Use UnsafeCell in ThreadRng

Author: pitdicker

src/thread_rng.rs

@@ -10,7 +10,7 @@
 
 //! Thread-local random number generator
 
-use std::cell::RefCell;
+use std::cell::UnsafeCell;
 use std::rc::Rc;
 
 use {RngCore, CryptoRng, SeedableRng, EntropyRng};
@@ -32,18 +32,18 @@ const THREAD_RNG_RESEED_THRESHOLD: u64 = 32*1024*1024; // 32 MiB
 /// [`thread_rng`]: fn.thread_rng.html
 #[derive(Clone, Debug)]
 pub struct ThreadRng {
-    rng: Rc<RefCell<ReseedingRng<Hc128Core, EntropyRng>>>,
+    rng: Rc<UnsafeCell<ReseedingRng<Hc128Core, EntropyRng>>>,
 }
 
 thread_local!(
-    static THREAD_RNG_KEY: Rc<RefCell<ReseedingRng<Hc128Core, EntropyRng>>> = {
+    static THREAD_RNG_KEY: Rc<UnsafeCell<ReseedingRng<Hc128Core, EntropyRng>>> = {
         let mut entropy_source = EntropyRng::new();
         let r = Hc128Core::from_rng(&mut entropy_source).unwrap_or_else(|err|
                 panic!("could not initialize thread_rng: {}", err));
         let rng = ReseedingRng::new(r,
                                     THREAD_RNG_RESEED_THRESHOLD,
                                     entropy_source);
-        Rc::new(RefCell::new(rng))
+        Rc::new(UnsafeCell::new(rng))
     }
 );
 
@@ -77,23 +77,31 @@ pub fn thread_rng() -> ThreadRng {
     ThreadRng { rng: THREAD_RNG_KEY.with(|t| t.clone()) }
 }
 
+/*
+When could we get more then two active mutable references to `thread_rng`?
+Normally there are only mutable references to the RNG inside `UnsafeCell` inside `next_u32`, `next_u64` etc. Within a single thread (which is the definition of `ThreadRng`), there will only ever be one of these functions active at a time.
+
+A possible scenario where there could be multiple mutable references is if `ThreadRng` is used _inside_ `next_u32` and co. But the three parts that make up `ThreadRng`, a PRNG, `EntropyRng` and the `ReseedingRng` wrapper are all under our control. We just have to ensure none of them use `ThreadRng` internally, which is nonsensical anyway.
+
+Another possible option might be if we where in the middle of `next_u32` (and co.), another thread panics, in this thread destructors start to run, and the destructors make use of `ThreadRng`. Is this a real problem or does panicking work differently?
+*/
 impl RngCore for ThreadRng {
     #[inline(always)]
     fn next_u32(&mut self) -> u32 {
-        self.rng.borrow_mut().next_u32()
+        unsafe { (*self.rng.get()).next_u32() }
     }
 
     #[inline(always)]
     fn next_u64(&mut self) -> u64 {
-        self.rng.borrow_mut().next_u64()
+        unsafe { (*self.rng.get()).next_u64() }
     }
 
     fn fill_bytes(&mut self, bytes: &mut [u8]) {
-        self.rng.borrow_mut().fill_bytes(bytes)
+        unsafe { (*self.rng.get()).fill_bytes(bytes) }
     }
 
     fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), Error> {
-        self.rng.borrow_mut().try_fill_bytes(dest)
+        unsafe { (*self.rng.get()).try_fill_bytes(dest) }
     }
 }