Beingessner: Rust's Unsafe Pointer Types Need An Overhaul
Aria Beingessner points out a set of problems with Rust's conception of unsafe pointers and proposes some fixes in this highly detailed post.
Rust currently says this code is totally cool and fine:

    // Masking off a tag someone packed into a pointer:
    let mut addr = my_ptr as usize;
    addr = addr & !0x1;
    let new_ptr = addr as *mut T;
    *new_ptr += 10;

This is some pretty bog-standard code for messing with tagged pointers, what's wrong with that?

[...]
For this to possibly work with Pointer Provenance and Alias Analysis, that stuff must pervasively infect all integers on the assumption that they might be pointers. This is a huge pain in the neck for people who are trying to actually formally define Rust's memory model, and for people who are trying to build sanitizers for Rust that catch UB. And I assure you it's just as much a headache for all the LLVM and C(++) people too.
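As an added example (not code from Beingessner's post), here is the same tagged-pointer masking written so that the untagged pointer is derived from the tagged pointer by offsetting, rather than rebuilt from a bare integer; that derivation is what lets provenance survive without the compiler having to treat every integer as a possible pointer. The names `tag_ptr`, `tag_of`, `untag_ptr` and `tagged_add` are chosen here; only long-stable pointer methods are used (on Rust 1.84+ the same thing can be spelled with `ptr.addr()` and `ptr.map_addr(..)`).

```rust
use std::mem::align_of;

/// Low-bit tag packed into the pointer. The pointee's alignment must leave
/// that bit free, which `tag_ptr` checks at run time.
const TAG_MASK: usize = 0b1;

/// Pack `tag` into the low bit of `ptr`. The result keeps the provenance of
/// `ptr` because it is produced by offsetting `ptr`, not by an int-to-ptr cast.
fn tag_ptr<T>(ptr: *mut T, tag: usize) -> *mut T {
    assert!(align_of::<T>() > TAG_MASK, "pointee alignment leaves no room for a tag");
    assert!(tag & !TAG_MASK == 0, "tag does not fit in TAG_MASK");
    ptr.cast::<u8>().wrapping_add(tag).cast::<T>()
}

/// Read the tag. Integer arithmetic on the address is fine as long as the
/// integer is never turned back into a pointer.
fn tag_of<T>(ptr: *mut T) -> usize {
    (ptr as usize) & TAG_MASK
}

/// Mask the tag off by subtracting it from the tagged pointer itself, so the
/// untagged pointer inherits the tagged pointer's provenance. This replaces
/// the `addr & !0x1` followed by `addr as *mut T` from the post.
fn untag_ptr<T>(ptr: *mut T) -> *mut T {
    let tag = tag_of(ptr);
    ptr.cast::<u8>().wrapping_sub(tag).cast::<T>()
}

/// The post's sequence, provenance-preserving: tag, untag, then write through
/// the untagged pointer. Returns the updated value.
fn tagged_add(value: &mut u32, tag: usize) -> u32 {
    let tagged = tag_ptr(value as *mut u32, tag);
    debug_assert_eq!(tag_of(tagged), tag);
    let untagged = untag_ptr(tagged);
    // SAFETY: `untagged` has the address of `value` and, being derived from
    // `value as *mut u32` by offsetting, also its provenance; it is valid for
    // a write and nothing else accesses `*value` in between.
    unsafe { *untagged += 10 };
    *value
}

fn main() {
    let mut v: u32 = 5;
    // Constructed input: tag bit set, then masked off before the write.
    println!("tagged_add(&mut 5, 1) = {}", tagged_add(&mut v, 1));
}
```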