Is it safe to assume that the `None` variant of `Option<NonNull<dyn T>>` is equivalent to `mem::zeroed()`?

rahotniin · June 6, 2025, 5:29pm

I've been implementing a semi-concurrent hash-map for storing single values of different types, where each value is stored in an Option, as above. Using alloc_zeroed(), would I still have to manaully initialise each bucket in the map with None?

RustyYato · June 6, 2025, 5:36pm

No, the vtable part of the fat pointer in Option<NonNull<dyn T>> is completely unspecified.

rahotniin · June 6, 2025, 5:43pm

Does that mean the Option may match on the Some case, even if it was created using using alloc_zeroed()?

cuviper · June 6, 2025, 5:50pm

None is only guaranteed to be zeros according to the table in the representation docs, which includes NonNull<U> only for U: Sized.

RustyYato · June 6, 2025, 6:12pm

No, it won't match Some however it may also not match None for example, if it requires the vtable pointer in the fat pointer to be non-null. (I think it currently would match None, however there are no guarantees that this continues to work into the future)

rahotniin · June 6, 2025, 6:36pm

Ah, thank you.

kpreid · June 6, 2025, 7:18pm

Note that you’re not allowed to use a zeroed *mut dyn Trait, either:

fn main() {
    let p: *mut dyn core::fmt::Debug = unsafe { core::mem::zeroed() };
    println!("{p:p}");
}

warning: the type `*mut dyn std::fmt::Debug` does not permit zero-initialization
 --> src/main.rs:2:49
  |
2 |     let p: *mut dyn core::fmt::Debug = unsafe { core::mem::zeroed() };
  |                                                 ^^^^^^^^^^^^^^^^^^^
  |                                                 |
  |                                                 this code causes undefined behavior when executed
  |                                                 help: use `MaybeUninit<T>` instead, and only call `assume_init` after initialization is done
  |
  = note: the vtable of a wide raw pointer must be non-null
  = note: `#[warn(invalid_value)]` on by default


thread 'main' panicked at /playground/.rustup/toolchains/nightly-x86_64-unknown-linux-gnu/lib/rustlib/src/rust/library/core/src/panicking.rs:225:5:
aborted execution: attempted to zero-initialize type `*mut dyn std::fmt::Debug`, which is invalid
note: run with `RUST_BACKTRACE=1` environment variable to display a backtrace

I believe it is currently undecided whether, but likely to be true in the future that, the vtable pointer needs to point to a valid vtable in addition to being non-null.

quinedot · June 6, 2025, 7:48pm

The vtable portion of NonNull<dyn T>> (the contained *const dyn T) has a safety requirement of being a valid vtable pointer, and a validity requirement of being word-aligned and non-null.

github.com/rust-lang/rust

Commit to safety rules for dyn trait upcasting

opened 06:02PM - 02 Sep 22 UTC

closed 09:34PM - 18 Dec 24 UTC

nikomatsakis

I-needs-decision T-lang disposition-merge finished-final-comment-period F-trait_upcasting

