Calling metal::Buffer.label() panics if there is no label set.

[iankronquist]

Calling metal::Buffer.label() panics if there is no label set. In my opinion, it should return an Option<&str> instead, or the empty string if you're looking to avoid a breaking API change.

My code panics with the following message:

unsafe precondition(s) violated: slice::from_raw_parts requires the pointer to be aligned and non-null, and the total size of the slice not to exceed `isize::MAX`
...
   6: metal::nsstring_as_str
             at /Users/ian/.cargo/registry/src/index.crates.io-6f17d22bba15001f/metal-0.31.0/src/lib.rs:74:21

Looking at the implementation we see:

fn nsstring_as_str(nsstr: &objc::runtime::Object) -> &str {
    let bytes = unsafe {
        let bytes: *const std::os::raw::c_char = msg_send![nsstr, UTF8String];
        bytes as *const u8
    };
    let len: NSUInteger = unsafe { msg_send![nsstr, length] };
    unsafe {
        let bytes = std::slice::from_raw_parts(bytes, len as usize);
        std::str::from_utf8(bytes).unwrap()
    }
}

There is no check that bytes is not null.

Also, if we look at the docs for UTF8String we can see this warning:

This C string is a pointer to a structure inside the string object, which may have a lifetime shorter than the string object and will certainly not have a longer lifetime. Therefore, you should copy the C string if it needs to be stored outside of the memory context in which you use this property.

This makes me worried that the library's approach to handling NSStrings can lead to use after frees.