Bug 1831467 - Avoid more UB from transmuting a ref to a ref with interior mutability. r=emilio, a=dsmith

glandium · glandium · commit d4175c7e4cf3 · 2023-07-17T11:38:56.000-04:00
aka one specific change in LLVM 16 introducing UB in Rust, take 3? 4? This time, we have multiple types like: #[xpcom(implement(nsISomething))] struct Foo { foo: RefCell<Something>, } impl Foo { fn from_interface(obj: &nsISomething) -> &Self { unsafe { ::std::mem::transmute(obj) } } } At first glance, this looks innocuous. But the problem is that nsISomething, as far as LLVM is informed by Rust, is readonly, but Foo, via the RefCell, has interious mutability. LLVM ends up assuming that any mutability that happens to that returned &Foo can't happen, and removes it. This is yet another case where rust-lang/rust#111229 would save our feet from this footgun LLVM 16 added and that the rust compiler doesn't help us prevent the least. Differential Revision: https://phabricator.services.mozilla.com/D183569 *** Bug 1831467 fix comment a=dsmith
diff --git a/xpcom/idl-parser/xpidl/rust.py b/xpcom/idl-parser/xpidl/rust.py
@@ -445,6 +445,21 @@ def print_rust_bindings(idl, fd, relpath):
     ///
     /// XPCOM interfaces in general are not safe to send across threads.
     __nosync: ::std::marker::PhantomData<::std::rc::Rc<u8>>,
+
+    // Make the rust compiler aware that there might be interior mutability
+    // in what actually implements the interface. This works around UB
+    // introduced by
+    // https://github.com/llvm/llvm-project/commit/01859da84bad95fd51d6a03b08b60c660e642a4f
+    // that a rust lint would make blatantly obvious, but doesn't exist.
+    // (See https://github.com/rust-lang/rust/issues/111229).
+    // This prevents optimizations, but those optimizations weren't available
+    // before rustc switched to LLVM 16, and they now cause problems because
+    // of the UB.
+    // Until there's a lint available to find all our UB, it's simpler to
+    // avoid the UB in the first place, at the cost of preventing optimizations
+    // in places that don't cause UB. But again, those optimizations weren't
+    // available before.
+    __maybe_interior_mutability: ::std::cell::UnsafeCell<[u8; 0]>,
 }
 
 // Implementing XpCom for an interface exposes its IID, which allows for easy
