Detect simultaneous borrow and drop of UnsafeCell

e00E · e00E · commit 841f7986db4b · 2024-04-25T12:22:51.000+02:00
Dropping an UnsafeCell or calling into_inner can be seen as mutable access, which is not allowed to happen while another borrow exists. The downside of this change is the added Drop implementation of UnsafeCell. This restricts some uses of UnsafeCell that were previously allowed related to drop check. I went with an approach using unsafe. It is possible to implement this safely but it has too much overhead. We would have to wrap the data field with Option to allow safely taking. This is fine but we would also need to Box it because the type parameter T is ?Sized, which cannot be put into Option. fixes #349
diff --git a/src/cell/unsafe_cell.rs b/src/cell/unsafe_cell.rs
@@ -1,3 +1,5 @@
+use std::mem::ManuallyDrop;
+
 use crate::rt;
 
 /// A checked version of `std::cell::UnsafeCell`.
@@ -115,7 +117,18 @@ impl<T> UnsafeCell<T> {
 
     /// Unwraps the value.
     pub fn into_inner(self) -> T {
-        self.data.into_inner()
+        // Observe that we have mutable access.
+        self.get_mut();
+
+        // We would like to destructure self. This is not possible because of
+        // the Drop implementation. Work around it using unsafe. Note that we
+        // extract `self.state` even though we don't use it. This prevents it
+        // from leaking.
+        let self_ = ManuallyDrop::new(self);
+        let _state = unsafe { std::ptr::read(&self_.state) };
+        let data = unsafe { std::ptr::read(&self_.data) };
+
+        data.into_inner()
     }
 }
 
@@ -214,6 +227,13 @@ impl<T> From<T> for UnsafeCell<T> {
     }
 }
 
+impl<T: ?Sized> Drop for UnsafeCell<T> {
+    fn drop(&mut self) {
+        // Observe that we have mutable access.
+        self.get_mut();
+    }
+}
+
 impl<T: ?Sized> ConstPtr<T> {
     /// Dereference the raw pointer.
     ///
diff --git a/tests/unsafe_cell.rs b/tests/unsafe_cell.rs
@@ -60,8 +60,11 @@ fn atomic_causality_success() {
     });
 }
 
+// This test is ignored because it causes an abort because of a double panic.
+// More discussion at https://github.com/tokio-rs/loom/issues/350 .
 #[test]
 #[should_panic]
+#[ignore]
 fn atomic_causality_fail() {
     struct Chan {
         data: UnsafeCell<usize>,
@@ -333,3 +336,25 @@ fn unsafe_cell_access_after_sync() {
         }
     });
 }
+
+#[test]
+#[should_panic]
+fn unsafe_cell_access_during_drop() {
+    loom::model(|| {
+        let x = UnsafeCell::new(());
+        let _guard = x.get();
+        drop(x);
+    });
+}
+
+// Unfortunately we cannot repeat the previous test with `into_inner` instead of
+// Drop because it leads to a second panic when UnsafeCell::drop runs and guard
+// is still alive. The second panic leads to an abort.
+
+#[test]
+fn unsafe_cell_into_inner_ok() {
+    loom::model(|| {
+        let x = UnsafeCell::new(0usize);
+        x.into_inner();
+    });
+}
