Extending lifetime of stack variable to 'static

andresovela · October 28, 2023, 3:06pm

The concrete question would be, if you have a variable on the stack of a function that never returns, is it safe to extend its lifetime to 'static using transmute?

fn main() -> ! {
    let x = 42;

    // Safety: This function never returns, therefore the reference is valid
    // until the end of the program
    let x = unsafe { make_static(&x) };

    loop {
        take_static_ref(x);
    }
}

fn take_static_ref(x: &'static i32) {
    println!("{x}");
}


unsafe fn make_static<T>(t: &T) -> &'static T {
    core::mem::transmute(t)
}

jeanas · October 28, 2023, 3:20pm

It's been debated, not sure if it has been resolved.

github.com/rust-lang/unsafe-code-guidelines

Soundness conflicts

opened 09:40AM - 24 Nov 22 UTC

RalfJung

Sometimes it happens that two unsafe-using libraries are sound in isolation, but… unsound when combined. Each time that happens, Rust has to decide which side to consider sound. Ultimately this boils down to precisely specifying the safety invariants of all our types -- but doing that requires something like [RustBelt](https://plv.mpi-sws.org/rustbelt/popl18/), so it is hard to have that discussion in full generality. (Also that would involve T-types at least as much as WG-UCG / T-opsem.) But meanwhile, it would be good to collect the cases of these conflicts here that we find out there in the wild. The most famous case of this is of course leakpocalypse: `Rc` vs pre-Rust-1.0-scoped-threads, which famously got decided in favor of `Rc` (and `mem::forget`). Another case is that without `union` and `ManuallyDrop`, [`josephine` would be sound](https://internals.rust-lang.org/t/rust-1-20-caused-pinning-to-become-incorrect/6695). Again the resolution for the ecosystem is clearly in favor of `union`s and `ManuallyDrop`. **The point of this thread is *not* to discuss any of these conflicts and figure out which side we want to bless. It is solely to collect the known cases in a central location.** * take_mut vs partial-borrow: see [here](https://github.com/rust-lang/rfcs/pull/1736#issuecomment-1311564676) for details and discussion. * mk_static vs Stack Tokens: see [reddit](https://www.reddit.com/r/rust/comments/z2jk23/comment/ixlglft/?utm_source=share&utm_medium=web2x&context=3) for details. * `Pin` is seriously under-specified and probably has quite a few of these conflicts, [here is one](https://internals.rust-lang.org/t/pre-rfc-field-projection/17383/66). * "Partial move out of `Drop` type" vs a pattern that assumes that exactly that does not happen (coming up in [this RFC](https://github.com/rust-lang/rfcs/pull/3466)).

https://www.reddit.com/r/rust/comments/z2jk23/a_better_way_to_borrow_in_rust_stack_tokens/?rdt=44776

SkiFire13 · October 28, 2023, 3:25pm

It's not enough for the function to never return, it also need to never unwind (i.e. never panic), otherwise stack variables will be dropped during the unwind and the static reference will become invalid.

In my opinion your example is much better solved by leaking a Box.

andresovela · October 28, 2023, 3:28pm

I'm working on firmware that has no allocator available, so this is not an option in my case.

mdHMUpeyf8yluPfXI · October 28, 2023, 3:34pm

It is unsound because you can mutate the value behind the shared reference, which is UB. You can check this with MIRI on the playground.

fn main() -> ! {
    let mut a = 42;

    let x = unsafe { make_static(&a) };
    dbg!(x);
    a = 43;
    let y = unsafe { make_static(&a) };

    dbg!(x);
    dbg!(y);
    
    loop {}
}

unsafe fn make_static<T>(t: &T) -> &'static T {
    core::mem::transmute(t)
}

SkiFire13 · October 28, 2023, 3:37pm

Then I guess you won't call this function more than once. In that case have you considered using a static, potentially in combination with an OnceCell for initialization?

andresovela · October 28, 2023, 3:40pm

It seems this problem goes away if you remove the mut from a. Would that make the code sound?

Then I'd add this variable is immutable to the safety comments too.

mdHMUpeyf8yluPfXI · October 28, 2023, 3:42pm

No, it could have interior mutability, like Cell.

andresovela · October 28, 2023, 3:49pm

Why does interior mutability affect the soundness of the code? If there was unsoundness in the code with interior mutability, the code would be unsound with or without the transmute, wouldn't it? The transmute is just extending the lifetime of the variable, nothing else.

steffahn · October 28, 2023, 3:58pm

This is probably sound; I wonder if a crate for this exists:

fn with_static<T: 'static>(
    mut x: T,
    f: impl FnOnce(&'static mut T) -> std::convert::Infallible, // <- type `!` not allowed here on stable Rust
) -> ! {
    let _guard = Guard;
    struct Guard;
    impl Drop for Guard {
        fn drop(&mut self) {
            // must not make it beyond this point!
            std::process::abort();
            // might need a no_std alternative if you don't have std
            // e.g. double-panic should abort reliably, too
        }
    }
    // sound, because `_guard` ensures this call can never be left, even with unwinding
    let static_ref: &'static mut T = unsafe { &mut *(&mut x as *mut T) };
    #[allow(unreachable_code)]
    match f(static_ref) {}
}

usage:

fn take_static_ref(x: &'static i32) {
    println!("{x}");
}

fn main() -> ! {
    with_static(42, |x| {
        loop {
            take_static_ref(x);
        }
    })
}

Edit: Glancing at the mk_static API discussed in the article linked above, this seems different and avoids the soundness conflicts AFAICT, because we’re taking the value that’s supposed to be made to “live forever” by-value, not by-reference.

andresovela · October 28, 2023, 3:59pm

I think it might be possible to wrap everything in a struct and make it all static. I'll see if it is possible and I can get rid of those unsafe calls.

mdHMUpeyf8yluPfXI · October 28, 2023, 4:22pm

The static reference destroys the relationship between a RefMut and it's RefCell. No let mut a needed!.

use std::cell::RefMut;
use std::cell::RefCell;

fn main() -> ! {
    let a = RefCell::new(42);
    
    let x: &'static RefCell<i32> = unsafe { make_static(&a) };
    dbg!(x);
    
    let y: &'static RefMut<'static, i32> = unsafe { make_static(&x.borrow_mut()) };
    drop(a);

    dbg!(y);
    
    loop {}
}

unsafe fn make_static<T>(t: &T) -> &'static T {
    core::mem::transmute(t)
}

andresovela · October 28, 2023, 4:35pm

I see, I think I understand. Thank you for your answers

peter9477 · October 29, 2023, 7:03pm

As he's doing embedded (no-std and even no alloc) work, there's a good chance he's also doing panic = 'abort' in his Cargo.toml and can therefore ignore unwinding concerns.