Region-is-free check is unsound due to a race condition

[dtolnay]

region_buffer/src/lib.rs

Lines 197 to 199 in 45d6c7b

	self.assert_region_is_free(start, end);
	self.ranges.write().unwrap().insert((start, end));

This check is not thread safe. RegionBuffer implements Sync so some other thread may have mutably claimed the same region in between those two lines. This is unsound because you would end up having handed out multiple mutable borrows of the same data.

[dtolnay]

Here is code to trigger the race condition. If you run this a few times with cargo run you will see it sometimes prints COUNT greater than 1 which indicates unsound simultaneous mutable borrows of the same element.

use region_buffer::region_buffer;
use std::sync::{Arc, RwLock};
use std::thread;
use std::time::Duration;

fn main() {
    let rb = Arc::new(RwLock::new(region_buffer![0]));
    let latch = rb.write().unwrap();

    let mut threads = Vec::new();
    for _ in 0..10 {
        let rb = rb.clone();
        threads.push(thread::spawn(move || {
            let rb = rb.read().unwrap();
            rb.get_mut(0)
        }));
    }

    thread::sleep(Duration::from_millis(100));
    drop(latch);

    let mut count = 0;
    for thread in threads {
        if thread.join().is_ok() {
            count += 1;
        }
    }
    println!("COUNT = {}", count);
}

[Aaronepower]

fixed by #5