Remove non-interior mutability from generic types #587
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
madsmtm
added
enhancement
madsmtm
force-pushed
the
non-mut
branch
2 times, most recently
from
b6563b7
to
a0454fb
Compare
madsmtm
force-pushed
the
rework-cargo-features
branch
5 times, most recently
from
3d26587
to
0ee1323
Compare
madsmtm
changed the title
madsmtm
force-pushed
the
non-mut
branch
6 times, most recently
from
973b04b
to
032b698
Compare
madsmtm
commented
Sep 4, 2024
Comment on lines
-92
to
29
| T: Message, | ||
| { | ||
| // SAFETY: The collection had mutable ownership over the object, and since | ||
| // the object will never again be accessed from the collection, we can | ||
| // convert it to `Retained<T>`. | ||
| pub(crate) fn retain<T: Message>(obj: &T) -> Retained<T> { | ||
| // SAFETY: TODO | ||
| unsafe { Retained::retain(obj as *const T as *mut T).unwrap_unchecked() } |
There was a problem hiding this comment.
Currently unsound, but won't be after we're done removing mutability.
Affects NSEnumerator, NSArray, NSDictionary, NSSet and the mutable variants. This removes all `_mut` methods and `Mut` iterators, as these are now both unsound and unnecessary. Most methods are also converted to `_retained` variants, as returning references is unsound if the collection is mutated. `_unchecked` variants are provided as alternatives instead. At the same time, we remove a bunch of helper methods that are now unnecessary, including `from_vec`. Finally, we add a fuzz target for ensuring that the safe methods do catch mutation mistakes.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Part of #563.
Remove non-interior mutability from NSEnumerator, NSArray, NSDictionary, NSSet and the mutable variants.
I've run the new
mut_while_iterfuzz target for using AFL++ ~8 hours with 8 parallel processes, and using libFuzzer for ~7 hours with 6 parallel processes, to test whether Foundation's mutation detection is precise enough to catch all errors, such that we can declare it sound.A concrete place where this will be useful is Winit, which stores a
RefCell<Retained<NSMutableAttributedString>>inside of a subclass ofNSViewto track marked text, but theRefCellhere should be completely unnecessary.