Tracking allocator: mark `Spinlock::unlock()` as unsafe and provide a safety contract (#2156)

c46a7dbb · s0me0ne-unkn0wn · GitHub · 0c39cf04 · c46a7dbb
Unverified Commit c46a7dbb authored 1 year ago by s0me0ne-unkn0wn Committed by GitHub 1 year ago
--- a/polkadot/node/tracking-allocator/src/lib.rs
+++ b/polkadot/node/tracking-allocator/src/lib.rs
@@ -72,8 +72,11 @@ impl<T> Spinlock<T> {
 		}
 	}

+	// SAFETY: It should be only called from the guard's destructor. Calling it explicitly while
+	// the guard is alive is undefined behavior, as it breaks the security contract of `Deref` and
+	// `DerefMut`, which implies that lock is held at the moment of dereferencing.
 	#[inline]
-	fn unlock(&self) {
+	unsafe fn unlock(&self) {
 		self.lock.store(false, Ordering::Release);
 	}
 }
@@ -97,7 +100,9 @@ impl<T> DerefMut for SpinlockGuard<'_, T> {

 impl<T> Drop for SpinlockGuard<'_, T> {
 	fn drop(&mut self) {
-		self.lock.unlock();
+		// SAFETY: Calling `unlock` is only safe when it's guaranteed no guard outlives the
+		// unlocking point; here, the guard is dropped, so it is safe.
+		unsafe { self.lock.unlock() }
 	}
 }