Polonius workflow

.github/workflows/polonius.diff

@@ -0,0 +1,44 @@
+modified   neqo-http3/src/server.rs
+@@ -120,12 +120,7 @@ impl Http3Server {
+         out: &'a mut Vec<u8>,
+     ) -> Output<&'a [u8]> {
+         qtrace!([self], "Process.");
+-        let mut output = self.server.process_into_buffer(
+-            dgram,
+-            now,
+-            // See .github/workflows/polonius.yml.
+-            unsafe { &mut *std::ptr::from_mut(out) },
+-        );
++        let mut output = self.server.process_into_buffer(dgram, now, out);
+
+         self.process_http3(now);
+
+modified   neqo-transport/src/server.rs
+@@ -445,12 +445,7 @@ impl Server {
+         let mut callback = None;
+
+         for connection in &mut self.connections {
+-            match connection.borrow_mut().process_into_buffer(
+-                None,
+-                now,
+-                // See .github/workflows/polonius.yml.
+-                unsafe { &mut *std::ptr::from_mut(out) },
+-            ) {
++            match connection.borrow_mut().process_into_buffer(None, now, out) {
+                 Output::None => {}
+                 d @ Output::Datagram(_) => return d,
+                 Output::Callback(next) => match callback {
+@@ -490,12 +485,7 @@ impl Server {
+         assert!(out.is_empty());
+
+         let output = if let Some(dgram) = dgram {
+-            self.process_input(
+-                dgram,
+-                now,
+-                // See .github/workflows/polonius.yml.
+-                unsafe { &mut *std::ptr::from_mut(out) },
+-            )
++            self.process_input(dgram, now, out)
+         } else {
+             Output::None
+         };

.github/workflows/polonius.yml

@@ -0,0 +1,62 @@
+# Rustc by default uses the NLL borrow-checker. There are multiple cases where
+# NLL is too restrictive. An upcoming improvement to Rust's borrow-checker,
+# adressing these shortcomings, is Polonius. It ships with Nightly behind a
+# flag.
+#
+# This workflow first removes the workarounds necessary to please NLL and then
+# runs with Polonius to ensure each workaround only fixes the false-positive of
+# NLL only and doesn't mask an actually undefined behavior.
+#
+# See also:
+# - <https://blog.rust-lang.org/inside-rust/2023/10/06/polonius-update.html>
+# - <https://github.com/rust-lang/rust/issues/54663>
+
+name: Polonius
+on:
+  push:
+    branches: ["main"]
+    paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"]
+  pull_request:
+    branches: ["main"]
+    paths-ignore: ["*.md", "*.png", "*.svg", "LICENSE-*"]
+  merge_group:
+  workflow_dispatch:
+env:
+  CARGO_TERM_COLOR: always
+  RUST_BACKTRACE: 1
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref_name }}
+  cancel-in-progress: true
+
+permissions:
+  contents: read
+
+jobs:
+  polonius:
+    strategy:
+      fail-fast: false
+    runs-on: ${{ matrix.os }}
+    defaults:
+      run:
+        shell: bash
+    runs-on: ubuntu-latest
+
+    steps:
+      - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+      - uses: ./.github/actions/rust
+        with:
+          version: nightly
+          token: ${{ secrets.GITHUB_TOKEN }}
+
+      - id: nss-version
+        run: echo "minimum=$(cat neqo-crypto/min_version.txt)" >> "$GITHUB_OUTPUT"
+
+      - uses: ./.github/actions/nss
+        with:
+          minimum-version: ${{ steps.nss-version.outputs.minimum }}
+
+      - name: Apply patch, removing `unsafe` workarounds.
+        run: patch -p1 < .github/workflows/polonius.diff
+
+      - run: RUSTFLAGS="-Z polonius" cargo +nightly check