This issue proposes a resolution to the last outstanding question blocking `dyn`… upcast. It is also available on [the initiative repository](https://rust-lang.github.io/dyn-upcasting-coercion-initiative/design-discussions/upcast-safety-3.html). ## Background We are trying to enable "upcasts" from a `dyn Trait` to its supertraits: ```rust trait Foo { fn foo_method(&self); } trait Bar: Foo { fn bar_method(&self); } let x: &dyn Bar = /* ... */; let y: &dyn Foo = x; // compiles ``` The key factor for these upcasts is that they require adjusting the vtable. The current implementation strategy is that the vtables for the `Bar` trait embed pointers to a `Foo` vtable within them: ``` +----------------------------+ | Bar vtable for some type T | |----------------------------| | Foo vtable | ----------> +------------------+ | foo_method | -----+ | Foo vtable for T | | bar_method | --+ | |------------------| +----------------------------+ | | | foo_method | ---+ | | +------------------+ | | | | | +---> <T as Foo>::foo_method <-+ v <T as Bar>::bar_method (this diagram is only meant to convey the general idea of the vtable layout, and doesn't represent the exact offsets we would use etc; in fact, with the current implementation, the first supertrait is stored 'inline' and hence no load is required) ``` This way, given a `&dyn Bar` object, we convert its `Bar` vtable to the appropriate `Foo` vtable by loading the appropriate field. Although we don't want to commit to a particular implementation strategy, we do want to leave room for this strategy. One implication is that performing an upcast may require loading from the vtable, which implies that the vtable must be a valid pointer to an actual Rust vtable. Although `&dyn Bar` references would always contain a valid vtable, the same is not necessarily true for a raw pointer like `*const dyn Bar` or `*mut dyn Bar`. In the language today, we only support "noop upcasts" that don't affect the vtable, and these are safe (e.g., converting from `*const dyn Foo + Send` to `*const dyn Foo`). If we extend the set of upcasts to permit vtable-adjusting upcasts, like `*const dyn Bar` to `*const dyn Foo`, this implies that, for safe code at least, all `*const dyn Trait` values must have a valid vtable, so that we know we can safely load the required field and perform the upcast. On the other hand, we do not generally require raw `*mut T` pointers to point to valid data. In fact, we explicitly permit them to have any value, including null, and only require that they point to valid data when they are dereferenced. Because dereferencing a raw pointer is an unsafe operation, it has always been considered safe to expose an arbitrary raw pointer to unsafe code -- the unsafety arises when you take a raw pointer from an unknown source and dereference it, since unless you can trace the origin of that pointer you can't possible guarantee that it is valid to dereference. This brings us to the conflict: * It has historically been safe to "release" a raw pointer to safe code, but not safe to receive one (since you cannot know if it is valid). * It has historically been safe to upcast `*const dyn` values (e.g., `*const dyn Foo + Send` to `*const dyn Foo`). * Unlike the upcasts we are considering now, this upcast does not require changing the vtable at runtime, but the distinction is subtle for end-users. * Moreover, there are future extensions (e.g., upcasting `*const dyn Foo + Bar` to `*const dyn Foo`) that would require adjusting the vtable much like the upcasts currently being stabilized. ## Related future consideration: virtual method calls on raw pointers There have been requests to extend traits with the option to include raw pointer methods: ```rust trait PtrLike { fn is_null(v: *const Self) -> bool; } ``` These methods would be useful when writing unsafe code because having an `&self` method requires satisfying the validity conditions of an `&`-reference, which may not be possible. If we did have such methods, however, it raises the question of whether it would be safe to invoke `is_null` on a `*const dyn PtrLike` reference. Just as with upcasting, invoking a method from the vtable requires loading from the vtable, and hence requires a valid vtable generated by the compiler. The solution we propose in this document also resolves this future dilemma. ## Definitions: validity vs safety invariant We adopt the terms *validity* and *safety* invariant from the [unsafe code guidelines](https://rust-lang.github.io/unsafe-code-guidelines/glossary.html): > The *validity invariant* is an invariant that all data must uphold any time it is accessed or copied in a typed manner. This invariant is known to the compiler and exploited by optimizations such as improved enum layout or eliding in-bounds checks. > > The *safety invariant* is an invariant that safe code may assume all data to uphold. This invariant is used to justify which operations safe code can perform. The safety invariant can be temporarily violated by unsafe code, but must always be upheld when interfacing with unknown safe code. It is not relevant when arguing whether some program has UB, but it is relevant when arguing whether some code safely encapsulates its unsafety -- in other words, it is relevant when arguing whether some library is sound. In short, the *validity invariant* defines a condition that must always be true, even in unsafe code, and the *safety invariant* defines an invariant that unsafe code must guarantee before a value can be released to be used by arbitrary code. ## Contours of the solution space We can fix this conflict in one of two basic ways: First, **we could make vtable-adjusting upcasts casts (and `*Self` method calls) unsafe**. This is difficult to implement and would require changes to the `Coerce` trait, which is already excessively complicated. In exchange, it offers at best marginal benefit: raw `*dyn` pointers can be released to safe code, but safe code can't do anything interesting with them. For this reason, we do not recommend this option. If vtable-adjusting casts (and `*Self` method calls) are