between
Box and raw pointer, like this:

let b = Box::new(3);
let p = mem::transmute(b);
// pass `p` to some C library

After this commit, conversion can be written as:

let p = b.into_raw();

into_raw and from_raw functions are still unsafe, but they are
much safer than mem::transmute, because *raw functions do not
convert between incompatible pointers. For example, this likely
incorrect code can be successfully compiled:

let p: *mut u64 = ...
let b: Box<u32> = mem::transmute(p);

Using from_raw results in compile-time error:

let p: *mut u64 = ...
let b: Box<u32> = Box::from_raw(p); // compile-time error

into_raw and from_raw functions are similar to C++ std::unique_ptr
release function [1] and constructor from pointer [2].

[1] https://en.cppreference.com/w/cpp/memory/unique_ptr/release
[2] https://en.cppreference.com/w/cpp/memory/unique_ptr/unique_ptr

[rust-highfive]

r? @brson

(rust_highfive has picked a reviewer for you, use r? to override)

[brson]

Agree this is a common pattern.

r? @alexcrichton are there any alternate approaches to solving this problem?

If accepted this should have tests for boxed DSTs as well - I'm not actually sure whether they will work or not here.

[Gankra]

I am very in favour of this. transmutes are at best awful for semantics.

[stepancheg]

I suddenly realized, that boxed is not tested, at least not with make check-stage0-alloc. Because mod is declared as:

#[cfg(not(test))]
pub mod boxed;

int liballoc/lib.rs.

How it should be dealt with?

[brson]

@stepancheg This is a tricky case because Box must be a lang item because it currently relies on compiler magic. I'd suggest moving everything but the test mod into an inner impl module with cfg(test). Put these reexports in the boxed module:

#[cfg(not(test))] pub use self::impl::{HEAP, Box};
#[cfg(test)] pub use std::boxed::{HEAP, Box};

This will cause the lang item to be present at the desired path under normal builds and test builds.

[alexcrichton]

We need to be pretty cautious adding inherent methods to Box<T> due to it shadowing any method on T itself. The current practice in the std::rc module is to add std::boxed::foo instead of an inherent method. Adding Box::from_raw seems fine to me, but I find it unusual that *const T is used instead of *mut T.

Could the documentation of these methods also be expanded? It would be useful to explain why the function is unsafe as well.

[stepancheg]

Created separate PR that enables tests: #21446
@brson I decided to move tests into separate mod alloc::boxed_test to avoid reimports that complicate things too much.

[stepancheg]

Updated PR with:

• better docs
• test for Box<Traits> conversion to and from raw pointer
• const replaced with mut in from_raw
• into_raw made global function instead of Box member

[alexcrichton]

It may be worth mentioning that the only valid pointers to pass to this function are those created from boxed::into_raw. I don't think we'd want to bake in any assumptions about how Box is allocated and letting others think that it can be used to free any old malloc memory.

[alexcrichton]

cc @aturon, do you have thoughts about these APIs? Am I perhaps too paranoid about inherent methods on smart pointers?

[stepancheg]

Updated PR with more docs and rebased to master.

[aturon]

I'm happy to move forward with this as an #[unstable] pair of free/static fns, as they are now.

[alexcrichton]

@bors: r+ dadd97c

[alexcrichton]

Thanks!

[sinistersnare]

s/of/or ?

[stepancheg]

@sinistersnare fixed, thanks.

[stepancheg]

Updated with typo fixed. @alexcrichton please, re-r+.

[alexcrichton]

@bors: r+ 5a722f8

[bors]

⌛ Testing commit 5a722f8 with merge ca4b967...

[bors]

☀️ Test successful - auto-linux-32-nopt-t, auto-linux-32-opt, auto-linux-64-nopt-t, auto-linux-64-opt, auto-linux-64-x-android-t, auto-mac-32-opt, auto-mac-64-nopt-t, auto-mac-64-opt, auto-win-32-nopt-t, auto-win-32-opt, auto-win-64-nopt-t, auto-win-64-opt

[phil-opp]

Why *mut T and not Unique<T>? From the documentation of Unique:

A wrapper around a raw *mut T that indicates that the possessor of this wrapper owns the referent.