Remove Mutex from GdCellInner

[Yarwin]

What problem does this PR solve?

Currently without experimental threads when user ask for a borrow/mut, we get a cell with user data ("rust part"), lock its state (state being, pretty much, a refcount) with mutex and check if it can be safely handled to the user (i.e. we make sure that if you get &T, it refers to safe &T – i.e. there isn't any active &mut T – and vice versa for&mut T. We allow for re-entrancy with base_mut(), but that's not important for now).

Without experimental-threads ("panicking" access) we don't allow to access binding from other threads than the main one at all (i.e. no data race is possible), while with experimental-threads ("blocking" access) enabled we handle locking/blocking via the thread tracker (i.e. no data race is possible because every thread needs to wait to acquire their borrow) thus this additional lock is just silly.

(and it makes rapier sad!)

Acknowledges etc

Rapier uses version of GdCell without mutex which has been working great despite violating stacked borrows (see: Unsafe Code Guidelines: Stacked Borrows) with MutGuard (both in lilyz and mine versions 😅) and probably data race for non-blocking version 😒.

Miri was Mad

test cell::test::allow_inaccessible_mut_mut ... error: Undefined Behavior: trying to retag from <146066> for Unique permission at alloc47455[0x0], but that tag does not exist in the borrow stack for this location
   --> godot-cell/src/cell.rs:324:14
    |
324 |         drop(guard1);
    |              ^^^^^^
    |              |
    |              this error occurs as part of retag (of a reference/box inside this compound value) at alloc47455[0x0..0x30]
    |              errors for retagging in fields are fairly new; please reach out to us (e.g. at <https://rust-lang.zulipchat.com/#narrow/stream/269128-miri>) if you find this error troubling
    |
    = help: this indicates a potential bug in the program: it performed an invalid operation, but the Stacked Borrows rules it violated are still experimental
    = help: see https://github.com/rust-lang/unsafe-code-guidelines/blob/master/wip/stacked-borrows.md for further information
help: <146066> was created by a Unique retag at offsets [0x0..0x30]
   --> godot-cell/src/cell.rs:306:26
    |
306 |         let mut guard1 = cell.borrow_mut().unwrap();
    |                          ^^^^^^^^^^^^^^^^^^^^^^^^^^
help: <146066> was later invalidated at offsets [0x0..0x30] by a Unique retag
   --> godot-cell/src/guards.rs:220:35
    |
220 |         let cell_state = unsafe { state.as_mut() }.unwrap();
    |                                   ^^^^^^^^^^^^^^
    = note: BACKTRACE (of the first span) on thread `cell::test::all`:
    = note: inside `cell::test::allow_inaccessible_mut_mut` at godot-cell/src/cell.rs:324:14: 324:20

Said custom version can be found there: https://github.com/Yarwin/gdext/tree/custom-rapier-branch.

Version present in this PR obviously avoids this problem by using UnsafeCell for panicking Guards.

Other stuff

It took me a while, since I was experimenting with other approaches for cells (for example AtomicRefCell with atomic usize – allows for access from multiple threads, panics if multiple borrow_mut are requested. Solves some problems – for example editor accessing bindings from non-main thread to check properties – but might cause giant headache when it comes to re-entrancy).

We won't change our approach for a while I guess, so we can remove this silly mutex in a meanwhile 🤷.

---

• Remove Mutex from GdCellInner since it doesn't serve any purpose – without experimental-threads we don't allow to access bindings from threads other than the main one, while blocking cell used with experimental-threads has its own blocking mechanism.
• Use NonNull instead of *mut T for CellState.

[GodotRust]

API docs are being generated and will be shortly available at: https://godot-rust.github.io/docs/gdext/pr-1442

[Bromeon]

Rapier uses version of GdCell without mutex which has been working great despite violating stacked borrows (see: Unsafe Code Guidelines: Stacked Borrows) with MutGuard (both in lilyz and mine versions 😅).

Using UnsafeCell obviously avoids this (theoretical?) problem.

Miri was Mad

This sounds a lot like "we might introduce UB but let's just pray" 😬

Are you sure this is sound? If it is, we should find a way to make it work with miri, no? That's pretty much its purpose, after all...

[Yarwin]

Draft – failing CI is expected but MutGuardBlocking was using CellState's Mutex for blocking (which can cause data races which is UB). I'll probably wrap it in Mutex

[Yarwin]

Are you sure this is sound? If it is, we should find a way to make it work with miri, no? That's pretty much its purpose, after all...

Yes, current version – presented in this PR – is sound and Miri doesn't report anything. The troublesome version is present on custom branch for rapier: https://github.com/Yarwin/gdext/tree/custom-rapier-branch.

[Yarwin]

GdCellInner no longer implements Sync and blocking guards (including a new one, InaccessibleGuardBlocking) use thread_tracker to provide thread safety when using GdCell.

I thought about using Pin<Arc<Mutex<T>>> for GdCellBlocking's inner but it is kinda pointless 🤔 – practically state is going to be guarded by thread_tracker anyway.

We might want to change name of panicking Cell module to single_threaded.

