Use pointer offset instead of deref for A/Rc::into_raw #67339

CAD97 · 2019-12-15T23:09:41Z

Internals thread: https://internals.rust-lang.org/t/rc-and-internal-mutability/11463/2?u=cad97

The current implementation of (A)Rc::into_raw uses the Deref::deref implementation to get the pointer-to-data that is returned. This is problematic in the proposed Stacked Borrow rules, as this only gets shared provenance over the data location. (Note that the strong/weak counts are UnsafeCell (Cell/Atomic) so shared provenance can still mutate them, but the data itself is not.) When promoted back to a real reference counted pointer, the restored pointer can be used for mutation through ::get_mut (if it is the only surviving reference). However, this mutates through a pointer ultimately derived from a &T borrow, violating the Stacked Borrow rules.

There are three known potential solutions to this issue:

Stacked Borrows is wrong, liballoc is correct.
Fully admit (A)Rc as an "internal mutability" type and store the data payload in an UnsafeCell like the strong/weak counts are. (Note: this is not needed generally since the RcBox/ArcInner is stored behind a shared NonNull which maintains shared write provenance as a raw pointer.)
Adjust into_raw to do direct manipulation of the pointer (like from_raw) so that it maintains write provenance and doesn't derive the pointer from a reference.

This PR implements the third option, as recommended by @RalfJung.

Potential future work: provide as_raw and clone_raw associated functions to allow the &T -> (A)Rc<T> pattern to be used soundly without creating (A)Rc from references.

CAD97 · 2019-12-16T00:08:57Z

Oh right, fat pointers...

(sorry for the number of force pushes: until I get fully moved over to my new PC the one I'm working on has some messed up dev environment and can't even build rustc fully anymore...)

Mark-Simulacrum · 2019-12-16T00:41:24Z

r? @RalfJung

src/liballoc/rc.rs

RalfJung · 2019-12-16T10:33:27Z

(I'm sick and my backlog is already quite long, no promises when I'll be able to get around to this.)

src/liballoc/rc.rs

RalfJung · 2019-12-22T17:22:32Z

The general approach looks good to me, but I feel this is T-libs territory, so r? @SimonSapin

SimonSapin · 2020-01-15T16:38:07Z

Per curl https://raw.githubusercontent.com/rust-lang/highfive/master/highfive/configs/rust-lang/rust.json|jq .groups.libs|grep @|shuf -n1

r? @sfackler

sfackler · 2020-01-15T16:48:49Z

@bors r+

bors · 2020-01-15T16:48:50Z

📌 Commit eb77f7e has been approved by sfackler

Dylan-DPC-zz · 2020-01-15T17:10:00Z

Oops :D

Dylan-DPC-zz · 2020-01-15T17:10:11Z

r? @sfackler

bors · 2020-01-16T00:47:52Z

⌛ Testing commit eb77f7e with merge e02c475...

@RalfJung

Use pointer offset instead of deref for A/Rc::into_raw Internals thread: https://internals.rust-lang.org/t/rc-and-internal-mutability/11463/2?u=cad97 The current implementation of (`A`)`Rc::into_raw` uses the `Deref::deref` implementation to get the pointer-to-data that is returned. This is problematic in the proposed Stacked Borrow rules, as this only gets shared provenance over the data location. (Note that the strong/weak counts are `UnsafeCell` (`Cell`/`Atomic`) so shared provenance can still mutate them, but the data itself is not.) When promoted back to a real reference counted pointer, the restored pointer can be used for mutation through `::get_mut` (if it is the only surviving reference). However, this mutates through a pointer ultimately derived from a `&T` borrow, violating the Stacked Borrow rules. There are three known potential solutions to this issue: - Stacked Borrows is wrong, liballoc is correct. - Fully admit (`A`)`Rc` as an "internal mutability" type and store the data payload in an `UnsafeCell` like the strong/weak counts are. (Note: this is not needed generally since the `RcBox`/`ArcInner` is stored behind a shared `NonNull` which maintains shared write provenance as a raw pointer.) - Adjust `into_raw` to do direct manipulation of the pointer (like `from_raw`) so that it maintains write provenance and doesn't derive the pointer from a reference. This PR implements the third option, as recommended by @RalfJung. Potential future work: provide `as_raw` and `clone_raw` associated functions to allow the [`&T` -> (`A`)`Rc<T>` pattern](https://internals.rust-lang.org/t/rc-and-internal-mutability/11463/2?u=cad97) to be used soundly without creating (`A`)`Rc` from references.

bors · 2020-01-16T04:24:21Z

☀️ Test successful - checks-azure
Approved by: sfackler
Pushing e02c475 to master...

rust-highfive assigned Mark-Simulacrum Dec 15, 2019