Derive data pointer only after dissolving Box to avoid unsound aliasing.

Author: adamreichold

src/array.rs

@@ -512,18 +512,17 @@ impl<T: Element, D: Dimension> PyArray<T, D> {
         Self::from_owned_ptr(py, ptr)
     }
 
-    pub(crate) unsafe fn from_raw_parts<'py, ID, C>(
+    pub(crate) unsafe fn from_raw_parts<'py, ID>(
         py: Python<'py>,
         dims: ID,
         strides: *const npy_intp,
         data_ptr: *const T,
-        container: C,
+        container: PySliceContainer,
     ) -> &'py Self
     where
         ID: IntoDimension<Dim = D>,
-        PySliceContainer: From<C>,
     {
-        let container = PyClassInitializer::from(PySliceContainer::from(container))
+        let container = PyClassInitializer::from(container)
             .create_cell(py)
             .expect("Failed to create slice container");
 
@@ -679,7 +678,15 @@ impl<T: Element, D: Dimension> PyArray<T, D> {
     pub fn from_owned_array<'py>(py: Python<'py>, mut arr: Array<T, D>) -> &'py Self {
         let (strides, dims) = (arr.npy_strides(), arr.raw_dim());
         let data_ptr = arr.as_mut_ptr();
-        unsafe { Self::from_raw_parts(py, dims, strides.as_ptr(), data_ptr, arr) }
+        unsafe {
+            Self::from_raw_parts(
+                py,
+                dims,
+                strides.as_ptr(),
+                data_ptr,
+                PySliceContainer::from(arr),
+            )
+        }
     }
 
     /// Get a reference of the specified element if the given index is valid.
@@ -1074,7 +1081,15 @@ impl<D: Dimension> PyArray<PyObject, D> {
     pub fn from_owned_object_array<'py, T>(py: Python<'py>, mut arr: Array<Py<T>, D>) -> &'py Self {
         let (strides, dims) = (arr.npy_strides(), arr.raw_dim());
         let data_ptr = arr.as_mut_ptr() as *const PyObject;
-        unsafe { PyArray::from_raw_parts(py, dims, strides.as_ptr(), data_ptr, arr) }
+        unsafe {
+            Self::from_raw_parts(
+                py,
+                dims,
+                strides.as_ptr(),
+                data_ptr,
+                PySliceContainer::from(arr),
+            )
+        }
     }
 }
 

src/convert.rs

@@ -10,6 +10,7 @@ use crate::dtype::Element;
 use crate::error::MAX_DIMENSIONALITY_ERR;
 use crate::npyffi::{self, npy_intp};
 use crate::sealed::Sealed;
+use crate::slice_container::PySliceContainer;
 
 /// Conversion trait from owning Rust types into [`PyArray`].
 ///
@@ -48,11 +49,15 @@ impl<T: Element> IntoPyArray for Box<[T]> {
     type Item = T;
     type Dim = Ix1;
 
-    fn into_pyarray<'py>(mut self, py: Python<'py>) -> &'py PyArray<Self::Item, Self::Dim> {
-        let dims = [self.len()];
+    fn into_pyarray<'py>(self, py: Python<'py>) -> &'py PyArray<Self::Item, Self::Dim> {
+        let container = PySliceContainer::from(self);
+        let dims = [container.len];
         let strides = [mem::size_of::<T>() as npy_intp];
-        let data_ptr = self.as_mut_ptr();
-        unsafe { PyArray::from_raw_parts(py, dims, strides.as_ptr(), data_ptr, self) }
+        // The data pointer is derived only after dissolving `Box` into `PySliceContainer`
+        // to avoid unsound aliasing of Box<[T]> which is currently noalias,
+        // c.f. https://github.com/rust-lang/unsafe-code-guidelines/issues/326
+        let data_ptr = container.ptr as *mut T;
+        unsafe { PyArray::from_raw_parts(py, dims, strides.as_ptr(), data_ptr, container) }
     }
 }
 
@@ -64,7 +69,15 @@ impl<T: Element> IntoPyArray for Vec<T> {
         let dims = [self.len()];
         let strides = [mem::size_of::<T>() as npy_intp];
         let data_ptr = self.as_mut_ptr();
-        unsafe { PyArray::from_raw_parts(py, dims, strides.as_ptr(), data_ptr, self) }
+        unsafe {
+            PyArray::from_raw_parts(
+                py,
+                dims,
+                strides.as_ptr(),
+                data_ptr,
+                PySliceContainer::from(self),
+            )
+        }
     }
 }
 

src/slice_container.rs

@@ -6,8 +6,8 @@ use pyo3::pyclass;
 /// Utility type to safely store `Box<[_]>` or `Vec<_>` on the Python heap
 #[pyclass]
 pub(crate) struct PySliceContainer {
-    ptr: *mut u8,
-    len: usize,
+    pub(crate) ptr: *mut u8,
+    pub(crate) len: usize,
     cap: usize,
     drop: unsafe fn(*mut u8, usize, usize),
 }
@@ -22,13 +22,13 @@ impl<T: Send> From<Box<[T]>> for PySliceContainer {
 
         // FIXME(adamreichold): Use `Box::into_raw` when
         // `*mut [T]::{as_mut_ptr, len}` become stable and compatible with our MSRV.
-        let ptr = data.as_ptr() as *mut u8;
+        let mut data = mem::ManuallyDrop::new(data);
+
+        let ptr = data.as_mut_ptr() as *mut u8;
         let len = data.len();
         let cap = 0;
         let drop = drop_boxed_slice::<T>;
 
-        mem::forget(data);
-
         Self {
             ptr,
             len,
@@ -46,13 +46,13 @@ impl<T: Send> From<Vec<T>> for PySliceContainer {
 
         // FIXME(adamreichold): Use `Vec::into_raw_parts`
         // when it becomes stable and compatible with our MSRV.
-        let ptr = data.as_ptr() as *mut u8;
+        let mut data = mem::ManuallyDrop::new(data);
+
+        let ptr = data.as_mut_ptr() as *mut u8;
         let len = data.len();
         let cap = data.capacity();
         let drop = drop_vec::<T>;
 
-        mem::forget(data);
-
         Self {
             ptr,
             len,