-
Notifications
You must be signed in to change notification settings - Fork 12.8k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Clarify and restrict when {Arc,Rc}::get_unchecked_mut
is allowed.
#101310
Clarify and restrict when {Arc,Rc}::get_unchecked_mut
is allowed.
#101310
Conversation
(rust-highfive has picked a reviewer for you, use r? to override) |
This comment has been minimized.
This comment has been minimized.
TBH, I don't like allowing implicit shared mutability via |
cc @RalfJung: does this look reasonable to you? |
This sounds reasonable, but might be good to get @CAD97 or @SimonSapin to take a look, who are more familiar with Rc/Arc internals than I am. |
I'm also iffy at this point on whether we should be treating However, I do agree that this is sufficient to close the documented soundness hole, and that any looser use should probably be using The only additional case I'd consider allowing intrinsically is when some So to be explicit: this is a clear improvement to the current documentation/guarantees. |
Hey! It looks like you've submitted a new PR for the library teams! If this PR contains changes to any Examples of
|
548b0cb
to
9e7df81
Compare
9e7df81
to
734f724
Compare
r? libs |
Given how finicky they are to use correctly, at this point I’d be in favor of removing these functions entirely and perhaps replace them with |
@bors r+ rollup This seems OK and we have some sign-offs from other folks, we can iterate on other designs (e.g., UniueArc/Rc) later. |
…iaskrgr Rollup of 9 pull requests Successful merges: - rust-lang#101310 (Clarify and restrict when `{Arc,Rc}::get_unchecked_mut` is allowed.) - rust-lang#104461 (Fix building of `aarch64-pc-windows-gnullvm`) - rust-lang#104487 (update ntapi dep to remove future-incompat warning) - rust-lang#104504 (Add a detailed note for missing comma typo w/ FRU syntax) - rust-lang#104581 (rustdoc: remove unused JS IIFE from main.js) - rust-lang#104632 (avoid non-strict-provenance casts in libcore tests) - rust-lang#104634 (move core::arch into separate file) - rust-lang#104641 (replace unusual grammar) - rust-lang#104643 (add examples to chunks remainder methods. ) Failed merges: r? `@ghost` `@rustbot` modify labels: rollup
(Tracking issue for
{Arc,Rc}::get_unchecked_mut
: #63292)(I'm using
Rc
in this comment, but it applies forArc
all the same).As currently documented,
Rc::get_unchecked_mut
can lead to unsoundness when multipleRc
/Weak
pointers to the same allocation exist. The current documentation only requires that otherRc
/Weak
pointers to the same allocation "must not be dereferenced for the duration of the returned borrow". This can lead to unsoundness in (at least) two ways: variance, andRc<str>
/Rc<[u8]>
aliasing. (playground link).This PR changes the documentation of
Rc::get_unchecked_mut
to restrict usage to when allRc<T>
/Weak<T>
have the exact sameT
(including lifetimes). I believe this is sufficient to prevent unsoundness, while still allowingget_unchecked_mut
to be called on an aliasedRc
as long as the safety contract is upheld by the caller.Alternatives
Rc
/Weak
inner types. (This was mentioned in the tracking issue). This may be too complicated to clearly express in the documentation.Rc
/Weak
pointers, i.e. it is required that get_mut would returnSome(_)
. (This was also mentioned in the tracking issue). There is at least one codebase that this would cause to become unsound (here, where additional locking is used to ensure unique access to an aliasedRc<T>
; I saw this because it was linked on the tracking issue).