Skip to content

Unsoundness of QObjectPinned borrowing #146

New issue
New issue
Open
Open
Unsoundness of QObjectPinned borrowing#146
Labels
C-enhancementCategory: An issue proposing an enhancement or a PR with one.E-hardCall for participation: Experience needed to fix: Hard / a lotI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness
Milestone
std::pin::Pin
@farmaazon

Description

@farmaazon
farmaazon
opened on May 24, 2021

When I dived into the crate's code I found the definition of QObjectPinned::borrow in qmetaobject.rs, which returns just the dereferenced pointer:

    /// Borrow the object
    // FIXME: there are too many cases for which we want reentrance after borrowing
    //pub fn borrow(&self) -> std::cell::Ref<T> { self.0.borrow() }
    #[cfg_attr(feature = "cargo-clippy", allow(clippy::should_implement_trait))]
    pub fn borrow(&self) -> &T {
        unsafe { &*self.0.as_ptr() }
    }

This is a part of the public API, so any user can use it any way: they are able to make and keep one mutable and many immutable reference to same object at the same time, without making any block unsafe, so it perfectly fits the unsoundness definition.

I think the better solution would be having the "commented" version of borrow method (which actually borrows the RefCell content), and as_ptr function to use in places when it is needed (according to the FIXME) - but such places should mark it with proper unsafe section.

Metadata

Metadata

Assignees

No one assigned

    Labels

    C-enhancementCategory: An issue proposing an enhancement or a PR with one.E-hardCall for participation: Experience needed to fix: Hard / a lotI-unsoundIssue: A soundness hole (worst kind of bug), see: https://en.wikipedia.org/wiki/Soundness

    Type

    No type

    Projects

    No projects

    Milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions