BUG: Add test showing how downcasting to CFArray is unsound

[faern]

This PR is not intended to me merged directly. It adds a test that causes undefined behavior without using unsafe {}. So it's more to show the problem and discuss a solution.

The problem here is that if you have a CFArray<X> you can cast it up to a CFType and then down to a CFArray<Y> for any Y: TCFType. It never checks that the elements in the array are of type Y or not. At this point CFArray::iter will happily give out &Y references, while in fact the pointers backing those objects are pointing to XRef instances. So doing anything with the &Y will likely cause invalid memory access.

How do we solve this?

Ping @jrmuizel

---

This change is 

[faern]

I pushed another test, showing how this problem originates at TCFType::instance_of. Where

CFArray<X>::instance_of::<CFArray<Y>>()

Does return true in all cases.
I don't think the instance_of problem can be used to cause undefined behavior though. But it's still a strange situation.

[jrmuizel]

Casting a CFArray to a particular CFArray needs to be unsafe. I'm not yet sure how fix downcast.

[jrmuizel]

If we add a trait that's ConcreteCFType that non-generic CFTypes implement.

We can make downcast become

    pub fn downcast<T: ConcreteCFType>(&self) -> Option<T> {

and then we'd have
impl ConcreteCFType for CFArray<void*>
but not for CFArray

[jrmuizel]

I've put up a fix in #159

[jdm]

We could potentially turn this into a doctest that verifies that it doesn't compile?

[faern]

@jdm How do you create a test that passes if it does not compile?

[jrmuizel]

See https://doc.rust-lang.org/beta/rustdoc/documentation-tests.html

/// ```compile_fail
/// let x = 5;
/// x += 2; // shouldn't compile!
/// ```

[faern]

Updated the test to be a compile_fail doctest. Also fixed the trait bound on downcast_into to prohibit unsound downcasts there as well.

[jrmuizel]

@bors-servo r+

[bors-servo]

📌 Commit 6c63acc has been approved by jrmuizel

[bors-servo]

⌛ Testing commit 6c63acc with merge 2ba1ea2...

[bors-servo]

☀️ Test successful - status-travis
Approved by: jrmuizel
Pushing 2ba1ea2 to master...

[faern]

The downcast_into<T: ConcreteCFType> change here is breaking. But it's just as important for the security as the equivalent on downcast that was performed earlier.