DerefMut on Gc<T> allows undefined behaviour

[Frawstcrabs]

As the Gc type implements DerefMut, one can write the following safe code:

let gc_val = Gc::new(5);
let ptr1 = gc_val;
let ptr2 = gc_val;
let ref1 = ptr1.deref_mut();
let ref2 = ptr2.deref_mut();

At this point, there are now two simultaneous mutable references to the same value, which is undefined behaviour.
I would recommend the DerefMut trait be removed from Gc<T> and to leave only Deref, as only immutable references can be safely created for a type managing shared ownership. Those wishing to add mutability should wrap the value in a RefCell<T>, as one would with Rc<T>.

[ltratt]

At first glance, I think you're right (although @jacob-hughes might have a reason why DerefMut is OK, I suspect this is a hangover from an earlier version?). I think it's probably relevant that Rc doesn't implement DerefMut.

[jacob-hughes]

Ouch, good spot. I remember having this discussion @ltratt back when we thinking about gcmalloc's API. I think this got copied over mistakenly. Regardless, you're right this is UB. Thanks for raising.