From 7fcdb93cf55ad7ddfd07f5265b363379ae16b3b6 Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 12 Mar 2019 13:41:12 +0100
Subject: [PATCH 1/2] Note that NonNull does not launder shared references for mutation
---
 src/libcore/ptr.rs | 9 +++++++++
 1 file changed, 9 insertions(+)
diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs
index 53d4197603068..a3cf8b63483f8 100644
--- a/src/libcore/ptr.rs
+++ b/src/libcore/ptr.rs
@@ -2874,6 +2874,15 @@ impl<'a, T: ?Sized> From> for Unique {
 /// Usually this won't be necessary; covariance is correct for most safe abstractions,
 /// such as Box, Rc, Arc, Vec, and LinkedList. This is the case because they
 /// provide a public API that follows the normal shared XOR mutable rules of Rust.
+///
+/// Notice that `NonNull` has a `From` instance for `&T`. However, this does
+/// not change the fact that mutating through a (pointer derived from a) shared
+/// reference is undefined behavior unless the mutation happens inside an
+/// [`UnsafeCell`]. When using this `From` instance without an `UnsafeCell`,
+/// it is your responsibility to ensure that `as_mut` is never called, and `as_ptr`
+/// is never used for mutation.
+///
+/// [`UnsafeCell`]: ../cell/struct.UnsafeCell.html
 #[stable(feature = "nonnull", since = "1.25.0")]
 #[repr(transparent)]
 #[rustc_layout_scalar_valid_range_start(1)]
From 8ec8639bf3f8c7b17d91028f698abc3067cd56ea Mon Sep 17 00:00:00 2001
From: Ralf Jung
Date: Tue, 12 Mar 2019 13:44:09 +0100
Subject: [PATCH 2/2] expand
---
 src/libcore/ptr.rs | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs
index a3cf8b63483f8..19648fe76cf9d 100644
--- a/src/libcore/ptr.rs
+++ b/src/libcore/ptr.rs
@@ -2878,7 +2878,8 @@ impl<'a, T: ?Sized> From> for Unique {
 /// Notice that `NonNull` has a `From` instance for `&T`. However, this does
 /// not change the fact that mutating through a (pointer derived from a) shared
 /// reference is undefined behavior unless the mutation happens inside an
-/// [`UnsafeCell`]. When using this `From` instance without an `UnsafeCell`,
+/// [`UnsafeCell`]. The same goes for creating a mutable reference from a shared
+/// reference. When using this `From` instance without an `UnsafeCell`,
 /// it is your responsibility to ensure that `as_mut` is never called, and `as_ptr`
 /// is never used for mutation.
 ///
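Review bot: The soundness contract added here (in both patches of the series, finalized in this hunk) lives only on the `NonNull` type docs, while the `From<&T>` impl it describes — outside this hunk — carries no cross-reference, so a reader who reaches that impl from the trait-implementations list never sees that the resulting pointer must not be used for mutation or turned into `&mut T`. A one-line pointer on the impl, e.g. `/// See the type-level docs on NonNull: the pointer obtained this way must not be used for mutation unless the pointee is inside an UnsafeCell.`, would close that gap. The methods the paragraph names are in plain backticks while `UnsafeCell` gets a link; `[`as_mut`]` / `[`as_ptr`]` with `[`as_mut`]: #method.as_mut` and `[`as_ptr`]: #method.as_ptr` would keep the paragraph consistent with the existing link style. As a wording point, Rust documentation normally calls a trait implementation an "impl" or "implementation", not an "instance". The enclosing doc block begins before this hunk.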