libs: Add {Arc,Rc}::{from,into}_inner_raw, use them in std::thread internals

Fixes #224.

Author: RyanGlScott

libs/Patches.md

@@ -269,6 +269,17 @@ into the main commit for that patch, and then the *Update* line can be removed.
   check if the pointer is not equal to each of the individual sentinel values.
   See also the "Avoid raw pointer comparisons" note below.
 
+* Add `{Arc,Rc}::{from,inner}_into_raw` API functions (last applied: January 22, 2026)
+
+  `crucible-mir` is not currently able to simulate the
+  `{Arc,Rc}::{from,inner}_raw` functions, as they rely on non-trivial pointer
+  offsets plus read from type-casted pointers.
+  `{Arc,Rc}::{from,inner}_into_raw` offer alternatives with very similar types,
+  but which are implemented in a Crucible-friendly way. We use these functions
+  in the internals of `std::thread`.
+
+  See also the "`{Arc,Rc}::{from,inner}_into_raw`" below.
+
 # Notes
 
 This section contains more detailed notes about why certain patches are written
@@ -325,3 +336,54 @@ Using the `PartialEq` impl for raw pointers works better in a `crucible-mir`
 context. Instead of raising a simulation error, `crucible-mir` will simply
 return `False` when checking if a `MirReference_Integer` is equal to a valid
 `MirReference`.
+
+## `{Arc,Rc}::{from,into}_inner_raw`
+
+`crucible-mir` is not currently able to simulate the
+`{Arc,Rc}::{from,into}_raw` functions. This is because they subtract a constant
+offset from a `*T` pointer in order to obtain a pointer of type
+`*ArcInner<T>`/`*RcInner<T>`. This sort of pointer arithmetic is permitted in
+Rust, but `crucible-mir`'s memory model is not yet sophisticated enough to
+support this.
+
+As a workaround, we offer `{Arc,Rc}::{from,into}_inner_raw` API functions,
+which work directly on `*ArcInner<T>`/`*RcInner<T>` pointers instead of `*T`
+pointers, thereby avoiding the need for problematic pointer casts. This is not
+a perfect solution, as these functions will not work as drop-in replacements
+for `{Arc,Rc}::{from,into}_raw` in all situations due to the differences in
+types. Where they _do_ work as drop-in replacements are situations where a call
+to `{Arc,Rc}::into_raw` is followed by another call to `{Arc,Rc}::from_raw`,
+without reading the intermediate raw pointer in between. For instance, in the
+following example (taken from the [documentation for
+`Arc::from_raw`](https://doc.rust-lang.org/1.91.0/std/sync/struct.Arc.html#method.from_raw)):
+
+```rs
+use std::sync::Arc;
+
+let x = Arc::new("hello".to_owned());
+let x_ptr = Arc::into_raw(x);
+
+unsafe {
+    // Convert back to an `Arc` to prevent leak.
+    let x = Arc::from_raw(x_ptr);
+    assert_eq!(&*x, "hello");
+
+    // Further calls to `Arc::from_raw(x_ptr)` would be memory-unsafe.
+}
+```
+
+The calls to `Arc::{from,into}_raw` can be replaced with
+`Arc::{from,into}_inner_raw` with no change in functionality. This sort of
+pattern occurs fairly often in practice, so it is worth having at least some
+support for it. For example, the internals of `std::thread` also construct
+`Arc` values in a very similar fashion, so we also patch `std::thread` to use
+`Arc::{from,into}_inner_raw`.
+
+(An API design note: because `{Arc,Rc}::{from,into}_inner_raw` are exposed as
+part of the public API, we must also expose the (previously internal)
+`ArcInner` and `RcInner` types as a consequence.)
+
+Once `crucible-mir` finishes migrating to use `MirAggregate` (see
+https://github.com/GaloisInc/crucible/issues/1499), it should be able to
+simulate `{Arc,Rc}::{from,into}_raw` properly, which would allow us to remove
+`{Arc,Rc}::{from,into}_inner_raw`.

libs/alloc/src/rc.rs

@@ -278,7 +278,8 @@ use crate::vec::Vec;
 // would interfere with otherwise safe [into|from]_raw() of transmutable
 // inner types.
 #[repr(C)]
-struct RcInner<T: ?Sized> {
+#[stable(feature = "rc_raw", since = "1.17.0")]
+pub struct RcInner<T: ?Sized> {
     strong: Cell<usize>,
     weak: Cell<usize>,
     value: T,
@@ -1298,6 +1299,16 @@ impl<T: ?Sized> Rc<T> {
         unsafe { Self::from_raw_in(ptr, Global) }
     }
 
+    /// Like [`from_raw`], except that this function accepts an `RcInner<T>`
+    /// pointer instead of a `T` pointer. This is meant to serve as a
+    /// replacement for [`from_raw`] (to be used in conjunction with
+    /// [`into_inner_raw`]) that is feasible for `crucible-mir` to simulate.
+    #[inline]
+    #[stable(feature = "rc_raw", since = "1.17.0")]
+    pub unsafe fn from_inner_raw(ptr: *const RcInner<T>) -> Self {
+        unsafe { Rc::from_ptr(ptr as *mut RcInner<T>) }
+    }
+
     /// Consumes the `Rc`, returning the wrapped pointer.
     ///
     /// To avoid a memory leak the pointer must be converted back to an `Rc` using
@@ -1322,6 +1333,18 @@ impl<T: ?Sized> Rc<T> {
         Self::as_ptr(&*this)
     }
 
