revise safety of internal get_rng method for ThreadLocalEntropy

Bluefinger · Bluefinger · commit 1fa16bf593f5 · 2023-03-13T12:55:25.000+01:00
diff --git a/crates/bevy_entropy/src/thread_local_entropy.rs b/crates/bevy_entropy/src/thread_local_entropy.rs
@@ -16,36 +16,48 @@ impl ThreadLocalEntropy {
     /// allow mutable access without a cell, so using `UnsafeCell` to bypass overheads associated with
     /// `RefCell`. There's no direct access to the pointer or mutable reference, so we control how long it
     /// lives and can ensure no multiple mutable references exist.
+    ///
+    /// # Safety
+    ///
+    /// Caller must ensure only one `mut` reference exists at a time.
     #[inline]
-    fn get_rng(&'_ mut self) -> &'_ mut ChaCha12Rng {
+    unsafe fn get_rng(&'_ mut self) -> &'_ mut ChaCha12Rng {
         // Obtain pointer to thread local instance of PRNG which with Rc, should be !Send & !Sync as well
         // as 'static.
         let rng = SOURCE.with(|source| source.get());
 
-        // SAFETY: We must make sure to stop using `rng` before anyone else creates another
-        // mutable reference
-        unsafe { &mut *rng }
+        &mut *rng
     }
 }
 
 impl RngCore for ThreadLocalEntropy {
     #[inline]
     fn next_u32(&mut self) -> u32 {
-        self.get_rng().next_u32()
+        // SAFETY: We must ensure to drop the `&mut rng` ref before creating another
+        // mutable reference
+        unsafe { self.get_rng().next_u32() }
     }
 
     #[inline]
     fn next_u64(&mut self) -> u64 {
-        self.get_rng().next_u64()
+        // SAFETY: We must ensure to drop the `&mut rng` ref before creating another
+        // mutable reference
+        unsafe { self.get_rng().next_u64() }
     }
 
     #[inline]
     fn fill_bytes(&mut self, dest: &mut [u8]) {
-        self.get_rng().fill_bytes(dest);
+        // SAFETY: We must ensure to drop the `&mut rng` ref before creating another
+        // mutable reference
+        unsafe {
+            self.get_rng().fill_bytes(dest);
+        }
     }
 
     #[inline]
     fn try_fill_bytes(&mut self, dest: &mut [u8]) -> Result<(), rand_core::Error> {
-        self.get_rng().try_fill_bytes(dest)
+        // SAFETY: We must ensure to drop the `&mut rng` ref before creating another
+        // mutable reference
+        unsafe { self.get_rng().try_fill_bytes(dest) }
     }
 }