safe, then the **safety invariant** for `*dyn` types must be that their metadata points to a **fully valid vtable** (i.e., a vtable created by the compiler). This ensures safe code can perform upcasts or dynamic dispatch. This also implies that `std::ptr::null` (which is safe) cannot be extended to `T` where `T: ?Sized` unless further changes are made, since we would need to provide a valid vtable (it would be possible to permit a sentinel value, like null, to be used, but that would imply that upcasting must have a branch, making it less efficient). There are, however, various options for the **validity invariant**, ranging from no invariant to requiring a fully valid vtable at all times. The strict invariants offer some benefits, such as the ability to have a niche for `*dyn` pointers. We survey the options here: | Validity invariant for `*dyn` metadata | Supports niche | Can be initialized with `std::mem::zeroed` | Constant initializer | | -------------------------------------- | -------------- | ------------------------------------------ | -------------------- | | None | | ✅ | ✅ | | Word-aligned | ✅ | ✅ | ✅ | | Word-aligned, non-null | ✅ | | ✅ | | Valid vtable | ✅ | | | Explanations for the column titles: * Validity invariant for `*dyn` metadata -- describes the invariant that applies to the metadata for a `*dyn` value. * Supports niche -- true if there is a niche value so that `sizeof(Option<*const dyn Foo>) == sizeof(*const dyn Foo)`. * Can be initialized with `std::mem::zeroed` -- true if `std::mem::zeroed` can be used to create a valid value (very convenient). This makes it trivial to innitialize a `*const dyn` with a dummy value, though the value cannot be released to safe code. * Constant initializer -- true if there is some constant value for `*const dyn Foo` that satisfies the validity invariant, no matter the trait `Foo`. This makes it easy to initialize a `*const dyn` with a dummy value, though the value cannot be released to safe code. Other points: * `*dyn` values [currently have a niche](https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=bcd18cd3870ba98e2c59b527418f8f68). * Other pointer-like values (such as `fn` and `&`-references) are expected to have a validity invariant of word-aligned, non-null. * Whichever option we use, we can backwards-compatibly move "up the table" and adopt a less-strict validity invariant without introducing UB into any extant programs. ## Proposal The proposal is as follows: * Vtable-adjusting upcasts are **safe operations**. The upcast is UB if performed on a value without a valid vtable * As such, the "safety invariant" requires a **fully valid vtable**. * The "validity invariant" for `*dyn` metadata is not yet defined; the recommendation to the opsem team is that we retain the ability for `*const dyn Foo` to have a niche by requiring the vtable be **word-aligned and non-null** but nothing else ([this clause changed over the course of discussion](https://github.com/rust-lang/rust/issues/101336#issuecomment-1251216579)). Discussion in the opsem team is happening in [here](https://github.com/rust-lang/unsafe-code-guidelines/issues/516). Vtable-adjusting upcasts are defined as: * Trait upcasts that alter the set of methods that can be invoked on the resulting value at runtime (e.g., `dyn Bar` to `dyn Foo` from the introduction). In particular, upcasts that simply add or remove auto-traits are not vtable-adjusting (e.g., `dyn Debug + Send` to `dyn Debug`). This approach... * permits safe upcasting (and method calls, in the future); * preserves the existing niche for `*const dyn`; * is consistent with other validity requirements for "pointer-like" things such as `fn`; The rules also imply that... * valid (i.e., compiler-generated) vtables are only required for a `*dyn` pointer when * the `*dyn` pointer is upcast (or invoke methods); * or, when the `*dyn` pointer is released to arbitrary code, because that code may upcast (or invoke methods). * By implication, extending [`std::ptr::null`](https://doc.rust-lang.org/std/ptr/fn.null.html) to permit `T: ?Sized` would not be safe. ## Possible future changes It may be possible to weaken the validity or safety invariants later, but we risk finding that people have written unsafe code that relies on them. For example, people could build data structures using unions that assume that the vtable pointer is non-null. If we then later permitted a null value, this code could create UB. This is particularly problematic for changes to the safety invariant, since the assumption is that one can take a value which meets the safety invariant and give it to arbitrary code without creating UB (if the value only meets the validity invariant, and not the safety invariant, then you are supposed to audit and control all the code which uses that value, so this is less of a problem). ## Prior links * [Dyn safety write-up](https://rust-lang.github.io/dyn-upcasting-coercion-initiative/design-discussions/upcast-safety-2.html), which includes links to prior write-ups * [Exhaustive set of validity invariants considered](./upcast-safety-3-options.md)

With trait upcasting stabilized, I don't think there's any going back on the safety requirement.

rahotniin · June 6, 2025, 10:20pm

Interestingly, this doesn't produce the same error:

let a: Option<*mut dyn Debug> = unsafe { mem::zeroed() };

scottmcm · June 6, 2025, 10:36pm

That's because it (currently, NOT guaranteed) uses the non-nullness of the vtable to niche-encode the None.

You can see this clearly in the LLVM IR: https://rust.godbolt.org/z/b5a3nhaWP

Topic		Replies	Views
Is it safe to `mem::transmute` from `Option<NonZeroType`> to `ZeroType`?	6	836	January 12, 2023
Is my use of std::mem::zeroed() sound? code review	17	432	December 22, 2024
Soundness of using MaybeUninit<T> for storing arbitrary types	2	507	May 25, 2020
The correct way to generate null pointers to `?Sized` types? help	8	562	October 20, 2023
Is zeroing a repr(Rust) enum UB?	22	1516	September 29, 2021

Is it safe to assume that the `None` variant of `Option<NonNull<dyn T>>` is equivalent to `mem::zeroed()`?

Related topics