Fix Arc::downgrade locking logic

Author: EFanZh

library/alloc/src/raw_rc.rs

@@ -27,11 +27,18 @@ use crate::string::String;
 use crate::vec::Vec;
 
 pub unsafe trait RcOps {
-    unsafe fn inc_ref(count: &UnsafeCell<usize>);
-    unsafe fn dec_ref(count: &UnsafeCell<usize>) -> bool;
+    unsafe fn inc_strong(strong_count: &UnsafeCell<usize>);
+    unsafe fn dec_strong(strong_count: &UnsafeCell<usize>) -> bool;
+
+    unsafe fn inc_weak(weak_count: &UnsafeCell<usize>);
+    unsafe fn dec_weak(weak_count: &UnsafeCell<usize>) -> bool;
+
     unsafe fn upgrade(strong_count: &UnsafeCell<usize>) -> bool;
+    unsafe fn downgrade(weak_count: &UnsafeCell<usize>);
+
     unsafe fn lock_strong_count(strong_count: &UnsafeCell<usize>) -> bool;
     unsafe fn unlock_strong_count(strong_count: &UnsafeCell<usize>);
+
     unsafe fn is_unique(strong_count: &UnsafeCell<usize>, weak_count: &UnsafeCell<usize>) -> bool;
 
     #[cfg(not(no_global_oom_handling))]
@@ -356,26 +363,14 @@ where
         unsafe { Self::from_raw_parts(self.ptr, self.alloc.clone()) }
     }
 
-    unsafe fn clone_unchecked<R>(&self) -> Self
-    where
-        A: Clone,
-        R: RcOps,
-    {
-        unsafe {
-            R::inc_ref(self.weak_count_unchecked());
-
-            self.clone_without_inc_ref()
-        }
-    }
-
     pub unsafe fn clone<R>(&self) -> Self
     where
         A: Clone,
         R: RcOps,
     {
         unsafe {
             if !self.is_dangling() {
-                R::inc_ref(self.weak_count_unchecked());
+                R::inc_weak(self.weak_count_unchecked());
             }
 
             self.clone_without_inc_ref()
@@ -402,7 +397,7 @@ where
         R: RcOps,
     {
         unsafe {
-            if R::dec_ref(self.weak_count_unchecked()) {
+            if R::dec_weak(self.weak_count_unchecked()) {
                 self.deallocate();
             }
         };
@@ -741,7 +736,7 @@ where
         R: RcOps,
     {
         unsafe {
-            R::inc_ref(self.strong_count());
+            R::inc_strong(self.strong_count());
 
             Self::from_weak(self.weak.clone_without_inc_ref())
         }
@@ -762,7 +757,7 @@ where
     }
 
     pub unsafe fn increment_strong_count<R: RcOps>(ptr: NonNull<T>) {
-        unsafe { R::inc_ref(strong_count_ptr_from_value_ptr(ptr.cast()).as_ref()) };
+        unsafe { R::inc_strong(strong_count_ptr_from_value_ptr(ptr.cast()).as_ref()) };
     }
 
     #[inline(never)]
@@ -780,7 +775,7 @@ where
         R: RcOps,
     {
         unsafe {
-            if R::dec_ref(self.strong_count()) {
+            if R::dec_strong(self.strong_count()) {
                 self.drop_slow::<R>();
             }
         };
@@ -791,7 +786,11 @@ where
         A: Clone,
         R: RcOps,
     {
-        unsafe { self.weak.clone_unchecked::<R>() }
+        unsafe {
+            R::downgrade(self.weak_count());
+
+            self.weak.clone_without_inc_ref()
+        }
     }
 
     pub unsafe fn get_mut_unchecked(&mut self) -> &mut T {

library/alloc/src/rc.rs

@@ -279,37 +279,53 @@ where
     move |raw_weak: &RawWeak<T, A>| f(unsafe { mem::transmute(raw_weak) })
 }
 
-enum RcOps {}
+unsafe fn inc_ref(count: &UnsafeCell<usize>) {
+    let count = unsafe { &mut *count.get() };
+    let strong = *count;
 
-unsafe impl raw_rc::RcOps for RcOps {
-    unsafe fn inc_ref(count: &UnsafeCell<usize>) {
-        let count = unsafe { &mut *count.get() };
-        let strong = *count;
+    // We insert an `assume` here to hint LLVM at an otherwise
+    // missed optimization.
+    // SAFETY: The reference count will never be zero when this is
+    // called.
+    unsafe { hint::assert_unchecked(strong != 0) };
+
+    let strong = count.wrapping_add(1);
+
+    *count = strong;
 
