Mark unsound public methods as private utility functions #445
Conversation
definitions/src/asm.rs
Outdated
| /// valid for the lifetime of the returned slice. | ||
| /// | ||
| /// Failing to satisfy these conditions results in undefined behavior. | ||
| pub unsafe fn cast_ptr_to_slice(&self, ptr: u64, offset: usize, size: usize) -> &[u8] { |
There was a problem hiding this comment.
This unsafe causes breaking changes. We can improve it by moving it to ckb-vm internal and marking it as pub(crate). This is also a breaking change but more intuitive.
There was a problem hiding this comment.
Break changes involving unsoundness can be made without break versions, this is a safety fix
There was a problem hiding this comment.
I would suggest taking a step back here: why are those 2 methods of AsmCoreMachine, when they can just be utility functions? Also, why are they made public? I don't see a use case exposing them to the public.
Maybe we should just make them private functions. To me, current changes simply shift the unsafe block from one place to another, they don't really address the fundamental problem.
There was a problem hiding this comment.
- This notation actually implies that
&[u8]and&selfhave the same lifetime. cast_ptr_to_sliceis defined in the ckb-vm-definitions crate, but will be used from the ckb-vm crate.
There was a problem hiding this comment.
To me a change like this solves the issue.
We can also then decide if we want to keep the unsafe part internally in cast_ptr_to_slice's function body, or expose the unsafe part in the function signature. Either way, it will only affect the internal implementation of ckb-vm, no visible part will be exposed to the outside.
mohanson
force-pushed
the
unsafe_cast
branch
from
2a96898
to
4119bfc
Compare
mohanson
changed the title
Fix #444