avoid mutable references in critical_section_mutex implementations#6050
Conversation
| @@ -243,9 +243,9 @@ where | |||
| let mut guard = CS2Guard(unsafe { core::mem::zeroed() }); | |||
There was a problem hiding this comment.
While we're here, I think we might be able to replace these core::mem::zeroed() with MaybeUninit of some form, to avoid needing to zero-intialize the structures at each critical section entry.
Looks like the C headers don't zero-initialize:
There was a problem hiding this comment.
(Possibly better to defer this to a separate PR given correctness / performance implications are not related to the exact diff here.)
|
Thanks! There is another followup (pointed out to me by Claude when I asked it to review this), which is that the critical section API allows possible UB by passing the same mutex twice and calling It's already unsafe of course but we should also prevent footguns or at least document them in the safety contract :) |
3 participants
There is a slight technicality in
with_critical_section_mutex2that if the samePyMutexis passed as both arguments, the&mutreferences to the raw ffi mutex internally are UB due to mutable aliasing.Fortunately we can just work with raw pointers here as this is an FFI call. I'm not sure wether the compiler actually will produce exploitable UB in this particular position due to the references being immediately coerced to pointers for the FFI call, but it seems wise to tidy this up.
cc @ngoldbaum
(Credit to Codex security scanning for this discovery.)