-        // We insert an `assume` here to hint LLVM at an otherwise
-        // missed optimization.
-        // SAFETY: The reference count will never be zero when this is
-        // called.
-        unsafe { hint::assert_unchecked(strong != 0) };
+    // We want to abort on overflow instead of dropping the value.
+    // Checking for overflow after the store instead of before
+    // allows for slightly better code generation.
+    if intrinsics::unlikely(strong == 0) {
+        intrinsics::abort();
+    }
+}
 
-        let strong = count.wrapping_add(1);
+unsafe fn dec_ref(count: &UnsafeCell<usize>) -> bool {
+    let count = unsafe { &mut *count.get() };
 
-        *count = strong;
+    *count -= 1;
 
-        // We want to abort on overflow instead of dropping the value.
-        // Checking for overflow after the store instead of before
-        // allows for slightly better code generation.
-        if intrinsics::unlikely(strong == 0) {
-            intrinsics::abort();
-        }
+    *count == 0
+}
+
+enum RcOps {}
+
+unsafe impl raw_rc::RcOps for RcOps {
+    unsafe fn inc_strong(strong_count: &UnsafeCell<usize>) {
+        unsafe { inc_ref(strong_count) };
     }
 
-    unsafe fn dec_ref(count: &UnsafeCell<usize>) -> bool {
-        let count = unsafe { &mut *count.get() };
+    unsafe fn dec_strong(strong_count: &UnsafeCell<usize>) -> bool {
+        unsafe { dec_ref(strong_count) }
+    }
 
-        *count -= 1;
+    unsafe fn inc_weak(weak_count: &UnsafeCell<usize>) {
+        unsafe { inc_ref(weak_count) };
+    }
 
-        *count == 0
+    unsafe fn dec_weak(weak_count: &UnsafeCell<usize>) -> bool {
+        unsafe { dec_ref(weak_count) }
     }
 
     unsafe fn upgrade(strong_count: &UnsafeCell<usize>) -> bool {
@@ -324,6 +340,10 @@ unsafe impl raw_rc::RcOps for RcOps {
         }
     }
 
+    unsafe fn downgrade(weak_count: &UnsafeCell<usize>) {
+        unsafe { inc_ref(weak_count) };
+    }
+
     unsafe fn lock_strong_count(strong_count: &UnsafeCell<usize>) -> bool {
         let strong_count = unsafe { &mut *strong_count.get() };
 

library/alloc/src/sync.rs

@@ -24,7 +24,7 @@ use core::pin::{Pin, PinCoerceUnsized};
 use core::ptr::{self, NonNull};
 use core::sync::atomic::Ordering::{Acquire, Relaxed, Release};
 use core::sync::atomic::{self, AtomicUsize};
-use core::{borrow, fmt, intrinsics};
+use core::{borrow, fmt, hint, intrinsics};
 
 #[cfg(not(no_global_oom_handling))]
 use crate::alloc::Layout;
@@ -80,55 +80,71 @@ macro_rules! acquire {
     };
 }
 
-enum RcOps {}
+unsafe fn inc_ref(count: &UnsafeCell<usize>) {
+    let count = unsafe { AtomicUsize::from_ptr(count.get()) };
+
+    // Using a relaxed ordering is alright here, as knowledge of the
+    // original reference prevents other threads from erroneously deleting
+    // the object.
+    //
+    // As explained in the [Boost documentation][1], Increasing the
+    // reference counter can always be done with memory_order_relaxed: New
+    // references to an object can only be formed from an existing
+    // reference, and passing an existing reference from one thread to
+    // another must already provide any required synchronization.
+    //
+    // [1]: (www.boost.org/doc/libs/1_55_0/doc/html/atomic/usage_examples.html)
+    let old_size = count.fetch_add(1, Relaxed);
+
+    // However we need to guard against massive refcounts in case someone is `mem::forget`ing
+    // Arcs. If we don't do this the count can overflow and users will use-after free. This
+    // branch will never be taken in any realistic program. We abort because such a program is
+    // incredibly degenerate, and we don't care to support it.
+    //
+    // This check is not 100% water-proof: we error when the refcount grows beyond `isize::MAX`.
+    // But we do that check *after* having done the increment, so there is a chance here that
+    // the worst already happened and we actually do overflow the `usize` counter. However, that
+    // requires the counter to grow from `isize::MAX` to `usize::MAX` between the increment
+    // above and the `abort` below, which seems exceedingly unlikely.
+    //
+    // This is a global invariant, and also applies when using a compare-exchange loop to increment
+    // counters in other methods.
+    // Otherwise, the counter could be brought to an almost-overflow using a compare-exchange loop,
+    // and then overflow using a few `fetch_add`s.
+    if old_size > MAX_REFCOUNT {
+        intrinsics::abort();
+    }
+}
 