Output of running miri against current branch:

$ cargo +nightly miri test -p godot-cell --
    Finished `test` profile [unoptimized + debuginfo] target(s) in 0.02s
     Running unittests src/lib.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/godot_cell-5969cd65ba219090)

running 7 tests
test borrow_state::test::poisoned_unset_shared_ref ... ok
test cell::test::allow_inaccessible_mut_mut ... ok
test cell::test::allow_shared_shared ... ok
test cell::test::different_inaccessible ... ok
test cell::test::prevent_mut_mut ... ok
test cell::test::prevent_mut_shared ... ok
test cell::test::prevent_shared_mut ... ok

test result: ok. 7 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.85s

     Running tests/mock/main.rs (target/miri/x86_64-unknown-linux-gnu/debug/deps/mock-8c8972fec9dd3efe)

running 7 tests
test blocking::calls_parallel ... ok
test blocking::calls_parallel_many_parallel ... ok
test blocking::calls_parallel_many_serial ... ok
test blocking::no_mut_panic_on_main ... ok
test blocking::non_blocking_reborrow ... ok
test panicking::all_calls_work ... ok
test panicking::call_works ... ok

test result: ok. 7 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 15.82s

   Doc-tests godot_cell

running 0 tests

test result: ok. 0 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out; finished in 0.00s

[Bromeon]

Thanks a lot! Gave it a preliminary review.

Lots of parts are not really clear to me -- either they rely on implicit assumptions or lack documentation such as safety statements. There are also several code constructs that look suspicious or overly complex. I'm not usually that pedantic about it, but godot-cell is such a central crate that it's important everything is as clear as possible.

[Bromeon]

These were some decent tests, can we at least run them in experimental-threads?

[Yarwin]

They are still included in tests/mock/blocking.rs

[Bromeon]

Needs safety statement. Please keep any safe operation outside this statement.

[Bromeon]

Same here

[Bromeon]

3rd occurrence of this -- maybe extract to unsafe fn. Still needs safety statement for each call, and separate that from other operations instead of one mega chain combining safe/unsafe ops.

[Bromeon]

This looks very convoluted, is there no more straightforward way? Why not at least keep a pointer around instead of 3 times obtaining via &raw?

Are you certain that write is needed here?

ptr could also have a clearer name, since there are so many pointers flying around 🙂

[Yarwin]

fix'd, splitting it into three separate parts was rather poor choice.

I still construct a GdCellInner out of uninitialized box – initialize_ptr function was a little too error prone (and it is easy to introduce UB due to refactor if one would construct fields before the box/pinning).

[Bromeon]

Why the scope if you call get() immediately again?

Is there a chance of aliasing after the { ... } block, or is an exclusive reference otherwise problematic?

[Bromeon]

For standard std::sync::Mutex, the Sync trait is implemented as follows:

  impl<T: ?Sized + Send> Sync for Mutex<T>

T must be Send for Mutex to be Sync. This ensures that the protected data can be accessed safely from multiple threads without causing data races or other unsafe behavior.

Doesn't the same reasoning apply here? I.e. T needs to be Send rather than Send + Sync?

[Yarwin]

Makes sense, I updated the comment – while it could be true for GdCell it certainly doesn't make sense for GdCellBlocking. Logically – T is send, while GdCellBlocking provides Sync – and T can't be sync, since it would allow messing with it outside the GdCellBlocking.

[Bromeon]

Quite a bit of repetitiveness on accessing the inner reference, could become its own method(s). Might or might not reduce the number of unsafe blocks needed 🤔

[Bromeon]

The SAFETY clause should focus on information that makes this impl safe and avoid reduncancies.
I'm not quite sure which one it is here:

• "the only way to access underlying T from multiple thread is via GdCellBlocking" -> is this something that needs to be externally upheld? Or is it guaranteed by the GdCellBlocking API? If the latter, it should maybe be specified how (e.g. through mut guard).

• "T must be only Send" -> clear from signature. Unless you mean it must not be Sync, but then that should be stated explicitly (but I don't see why that would be a requirement).

• " This ensures ... without causing data races or other unsafe behavior." -> that's general soundness in Rust and a consequence of implementing it correctly, not the requirement.

It's not technically wrong what you wrote, but keeping it focused on the exact reasons has less risk of watering down what exactly contributes to this being sound, and as such helps the overall clarity.

[Bromeon]

This is a great safety clause, for example 👍 concise and to the point.

[Bromeon]

I think it's fine to omit this part since you just referenced it.

[Bromeon]

From the docs it's not quite clear why ManuallyDrop<Self> is returned on error, and not Self directly 🤔

[Bromeon]

Please split into individual unsafe blocks and extract all safe operations outside. It will be more verbose, but with a per-unsafe // SAFETY statement also more clear.

For example, as_mut_ptr(), UnsafeCell::new(), Box::into_pin() etc. are all safe.

[Bromeon]

Safety statement missing.

If it gets too repetitive and there's the option to make a safe abstraction, e.g. method, due to invariants of the struct... then that's also an option.

[Bromeon]

See previous comment.

[Bromeon]

Another referencing of cell_state.get() happening, should probably be its own method at this point 🙂

[Yarwin]

Don't merge it in a meanwhile, I need to give it good testing to make sure everything is alright (should be)