Note that NonNull does not launder shared references for mutation

author Ralf Jung <post@ralfj.de>

Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)

committer Ralf Jung <post@ralfj.de>

Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)
author Ralf Jung <post@ralfj.de>
Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)
committer Ralf Jung <post@ralfj.de>
Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)
diff --git a/src/libcore/ptr.rs b/src/libcore/ptr.rs

index 53d41976030685c74620b76c1ee565b2dfef414c..a3cf8b63483f88368013597ef625e75d5c4e8a91 100644 (file)
--- a/src/libcore/ptr.rs
+++ b/src/libcore/ptr.rs
@@ -2874,6 +2874,15 @@ fn from(p: NonNull<T>) -> Self {
  /// Usually this won't be necessary; covariance is correct for most safe abstractions,
  /// such as Box, Rc, Arc, Vec, and LinkedList. This is the case because they
  /// provide a public API that follows the normal shared XOR mutable rules of Rust.
+///
+/// Notice that `NonNull<T>` has a `From` instance for `&T`. However, this does
+/// not change the fact that mutating through a (pointer derived from a) shared
+/// reference is undefined behavior unless the mutation happens inside an
+/// [`UnsafeCell<T>`]. When using this `From` instance without an `UnsafeCell<T>`,
+/// it is your responsibility to ensure that `as_mut` is never called, and `as_ptr`
+/// is never used for mutation.
+///
+/// [`UnsafeCell<T>`]: ../cell/struct.UnsafeCell.html
  #[stable(feature = "nonnull", since = "1.25.0")]
  #[repr(transparent)]
  #[rustc_layout_scalar_valid_range_start(1)]
author	Ralf Jung <post@ralfj.de>
	Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)
committer	Ralf Jung <post@ralfj.de>
	Tue, 12 Mar 2019 12:41:12 +0000 (13:41 +0100)