Send/Sync audit for libcollections

[edwardw]

In the process, also replaces two raw mutable pointers with Unique to
spell out the ownership semantics.

cc #22709

[rust-highfive]

r? @pcwalton

(rust_highfive has picked a reviewer for you, use r? to override)

[edwardw]

r? @huonw

[Gankra]

IIIII'm not sure this is sound. RawItems is basically for draining values out of an allocation, but doesn't actually own its allocation. Sending this seems unsound?

Also RawItems is 100% internal, so I don't think it needs Send/Sync (only exported inside of MoveTraversalImpl, but you impl Send/Sync on that already).

[edwardw]

Good catch. I assumed RawItems is safe since it has Iterator and DoubleEndedIterator implementations which take &mut self. But by closer inspection, the real mutations are all in unsafe block. MoveTraversalImpl is also a very good point.

Comment addressed.

[alexcrichton]

Perhaps this could store Unique<T> instead?

[edwardw]

Done and then I tweaked the implementation to match Iter, which kills pointer all together.

[alexcrichton]

These unsafe impl blocks can be removed now, right?

[edwardw]

Indeed.

[edwardw]

r? @alexcrichton

[alexcrichton]

I think we tend to prefer avoiding transmute wherever possible, could this be written as Some(&mut *(elem as *mut _))?

[edwardw]

Done.

[alexcrichton]

Can you also add some tests to ensure that we don't regress in these aspects?

[edwardw]

Hmm, seems I've tackled problem the wrong way. Test-driven would be better here. Will rework the patch.

[edwardw]

An extensive test was added. r? @alexcrichton @huonw

[alexcrichton]

Shouldn't these be unnecessary? I would figure that slice::Iter would implement these as appropriate

[edwardw]

Currently it isn't. This can be removed, however, after libcore is properly Sync and Send audited. A FIXME maybe?

[alexcrichton]

Nice test! Sorry for being so pedantic about these, but this feels like an extra level of unsafety I want to be sure we tread carefully with. To me there are a bunch more unsafe impl blocks than I would have expected originally. I would consider something like the following steps for considering whether to mark something with unsafe impl:

1. Are there any interior unsafe pointers or UnsafeCell types? If not, then the problem lies in the constituent types, not at the top-level.
2. Can any unsafe pointers be represented by other abstractions? For example Unique is one but there may be other helper structs as well.

Along those lines, some of the structures marked with unsafe impl fall into (1) where they don't contain unsafe things and the problem seems to lie in the underlying abstractions. I think we already got all the instances of (2).

Does that make sense?

[alexcrichton]

@edwardw ah it seems you responded as I was responding! Would it be possible to go ahead and "audit" the relevant portions of libcore ahead of time? It should just involve dealing with slice::Iter for now (you don't have to do the whole audit of course). It's generally preferable to not have an intermediate state where lots of stuff is "slated for deletion"

[edwardw]

Certainly. That leaves only RawItems business. I'll wait Mr. @gankro to confirm that one.

[alexcrichton]

T: Sync => T: Send

[huonw]

Sync is correct; Iter<T> is essentially the same as &T.

[alexcrichton]

Oh wow that is subtle, looks like I should read this again.

[alexcrichton]

@bors: r+ 6849006

[bors]

⌛ Testing commit 6849006 with merge a5214e4...

[bors]

☀️ Test successful - auto-linux-32-nopt-t, auto-linux-32-opt, auto-linux-64-nopt-t, auto-linux-64-opt, auto-linux-64-x-android-t, auto-mac-32-opt, auto-mac-64-nopt-t, auto-mac-64-opt, auto-win-32-nopt-t, auto-win-32-opt, auto-win-64-nopt-t, auto-win-64-opt