-unsafe impl raw_rc::RcOps for RcOps {
-    unsafe fn inc_ref(count: &UnsafeCell<usize>) {
-        let count = unsafe { AtomicUsize::from_ptr(count.get()) };
+unsafe fn dec_ref(count: &UnsafeCell<usize>) -> bool {
+    let count = unsafe { AtomicUsize::from_ptr(count.get()) };
 
-        // Using a relaxed ordering is alright here, as knowledge of the
-        // original reference prevents other threads from erroneously deleting
-        // the object.
-        //
-        // As explained in the [Boost documentation][1], Increasing the
-        // reference counter can always be done with memory_order_relaxed: New
-        // references to an object can only be formed from an existing
-        // reference, and passing an existing reference from one thread to
-        // another must already provide any required synchronization.
-        //
-        // [1]: (www.boost.org/doc/libs/1_55_0/doc/html/atomic/usage_examples.html)
-        let old_size = count.fetch_add(1, Relaxed);
+    if count.fetch_sub(1, Release) == 1 {
+        acquire!(count);
 
-        // However we need to guard against massive refcounts in case someone is `mem::forget`ing
-        // Arcs. If we don't do this the count can overflow and users will use-after free. This
-        // branch will never be taken in any realistic program. We abort because such a program is
-        // incredibly degenerate, and we don't care to support it.
-        //
-        // This check is not 100% water-proof: we error when the refcount grows beyond `isize::MAX`.
-        // But we do that check *after* having done the increment, so there is a chance here that
-        // the worst already happened and we actually do overflow the `usize` counter. However, that
-        // requires the counter to grow from `isize::MAX` to `usize::MAX` between the increment
-        // above and the `abort` below, which seems exceedingly unlikely.
-        //
-        // This is a global invariant, and also applies when using a compare-exchange loop to increment
-        // counters in other methods.
-        // Otherwise, the counter could be brought to an almost-overflow using a compare-exchange loop,
-        // and then overflow using a few `fetch_add`s.
-        if old_size > MAX_REFCOUNT {
-            intrinsics::abort();
-        }
+        true
+    } else {
+        false
     }
+}
 
-    unsafe fn dec_ref(count: &UnsafeCell<usize>) -> bool {
-        let count = unsafe { AtomicUsize::from_ptr(count.get()) };
+enum RcOps {}
 
-        if count.fetch_sub(1, Release) == 1 {
-            acquire!(count);
+unsafe impl raw_rc::RcOps for RcOps {
+    unsafe fn inc_strong(strong_count: &UnsafeCell<usize>) {
+        unsafe { inc_ref(strong_count) };
+    }
 
-            true
-        } else {
-            false
-        }
+    unsafe fn dec_strong(strong_count: &UnsafeCell<usize>) -> bool {
+        unsafe { dec_ref(strong_count) }
+    }
+
+    unsafe fn inc_weak(weak_count: &UnsafeCell<usize>) {
+        unsafe { inc_ref(weak_count) };
+    }
+
+    unsafe fn dec_weak(weak_count: &UnsafeCell<usize>) -> bool {
+        unsafe { dec_ref(weak_count) }
     }
 
     unsafe fn upgrade(strong_count: &UnsafeCell<usize>) -> bool {
@@ -156,6 +172,39 @@ unsafe impl raw_rc::RcOps for RcOps {
         strong_count.fetch_update(Acquire, Relaxed, checked_increment).is_ok()
     }
 
+    unsafe fn downgrade(weak_count: &UnsafeCell<usize>) {
+        let weak_count = unsafe { AtomicUsize::from_ptr(weak_count.get()) };
+
+        // This Relaxed is OK because we're checking the value in the CAS
+        // below.
+        let mut cur = weak_count.load(Relaxed);
+
+        loop {
+            // check if the weak counter is currently "locked"; if so, spin.
+            if cur == usize::MAX {
+                hint::spin_loop();
+                cur = weak_count.load(Relaxed);
+
+                continue;
+            }
+
+            // We can't allow the refcount to increase much past `MAX_REFCOUNT`.
+            assert!(cur <= MAX_REFCOUNT, "{}", INTERNAL_OVERFLOW_ERROR);
+
+            // NOTE: this code currently ignores the possibility of overflow
+            // into usize::MAX; in general both Rc and Arc need to be adjusted
+            // to deal with overflow.
+
+            // Unlike with Clone(), we need this to be an Acquire read to
+            // synchronize with the write coming from `is_unique`, so that the
+            // events prior to that write happen before this read.
+            match weak_count.compare_exchange_weak(cur, cur + 1, Acquire, Relaxed) {
+                Ok(_) => break,
+                Err(old) => cur = old,
+            }
+        }
+    }
+
     unsafe fn lock_strong_count(strong_count: &UnsafeCell<usize>) -> bool {
         let strong_count = unsafe { AtomicUsize::from_ptr(strong_count.get()) };