lazy::Lazy<T> having public fields is unsound.

[eddyb]

While normally only used within the lazy_static macro, the type and its fields need to be public, at least for the old macro_rules macros. This poses both a safety (the fields are used in unsafe ways) and stability hazard (changing implementation details is technically breaking).

Because Lazy::get takes &'static mut self, it's hard to abuse (static mut itself is unsafe, so it doesn't really count here), but Box::leak does let you create a &'static mut at runtime, so you could, in theory, leak a Lazy<T>, trigger the call_once manually, then call Lazy::get, which will return an invalid reference to a T (since no actual initialization occurred).

To construct a Lazy<T> to initialize the static in the macro, you can use associated consts (since 1.20):

impl<T> Lazy<T> {
    const INIT: Self = Lazy(None, ONCE_INIT);
}

This way, the fields can be made private (we should try a crater run if possible - cc @kennytm @Mark-Simulacrum - just to make sure nobody was using the Lazy type themselves).

[KodrAus]

Hmm, this is pretty subtle...

I'd be suspicious of any case that uses Lazy directly since it's really meant to be an implementation detail that's only leaked out of necessity.

Still, I think we should patch out the soundness hole if we can.

[pietroalbini]

A crater run is possible for this. Is #103 the branch with the change?

[KodrAus]

@pietroalbini Sounds good! We haven't got a branch with the change just yet, should we give you a ping when there is one ready?

[pietroalbini]

@KodrAus yes, thanks!

[eddyb]

@KodrAus Are you working on this, or should I open a PR?

[anp]

I'll work on this and include it with #103.

[KodrAus]

@pietroalbini Alrighty, we've got a patch ready now in 0463a90

[KodrAus]

Friendly ping @pietroalbini Do you think the release team will have some bandwidth for a crater run on our lazy_static patch?

[pietroalbini]

Uh, woops! Totally forgot about this!

Crater run started, it should be finished in a bit more than a day.

[KodrAus]

No worries :) Thanks again @pietroalbini

[pietroalbini]

Hi @KodrAus (crater requester)! Crater results are at: https://cargobomb-reports.s3.amazonaws.com/lazy_static-1/index.html. 'Blacklisted' crates (spurious failures etc) can be found here. If you see any spurious failures not on the list, please make a PR against that file.

(interested observers: Crater is a tool for testing the impact of changes on parts of the Rust ecosystem. You can find out more at the repo if you're curious)

[pietroalbini]

In other news, no regressions 🎉🎉

[KodrAus]

Thanks @pietroalbini! I appreciate your effort executing and examining the crater run ❤️

[anp]

Can we close this? #103 made the fields of Lazy private for both the inline & heap impls. The core/no_std impl already made use of const_fn to avoid having public fields, so there's no soundness issue to resolve there.