From 3f1d7ac4db988aa299337ae141066d79f6cc217d Mon Sep 17 00:00:00 2001
From: Alec Rohloff
Date: Fri, 12 Apr 2024 10:45:07 -0400
Subject: [PATCH 1/2] Mitigate MIRI violation
---
 src/std.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/std.rs b/src/std.rs
index 40df429..5c82110 100644
--- a/src/std.rs
+++ b/src/std.rs
@@ -46,7 +46,8 @@ unsafe impl crate::Impl for StdCriticalSection {
 // SAFETY: As per the acquire/release safety contract, release can only be called
 // if the critical section is acquired in the current thread,
 // in which case we know the GLOBAL_GUARD is initialized.
- GLOBAL_GUARD.assume_init_drop();
+ #[allow(let_underscore_lock)]
+ let _ = GLOBAL_GUARD.assume_init_read();
 
 // Note: it is fine to clear this flag *after* releasing the mutex because it's thread local.
 // No other thread can see its value, there's no potential for races.
From 7c729b834c067fa620f16a80d7b690bbd7d80c14 Mon Sep 17 00:00:00 2001
From: Dario Nieuwenhuis
Date: Wed, 16 Oct 2024 12:51:19 +0200
Subject: [PATCH 2/2] Expand comments on miri fix.
---
 src/std.rs | 6 ++++++
 1 file changed, 6 insertions(+)
diff --git a/src/std.rs b/src/std.rs
index 5c82110..c86426f 100644
--- a/src/std.rs
+++ b/src/std.rs
@@ -46,6 +46,12 @@ unsafe impl crate::Impl for StdCriticalSection {
 // SAFETY: As per the acquire/release safety contract, release can only be called
 // if the critical section is acquired in the current thread,
 // in which case we know the GLOBAL_GUARD is initialized.
+ //
+ // We have to `assume_init_read` then drop instead of `assume_init_drop` because:
+ // - drop requires exclusive access (&mut) to the contents
+ // - mutex guard drop first unlocks the mutex, then returns. In between those, there's a brief
+ // moment where the mutex is unlocked but a `&mut` to the contents exists.
+ // - During this moment, another thread can go and use GLOBAL_GUARD, causing `&mut` aliasing.
 #[allow(let_underscore_lock)]
 let _ = GLOBAL_GUARD.assume_init_read();
 
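Review bot: `GLOBAL_GUARD.assume_init_read()` still auto-borrows the static as `&GLOBAL_GUARD`; if `GLOBAL_GUARD` is a `static mut` (its declaration is outside the hunk), that is what rustc's `static_mut_refs` lint flags on current toolchains, and the shared borrow is sound here only because this thread still holds the mutex until the copied-out guard is dropped. A raw-pointer read creates no reference at all and keeps the same unlock ordering: `drop(core::ptr::addr_of!(GLOBAL_GUARD).read().assume_init());` in place of the two added lines. Even if the method call is kept, `drop(GLOBAL_GUARD.assume_init_read());` states the intent directly and removes the need for `#[allow(let_underscore_lock)]`. The enclosing method (presumably `release`, going by the SAFETY comment) starts and ends outside the hunk.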
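Review bot: The new bullets explain why `&mut` is unsound but not why the shared borrow that `assume_init_read` itself takes on `GLOBAL_GUARD` is acceptable, and a reader applying the same reasoning may suspect it. I'd add a closing bullet: `// - assume_init_read only takes a shared borrow while copying the guard out; that borrow ends before the local copy is dropped and the mutex unlocked, so the window above never overlaps it.` The last existing bullet could also say what the other thread's use is, presumably a write from `acquire` after it locks the mutex, since that is what makes the window matter. The enclosing method starts and ends outside the hunk.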