+    /// Like [`into_raw`], except that this function returns an `RcInner<T>`
+    /// pointer instead of a `T` pointer. This is meant to serve as a
+    /// replacement for [`into_raw`] (to be used in conjunction with
+    /// [`from_inner_raw`]) that is feasible for `crucible-mir` to simulate.
+    #[must_use = "losing the pointer will leak memory"]
+    #[stable(feature = "rc_raw", since = "1.17.0")]
+    #[rustc_never_returns_null_ptr]
+    pub fn into_inner_raw(this: Self) -> *const RcInner<T> {
+        let this = ManuallyDrop::new(this);
+        this.ptr.as_ptr() as *const RcInner<T>
+    }
+
     /// Increments the strong reference count on the `Rc<T>` associated with the
     /// provided pointer by one.
     ///

libs/alloc/src/sync.rs

@@ -367,7 +367,8 @@ impl<T: ?Sized, A: Allocator> fmt::Debug for Weak<T, A> {
 // would interfere with otherwise safe [into|from]_raw() of transmutable
 // inner types.
 #[repr(C)]
-struct ArcInner<T: ?Sized> {
+#[stable(feature = "rc_raw", since = "1.17.0")]
+pub struct ArcInner<T: ?Sized> {
     strong: Atomic<usize>,
 
     // the value usize::MAX acts as a sentinel for temporarily "locking" the
@@ -387,7 +388,9 @@ fn arcinner_layout_for_value_layout(layout: Layout) -> Layout {
     Layout::new::<ArcInner<()>>().extend(layout).unwrap().0.pad_to_align()
 }
 
+#[stable(feature = "rc_raw", since = "1.17.0")]
 unsafe impl<T: ?Sized + Sync + Send> Send for ArcInner<T> {}
+#[stable(feature = "rc_raw", since = "1.17.0")]
 unsafe impl<T: ?Sized + Sync + Send> Sync for ArcInner<T> {}
 
 impl<T> Arc<T> {
@@ -1443,6 +1446,16 @@ impl<T: ?Sized> Arc<T> {
         unsafe { Arc::from_raw_in(ptr, Global) }
     }
 
+    /// Like [`from_raw`], except that this function accepts an `ArcInner<T>`
+    /// pointer instead of a `T` pointer. This is meant to serve as a
+    /// replacement for [`from_raw`] (to be used in conjunction with
+    /// [`into_inner_raw`]) that is feasible for `crucible-mir` to simulate.
+    #[inline]
+    #[stable(feature = "rc_raw", since = "1.17.0")]
+    pub unsafe fn from_inner_raw(ptr: *const ArcInner<T>) -> Self {
+        unsafe { Arc::from_ptr(ptr as *mut ArcInner<T>) }
+    }
+
     /// Consumes the `Arc`, returning the wrapped pointer.
     ///
     /// To avoid a memory leak the pointer must be converted back to an `Arc` using
@@ -1467,6 +1480,18 @@ impl<T: ?Sized> Arc<T> {
         Self::as_ptr(&*this)
     }
 
+    /// Like [`into_raw`], except that this function returns an `ArcInner<T>`
+    /// pointer instead of a `T` pointer. This is meant to serve as a
+    /// replacement for [`into_raw`] (to be used in conjunction with
+    /// [`from_inner_raw`]) that is feasible for `crucible-mir` to simulate.
+    #[must_use = "losing the pointer will leak memory"]
+    #[stable(feature = "rc_raw", since = "1.17.0")]
+    #[rustc_never_returns_null_ptr]
+    pub fn into_inner_raw(this: Self) -> *const ArcInner<T> {
+        let this = ManuallyDrop::new(this);
+        this.ptr.as_ptr() as *const ArcInner<T>
+    }
+
     /// Increments the strong reference count on the `Arc<T>` associated with the
     /// provided pointer by one.
     ///

libs/std/src/sync/mod.rs

@@ -180,6 +180,8 @@ pub use core::sync::atomic;
 pub use alloc_crate::sync::UniqueArc;
 #[stable(feature = "rust1", since = "1.0.0")]
 pub use alloc_crate::sync::{Arc, Weak};
+#[stable(feature = "rc_raw", since = "1.17.0")]
+pub use alloc_crate::sync::ArcInner;
 
 // FIXME(sync_nonpoison,sync_poison_mod): remove all `#[doc(inline)]` once the modules are stabilized.
 

libs/std/src/thread/mod.rs

@@ -165,7 +165,7 @@ use crate::marker::PhantomData;
 use crate::mem::{self, ManuallyDrop, forget};
 use crate::num::NonZero;
 use crate::pin::Pin;
-use crate::sync::Arc;
+use crate::sync::{Arc, ArcInner};
 use crate::sync::atomic::{Atomic, AtomicUsize, Ordering};
 use crate::sys::sync::Parker;
 use crate::sys::thread as imp;
@@ -1647,7 +1647,7 @@ impl Thread {
     pub fn into_raw(self) -> *const () {
         // Safety: We only expose an opaque pointer, which maintains the `Pin` invariant.
         let inner = unsafe { Pin::into_inner_unchecked(self.inner) };
-        Arc::into_raw(inner) as *const ()
+        unsafe { Arc::into_inner_raw(inner) as *const () }
     }
 
     /// Constructs a `Thread` from a raw pointer.
@@ -1669,7 +1669,7 @@ impl Thread {
     #[unstable(feature = "thread_raw", issue = "97523")]
     pub unsafe fn from_raw(ptr: *const ()) -> Thread {
         // Safety: Upheld by caller.
-        unsafe { Thread { inner: Pin::new_unchecked(Arc::from_raw(ptr as *const Inner)) } }
+        unsafe { Thread { inner: Pin::new_unchecked(Arc::from_inner_raw(ptr as *const ArcInner<Inner>)) } }
     }
 
     fn cname(&self) -> Option<&CStr> {