You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
In order for unsafe code working with generic ReadableProcessBuffer (and WriteableProcessBuffer with #3756 implemented) to trust that their implementations of ptr to be correct, that code needs to either:
Constrain implementations to a fixed and auditable set of ReadableProcessBuffer types, or
Have an unsafe guarantee from trait implementers that the ptr method returns a pointer with the documented requirements.
Note: #![forbid(unsafe_code)] can generally interact with and use an unsafe trait without issue; it primarily affects implementers of the trait itself.
This seems right to me. In other words, the implementations of ReadProcessBufferhas to be trusted even if it doesn't happen to require unsafe to write. So marking the trait unsafe would help ensure that only trusted code is allowed to write this trusted code.
Yes, at the moment any implementer of ReadableProcessBuffer could write fn ptr(&self) -> *const u8 { ptr::null() }. Since there's no safety requirement for trait implementers, that implementation is fine according to soundness rules - thus it's not fine for unsafe code to trust generic ReadableProcessBuffer::ptr output to be a valid pointer.
In order for
unsafe
code working with genericReadableProcessBuffer
(andWriteableProcessBuffer
with #3756 implemented) to trust that their implementations ofptr
to be correct, that code needs to either:ReadableProcessBuffer
types, orunsafe
guarantee from trait implementers that theptr
method returns a pointer with the documented requirements.See How Safe and Unsafe Interact for more info on when
unsafe trait
is needed.The text was updated successfully, but these errors were encountered: