From 7fcdb93cf55ad7ddfd07f5265b363379ae16b3b6 Mon Sep 17 00:00:00 2001
From: Ralf Jung <post@ralfj.de>
Date: Tue, 12 Mar 2019 13:41:12 +0100
Subject: [PATCH] Note that NonNull does not launder shared references for
 mutation

---
 src/libcore/ptr.rs | 9 +++++++++
 1 file changed, 9 insertions(+)

diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs
index 53d4197603068..a3cf8b63483f8 100644
--- a/src/libcore/ptr.rs
+++ b/src/libcore/ptr.rs
@@ -2874,6 +2874,15 @@ impl<'a, T: ?Sized> From<NonNull<T>> for Unique<T> {
 /// Usually this won't be necessary; covariance is correct for most safe abstractions,
 /// such as Box, Rc, Arc, Vec, and LinkedList. This is the case because they
 /// provide a public API that follows the normal shared XOR mutable rules of Rust.
+///
+/// Notice that `NonNull<T>` has a `From` instance for `&T`. However, this does
+/// not change the fact that mutating through a (pointer derived from a) shared
+/// reference is undefined behavior unless the mutation happens inside an
+/// [`UnsafeCell<T>`]. When using this `From` instance without an `UnsafeCell<T>`,
+/// it is your responsibility to ensure that `as_mut` is never called, and `as_ptr`
+/// is never used for mutation.
+///
+/// [`UnsafeCell<T>`]: ../cell/struct.UnsafeCell.html
 #[stable(feature = "nonnull", since = "1.25.0")]
 #[repr(transparent)]
 #[rustc_layout_scalar_valid_range_start(1)]