Avoid lossy ptr-int transmutes by using AtomicPtr

[saethlin]

This project looks pretty inactive, but it is still used very widely by the ecosystem and Miri detects UB in it that looks unambiguously bad to me, so that's why I'm submitting a patch for it.

Rust doesn't have a formal memory model yet, but as far as we can tell it isn't sound to round-trip a pointer through an integer via transmutes in a compiler which does provenance-based optimizations (which LLVM and basically all modern compilers currently do). The fix here is pretty easy: we store an AtomicPtr instead of an AtomicUsize and we create our sentinel values using the wrapping_ pointer methods.

This PR is very similar to rust-lang/rust#95621.

[Noratrieb]

@yoshuawuyts any chance on getting this merged soon? Would be pretty useful since this crate is causing Miri checking to fail for many crates.

[RalfJung]

Meanwhile, RFC 3559 has been accepted, which states that

This means that a pointer, in general, carries more information than can be captured by an integer type. For instance, transmuting a raw pointer to an array of u8, and then transmuting it back, does not restore the original pointer! (This RFC does not specify what exactly that roundtrip does. Unsafe code authors should conservatively assume that it is UB.)

@yoshuawuyts would be good to see this fix land so this widely-used crate can be brought into the realm of unambiguously sound code. :)

[yoshuawuyts]

I'm trusting @Nilstrieb and @RalfJung that you've looked at this code and determined it correctly upholds the rules. That's good enough for me; thank you! - merging!

[yoshuawuyts]

Published as v3.0.3