Maybe BufMut trait should be unsafe?
#329
Comments
|
What does making the trait unsafe gain over making individual fns unsafe? |
|
They are different things and I believe making |
|
I don't know about making the trait itself |
|
I tried to search for them and I must say I didn't find anything that clearly, undeniably relies on correctness of the implementation. Or in other words, I didn't find any code in the wild that is safe and would cause UB if the trait wasn't implemented correctly. Yet. Keeping it safe seems like a footgun, but admittedly there being at least one |
|
I think it's reasonable to judge that the correctness of calling an unsafe trait method is subject to the implementation of that trait complying with the trait's documented interface, but this does seem a bit unclear; maybe something to raise at the rust guidelines level? |
|
According to https://doc.rust-lang.org/nomicon/safe-unsafe-meaning.html
So it seems that the question boils down to can One thing that occurred to me is that while a method is |
|
What is an example of unsafe code that relies/would rely on those requirements? |
|
Let's assume for instance that the ability to rewind gets implemented by suggested traits as discussed in #330. Naturally, the desire to add |
|
What is some specific code that relies on that specific requirement? |
pub struct Rewindable<B: BufMut> {
buf: B,
offset: usize,
}
impl<B: BufMut> Rewindable<B> {
pub fn written(&mut self) -> &mut [u8] {
unsafe {
// Safety: we track how much data was written in `offset` field,
// So unless `bytes_mut` returns a different buffer, then that memory is initialized.
self.buf.bytes_mut()[..self.offset].assume_init_mut()
}
}
}
impl<B: BufMut> BufMut for Rewindable<B> {
// ...
unsafe fn advance(&mut self, amount: usize) {
self.offset += amount;
}
} |
|
That won't work with non-contiguous BufMut implementations anyway. |
|
Double checking again, |
|
But it is possible to implement |
|
In that case |
|
How is |
|
|
@Kixunil You are correct that a caller of |
Users of `BufMut` are unable to defend against incorrect implementations of `BufMut`, this makes the trait unsafe to implement. Fixes #329
Users of `BufMut` are unable to defend against incorrect implementations of `BufMut`, this makes the trait unsafe to implement. Fixes #329
I was thinking that it's likely that some
unsafecode will rely on properties ofBufMut. More specifically:remaining_mutreturns correct valuebytes_mutalways returns the same slice (apart fromadvance())has_remaining_mutreturns correct valuebytes_vectoredfills the correct dataThus, I'd suggest making the trait
unsafeto specify thatunsafecode might rely on those properties and the implementors must ensure they hold.The text was updated successfully, but these errors were encountered: