Auto merge of rust-lang#56161 - RalfJung:vecdeque-stacked-borrows, r=SimonSapin

bors · bors · commit 9fe5cb534224 · 2018-12-13T07:12:19.000Z
VecDeque: fix for stacked borrows `VecDeque` violates a version of stacked borrows where creating a shared reference is not enough to make a location *mutably accessible* from raw pointers (and I think that is the version we want). There are two problems: * Creating a `NonNull<T>` from `&mut T` goes through `&T` (inferred for a `_`), then `*const T`, then `NonNull<T>`. That means in this stricter version of Stacked Borrows, we cannot actually write to such a `NonNull` because it was created from a shared reference! This PR fixes that by going from `&mut T` to `*mut T` to `*const T`. * `VecDeque::drain` creates the `Drain` struct by *first* creating a `NonNull` from `self` (which is an `&mut VecDeque`), and *then* calling `self.buffer_as_mut_slice()`. The latter reborrows `self`, asserting that `self` is currently the unique pointer to access this `VecDeque`, and hence invalidating the `NonNull` that was created earlier. This PR fixes that by instead using `self.buffer_as_slice()`, which only performs read accesses and creates only shared references, meaning the raw pointer (`NonNull`) remains valid. It is possible that other methods on `VecDeque` do something similar, miri's test coverage of `VecDeque` is sparse to say the least. Cc @nikomatsakis @gankro
diff --git a/src/liballoc/collections/vec_deque.rs b/src/liballoc/collections/vec_deque.rs
@@ -1026,7 +1026,10 @@ impl<T> VecDeque<T> {
             iter: Iter {
                 tail: drain_tail,
                 head: drain_head,
-                ring: unsafe { self.buffer_as_mut_slice() },
+                // Crucially, we only create shared references from `self` here and read from
+                // it.  We do not write to `self` nor reborrow to a mutable reference.
+                // Hence the raw pointer we created above, for `deque`, remains valid.
+                ring: unsafe { self.buffer_as_slice() },
             },
         }
     }
diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs
@@ -2848,14 +2848,14 @@ impl<T: ?Sized> fmt::Pointer for Unique<T> {
 #[unstable(feature = "ptr_internals", issue = "0")]
 impl<'a, T: ?Sized> From<&'a mut T> for Unique<T> {
     fn from(reference: &'a mut T) -> Self {
-        Unique { pointer: unsafe { NonZero(reference as _) }, _marker: PhantomData }
+        Unique { pointer: unsafe { NonZero(reference as *mut T) }, _marker: PhantomData }
     }
 }
 
 #[unstable(feature = "ptr_internals", issue = "0")]
 impl<'a, T: ?Sized> From<&'a T> for Unique<T> {
     fn from(reference: &'a T) -> Self {
-        Unique { pointer: unsafe { NonZero(reference as _) }, _marker: PhantomData }
+        Unique { pointer: unsafe { NonZero(reference as *const T) }, _marker: PhantomData }
     }
 }
 
@@ -3058,14 +3058,14 @@ impl<T: ?Sized> From<Unique<T>> for NonNull<T> {
 impl<'a, T: ?Sized> From<&'a mut T> for NonNull<T> {
     #[inline]
     fn from(reference: &'a mut T) -> Self {
-        NonNull { pointer: unsafe { NonZero(reference as _) } }
+        NonNull { pointer: unsafe { NonZero(reference as *mut T) } }
     }
 }
 
 #[stable(feature = "nonnull", since = "1.25.0")]
 impl<'a, T: ?Sized> From<&'a T> for NonNull<T> {
     #[inline]
     fn from(reference: &'a T) -> Self {
-        NonNull { pointer: unsafe { NonZero(reference as _) } }
+        NonNull { pointer: unsafe { NonZero(reference as *const T) } }
     }
 }

Original file line number	Diff line number	Diff line change
`@@ -1026,7 +1026,10 @@ impl<T> VecDeque<T> {`
`1026`	`1026`	`iter: Iter {`
`1027`	`1027`	`tail: drain_tail,`
`1028`	`1028`	`head: drain_head,`
`1029`		`- ring: unsafe { self.buffer_as_mut_slice() },`
	`1029`	+ // Crucially, we only create shared references from `self` here and read from
	`1030`	+ // it. We do not write to `self` nor reborrow to a mutable reference.
	`1031`	+ // Hence the raw pointer we created above, for `deque`, remains valid.
	`1032`	`+ ring: unsafe { self.buffer_as_slice() },`
`1030`	`1033`	`},`
`1031`	`1034`	`}`
`1032`	`1035`	`}`
Original file line number	Diff line number	Diff line change
`@@ -2848,14 +2848,14 @@ impl<T: ?Sized> fmt::Pointer for Unique<T> {`
`2848`	`2848`	`#[unstable(feature = "ptr_internals", issue = "0")]`
`2849`	`2849`	`impl<'a, T: ?Sized> From<&'a mut T> for Unique<T> {`
`2850`	`2850`	`fn from(reference: &'a mut T) -> Self {`
`2851`		`- Unique { pointer: unsafe { NonZero(reference as _) }, _marker: PhantomData }`
	`2851`	`+ Unique { pointer: unsafe { NonZero(reference as *mut T) }, _marker: PhantomData }`
`2852`	`2852`	`}`
`2853`	`2853`	`}`
`2854`	`2854`
`2855`	`2855`	`#[unstable(feature = "ptr_internals", issue = "0")]`
`2856`	`2856`	`impl<'a, T: ?Sized> From<&'a T> for Unique<T> {`
`2857`	`2857`	`fn from(reference: &'a T) -> Self {`
`2858`		`- Unique { pointer: unsafe { NonZero(reference as _) }, _marker: PhantomData }`
	`2858`	`+ Unique { pointer: unsafe { NonZero(reference as *const T) }, _marker: PhantomData }`
`2859`	`2859`	`}`
`2860`	`2860`	`}`
`2861`	`2861`
`@@ -3058,14 +3058,14 @@ impl<T: ?Sized> From<Unique<T>> for NonNull<T> {`
`3058`	`3058`	`impl<'a, T: ?Sized> From<&'a mut T> for NonNull<T> {`
`3059`	`3059`	`#[inline]`
`3060`	`3060`	`fn from(reference: &'a mut T) -> Self {`
`3061`		`- NonNull { pointer: unsafe { NonZero(reference as _) } }`
	`3061`	`+ NonNull { pointer: unsafe { NonZero(reference as *mut T) } }`
`3062`	`3062`	`}`
`3063`	`3063`	`}`
`3064`	`3064`
`3065`	`3065`	`#[stable(feature = "nonnull", since = "1.25.0")]`
`3066`	`3066`	`impl<'a, T: ?Sized> From<&'a T> for NonNull<T> {`
`3067`	`3067`	`#[inline]`
`3068`	`3068`	`fn from(reference: &'a T) -> Self {`
`3069`		`- NonNull { pointer: unsafe { NonZero(reference as _) } }`
	`3069`	`+ NonNull { pointer: unsafe { NonZero(reference as *const T) } }`
`3070`	`3070`	`}`
`3071`	`3071`	`}`