diff options
| author | Matthias Krüger <matthias.krueger@famsik.de> | 2022-11-20 23:50:26 +0100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-11-20 23:50:26 +0100 |
| commit | b4513ce6f835ed3f5c34a3ddc745d8cd3198cbf2 (patch) | |
| tree | 489b4a96bbf05ccbf66a5d7416bba84405eb472f /tests/codegen/src-hash-algorithm/src-hash-algorithm-sha256.rs | |
| parent | a28f3c88e50a77bc2a91889241248c4543854e61 (diff) | |
| parent | 734f7244723f579433b7defcd1fd1c2e66406737 (diff) | |
| download | rust-b4513ce6f835ed3f5c34a3ddc745d8cd3198cbf2.tar.gz rust-b4513ce6f835ed3f5c34a3ddc745d8cd3198cbf2.zip | |
Rollup merge of #101310 - zachs18:rc_get_unchecked_mut_docs_soundness, r=Mark-Simulacrum
Clarify and restrict when `{Arc,Rc}::get_unchecked_mut` is allowed.
(Tracking issue for `{Arc,Rc}::get_unchecked_mut`: #63292)
(I'm using `Rc` in this comment, but it applies for `Arc` all the same).
As currently documented, `Rc::get_unchecked_mut` can lead to unsoundness when multiple `Rc`/`Weak` pointers to the same allocation exist. The current documentation only requires that other `Rc`/`Weak` pointers to the same allocation "must not be dereferenced for the duration of the returned borrow". This can lead to unsoundness in (at least) two ways: variance, and `Rc<str>`/`Rc<[u8]>` aliasing. ([playground link](https://play.rust-lang.org/?version=nightly&mode=debug&edition=2021&gist=d7e2d091c389f463d121630ab0a37320)).
This PR changes the documentation of `Rc::get_unchecked_mut` to restrict usage to when all `Rc<T>`/`Weak<T>` have the exact same `T` (including lifetimes). I believe this is sufficient to prevent unsoundness, while still allowing `get_unchecked_mut` to be called on an aliased `Rc` as long as the safety contract is upheld by the caller.
## Alternatives
* A less strict, but still sound alternative would be to say that the caller must only write values which are valid for all aliased `Rc`/`Weak` inner types. (This was [mentioned](https://github.com/rust-lang/rust/issues/63292#issuecomment-568284090) in the tracking issue). This may be too complicated to clearly express in the documentation.
* A more strict alternative would be to say that there must not be any aliased `Rc`/`Weak` pointers, i.e. it is required that get_mut would return `Some(_)`. (This was also mentioned in the tracking issue). There is at least one codebase that this would cause to become unsound ([here](https://github.com/kaimast/lsm-rs/blob/be5a164d770d850d905e510e2966ad4b1cc9aa5e/src/memtable.rs#L166), where additional locking is used to ensure unique access to an aliased `Rc<T>`; I saw this because it was linked on the tracking issue).
Diffstat (limited to 'tests/codegen/src-hash-algorithm/src-hash-algorithm-sha256.rs')
0 files changed, 0 insertions, 0 deletions