Fix unsoundness issues (mem::zeroed / ManuallyDrop -> MaybeUninit)

[cynecx]

Several libs in crossbeam contain unsound code (eg. Block::new). This PR fixes them and requires a MSRV upgrade to 1.36.

[ghost]

Thank you for the PR! Is it still in progress? Looks good to merge to me :)

We also have some instances of uninitialized memory in bounded queues (files array.rs and array_queue.rs) where it would be good to use MaybeUninit.

[cynecx]

@stjepang Well, the issue is the MSRV bump to 1.36 (MaybeUninit), that's why I've opened this as a draft. So you are saying that we should go ahead with the MSRV bump?

We also have some instances of uninitialized memory in bounded queues (files array.rs and array_queue.rs) where it would be good to use MaybeUninit.

Yes, I will update them shortly and mark this PR ready for review then :).

[cynecx]

@stjepang There is a failure in crossbeam's array flavoured channel: travis.

---- drops stdout ----
thread 'main' panicked at 'assertion failed: `(left == right)`
  left: `9336`,
 right: `9338`', crossbeam-channel/tests/array.rs:533:9
note: Run with `RUST_BACKTRACE=1` environment variable to display a backtrace.

The MaybeUninit unsoundness fix should be right, unless I am missing something?

EDIT:

nvm I think I missed something, pushing the fix in a moment.

[cynecx]

@stjepang It's ready for review now.

[cynecx]

This PR is ready now.

[cynecx]

Friendly neighborhood ping.

[taiki-e]

fyi: by using https://crates.io/crates/maybe-uninit crate, we can avoid the MSRV bump (like smallvec 0.6 did)

[spacejam]

@taiki-e that seems really appealing to me. maybe-uninit seems like a pretty lightweight crate, 0 dependencies and over 1 million downloads since its fairly recent release in November 2019. Some pretty large projects rely on this crate and it's nice to avoid the transitive MSRV bump decision if they would otherwise be willing to update. This then allows a larger number of Rust users of unsafe code to make more progress when running miri. (that is actually what led me here - I want to use miri on more parts of sled).

[ghost]

I think we should just bump the minimum Rust version and consider publishing crossbeam 1.0 soon. A lot of unsafe code in crossbeam is really dealing with uninitialized memory so it's important we start using MaybeUninit ASAP.

[spacejam]

one final consideration, @stjepang mentioned to me yesterday that rayon lags by a year. bumping MSRV to 1.36 means they need to wait until July 4 2020 before they can reduce their reliance on the uninitialized usage here. By using the maybe-uninit crate as a stopgap measure until july 4, it's possible for crossbeam to do a non-breaking patch update that silently reduces risk for more users. but, I'm not the one maintaining this, so I'll duck out at this point. although, if using that crate is a desired solution, I'm happy to implement it real quick since I'm an unemployed hobo.

[cynecx]

@spacejam’s reasoning is really convincing. ping @stjepang.

[jonhoo]

I would love to see this land so that miri will work on downstream crates like https://github.com/jonhoo/flurry too!

[jonhoo]

@jeehoonkang @stjepang what are next steps for this PR? I think we need your decision for who to best move forward. It'd probably be good to land this PR in one form or another sooner rather than later.

[jeehoonkang]

I prefer maybe-uninit to bumping MSRV. It looks like a fine temporary measure we can take.

[jonhoo]

Thanks! @cynecx, do you have the time to update the PR to use maybe-uninit?

[cynecx]

@jonhoo Sure :) The changes should be up in an hour(-ish)!

[cynecx]

A question though, instead of adding maybe-uninit to each crate, should I just put it in crossbeam-utils and export a type-alias (MaybeUninit)? This would have a benefit, that future updates would simply have to change the type-alias in order to change the underlying MaybeUninit implementation. Also most of the affected crates are already having crossbeam-utils as a dependency, so that we just have to add the maybe-uninit dependency in crossbeam-utils. Thoughts?

[jonhoo]

I would keep it separate, since (I think) it's weird for crossbeam-utils crate to publicly expose that type alias. If it could expose it just to other crossbeam crates, then sure, but I don't think that's really an option.

[cuviper]

If you reexport it, it becomes part of the public API, including the fact that it's identical to maybe-uninit's type. You'd have to wrap it in a newtype to avoid that equality, to let you freely change the impl.

[cynecx]

I hope it's okay if I force-push now to address the merge-conflict? Because that will mess-up the review for sure xD.

Whatever, seems like the review boxed are marked outdated anyway.

[jeehoonkang]

Thanks!

bors r+

[bors]

Build succeeded

• continuous-integration/travis-ci/push

[jonhoo]

@jeehoonkang Nice, thanks! What's the plan for next release between this and #466 ? Would be good to land something soon to get those out.