Make GraphicsContext::window_mut() an unsafe fn.

As documented in the new safety comment, providing `&mut` access to an inner component about which there are consistency invariants is unsafe, because `&mut` is sufficient for a caller to completely replace the value (using assignment or `std::mem::swap()`). Luckily, when `softbuffer` is used with `winit`, no `&mut` access is needed. However, other windowing libraries such as `glfw` and `sdl2` do have `&mut` methods, so this method can't simply be removed. This is a breaking change since it makes a previously safe function unsafe, and should not be published without a major version bump (i.e. to `0.2.0` or higher).
rust-windowing · May 26, 2022 · 92624e5 · 92624e5
1 parent 08883d7
commit 92624e5
Showing 1 changed file with 16 additions and 3 deletions.
diff --git a/src/lib.rs b/src/lib.rs
@@ -62,15 +62,28 @@ impl<W: HasRawWindowHandle> GraphicsContext<W> {
         })
     }
 
-    /// Gets shared access to the underlying window
+    /// Gets shared access to the underlying window.
     #[inline]
     pub fn window(&self) -> &W {
         &self.window
     }
 
-    /// Gets mut/exclusive access to the underlying window
+    /// Gets mut/exclusive access to the underlying window.
+    ///
+    /// This method is `unsafe` because it could be used to replace the window with another one,
+    /// thus dropping the original window and violating the property that this [`GraphicsContext`]
+    /// will always be destroyed before the window it writes into. This method should only be used
+    /// when the window type in use requires mutable access to perform some action on an existing
+    /// window.
+    ///
+    /// # Safety
+    ///
+    /// - After the returned mutable reference is dropped, the window must still be the same window
+    ///   which this [`GraphicsContext`] was created for; and within that window, the
+    ///   platform-specific configuration for 2D drawing must not have been modified. (For example,
+    ///   on macOS the view hierarchy of the window must not have been modified.)
     #[inline]
-    pub fn window_mut(&mut self) -> &mut W {
+    pub unsafe fn window_mut(&mut self) -> &mut W {
         &mut self.window
     }