In his February 2018 note titled "Memory Safety in Rust: A Case Study with C", Will Crichton wrote:
Rust provides the ability to take ownership of raw pointers, which we do using
slice::from_raw_parts_mut
andBox::from_raw
which tells Rust to treat the memory pointer as a heap-allocated array. After transferring ownership, assuming the memory is valid and of the right size/type, Rust applies its usual memory safety and containment checks.
The relevant part of his code to which the above refers is:
let mut new_data = unsafe {
let ptr = Heap::default()
.alloc(Layout::array::<isize>(new_capacity).unwrap())
.unwrap() as *mut isize;
Box::from_raw(slice::from_raw_parts_mut(ptr, new_capacity))
};
However, the documentation for Box::from_raw
states (emphasis added):
Since the way Box allocates and releases memory is unspecified, the only valid pointer to pass to this function is the one taken from another Box via the
Box::into_raw
function.
For the avoidance of doubt, the (experimental) Heap
API used above to perform memory allocation (since removed in Rust 1.27.0) directly called __rust_alloc
in its alloc
method—and therefore ptr
was not obtained from Box::into_raw
.
Is it valid, albeit unsupported, to pass to Box::from_raw
raw pointers to freshly allocated memory in order to have Rust take ownership of that memory and enforce its usual safety and containment checks? In particular, will Rust deallocate that memory when the arising Box is destroyed?
If not, how can one force Rust to take such ownership of memory allocated other than by its safe methods?
Box::from_raw
with pointer that doesn't come fromBox
, first even if it "could be correct in some case" this could go wrong fast, secondly, I doubt that a good API in C will give you the care to release a resource, except some case where you can just callfree
and I think it's better to callfree
that to guess if box would have too. – Stargateur