fix data race in thread::scope

[RalfJung]

Puts the ScopeData into an Arc so it sticks around as long as we need it.
This means one extra Arc::clone per spawned scoped thread, which I hope is fine.

Fixes #98498
r? @m-ou-se

[rust-highfive]

Hey! It looks like you've submitted a new PR for the library teams!

If this PR contains changes to any rust-lang/rust public library APIs then please comment with @rustbot label +T-libs-api -T-libs to tag it appropriately. If this PR contains changes to any unstable APIs please edit the PR description to add a link to the relevant API Change Proposal or create one if you haven't already. If you're unsure where your change falls no worries, just leave it as is and the reviewer will take a look and make a decision to forward on if necessary.

Examples of T-libs-api changes:

• Stabilizing library features
• Introducing insta-stable changes such as new implementations of existing stable traits on existing stable types
• Introducing new or changing existing unstable library APIs (excluding permanently unstable features / features without a tracking issue)
• Changing public documentation in ways that create new stability guarantees
• Changing observable runtime behavior of library APIs

[danielhenrymantilla]

Hmm, I raced with your PR, @RalfJung 😅: #98504. At least now we can freely pick between the Arc and the UnsafeCell approaches

[CAD97]

Removing a lifetime parameter from a stable item is API breaking, is it not?

[RalfJung]

Oh, I didn't realize this is public. oops

[CAD97]

For my own confidence: PhantomData<&'scope> is the correct existing variance here. (The lifetime variances involved in this API is subtle and controlled by PhantomData, not just normal references.)

[m-ou-se]

This looks like a good fix for the issue. We could look into a solution without an Arc later, although I doubt it matters much.

Thanks!

@bors r+

[bors]

📌 Commit 846bba4616e70ae9275e947eb450deb7a82f0a79 has been approved by m-ou-se

[m-ou-se]

@bors r-

[m-ou-se]

The PhantomData<&'scope T> in ScopedJoinHandle results in slightly different behavior. It's correct for the variance of 'a, but it makes a difference for dropck.

This snippet errors before this change, but compiles after this change:

use std::thread::ScopedJoinHandle;

fn x<'a>(_: &'a i32, h: ScopedJoinHandle<'a, i32>) -> ScopedJoinHandle<'a, i32> {
    h
}

fn main() {
    std::thread::scope(|s| {
        let mut v = Vec::new();
        {
            let a = 1;
            v.push(x(&a, s.spawn(|| 1)));
        }
    });
}

[m-ou-se]

(Whether that's a real issue.. I'm not sure yet. But it's a publicly visible change, although an extremely subtle one.)

[RalfJung]

So, was it previously invariant? Or should I replace T by ()?

[RalfJung]

Looking at the old type, the data under lifetime 'scope is ScopeData. So I switched to that type in the PhantomType. I would think that means the old behavior is preserved?

[m-ou-se]

Yeah, that sounds right. Testing now..

[m-ou-se]

Nope. It still compiles.

[RalfJung]

That... doesn't make any sense, or does it?

[m-ou-se]

&'scope ScopeData doesn't have a Drop impl. We need something that has 'scope and might use that lifetime in its Drop impl.

[RalfJung]

The old code doesn't have such a thing either, though?

[m-ou-se]

It did: JoinInner's drop glue could drop a Packet<'scope, T>, which has a Drop implementation without #[may_dangle].

[RalfJung]

Ah, this should do it. The lifetime needs to be on Packet since that has a impl Drop without may_dangle.

[vincenzopalazzo]

LGTM!

[CAD97]

Just as another set of eyes: the current change looks like it should be trivially invisible to public API. The extent of potentially-public-visible changes are:

• Packet now additionally inherits autotrait constraints from Arc<scoped::ScopeData>.
• Scope now inherits autotrait constraints from Arc<ScopeData> instead of ScopeData.

ScopeData is Send + Sync + Unpin + UnwindSafe + RefUnwindSafe, thus no public change is visible.

---

A potential note for the future, though: Scope uses &'a mut &'a mut () to achieve invariance over 'a. This does accomplish this, but it also makes Scope not UnwindSafe.