refactor(mdb)!: Add marker for Message (#110)

This should reduce the likelihood that unsafe code accidentally pass a `Message` without a lifetime to safe code, which would make the code unsound. This commit does not address any known soundness issues. --------- Co-authored-by: Philip Johansson <philjn@axis.com>
AxisCommunications · Nov 14, 2024 · 2623a42 · 2623a42
1 parent dbf8359
commit 2623a42
Show file tree

Hide file tree

Showing 2 changed files with 11 additions and 7 deletions.
diff --git a/apps-aarch64.checksum b/apps-aarch64.checksum
@@ -1,6 +1,6 @@
 0018f1c3b46545bebbef794b68900c254a7785e7  target-aarch64/acap/axstorage_example_0_0_0_aarch64.eap
 10227865e8dadfeeda0e4a3c1a0d88ed18bc019a  target-aarch64/acap/bounding_box_example_0_0_0_aarch64.eap
-15416f9c686a3b46560db9e79b0e83f9419c4302  target-aarch64/acap/consume_analytics_metadata_0_0_0_aarch64.eap
+c11772e7188d741a7a13225dbb14c8e059aee060  target-aarch64/acap/consume_analytics_metadata_0_0_0_aarch64.eap
 51f9e2ce6cfc81264afa310c9c51ee05ff45666d  target-aarch64/acap/embedded_web_page_0_0_0_aarch64.eap
 da794d700cc407d5692e7387e5f8af3a56c29bea  target-aarch64/acap/hello_world_0_0_0_aarch64.eap
 df34073ade39bb4331ae5cc550616f41a7dc0efa  target-aarch64/acap/inspect_env_0_0_0_aarch64.eap

diff --git a/crates/mdb/src/lib.rs b/crates/mdb/src/lib.rs
@@ -7,6 +7,7 @@ use std::{
     any,
     ffi::CStr,
     fmt::{Debug, Display, Formatter},
+    marker::PhantomData,
     slice::from_raw_parts,
 };
 
@@ -25,7 +26,7 @@ macro_rules! suppress_unwind {
     };
 }
 
-type OnMessage = dyn FnMut(&Message) + Send + 'static;
+type OnMessage = dyn FnMut(Message) + Send + 'static;
 type OnError = dyn FnMut(&Error) + Send + 'static;
 type OnDone = dyn FnMut(Option<&Error>) + Send + 'static;
 
@@ -211,7 +212,7 @@ impl SubscriberConfig {
             debug!("Retrieving callback...");
             let user_data = user_data as *mut Box<OnMessage>;
             debug!("Calling callback...");
-            (*user_data)(&message);
+            (*user_data)(message);
         });
     }
 }
@@ -315,14 +316,17 @@ unsafe impl<'a> Send for Subscriber<'a> {}
 // implementation until it is needed or the Send and Sync properties are clearly guaranteed by
 // the C API.
 
-pub struct Message {
+pub struct Message<'a> {
     ptr: *const mdb_sys::mdb_message_t,
+    _marker: PhantomData<&'a mdb_sys::mdb_message_t>,
 }
 
-impl Message {
+impl Message<'_> {
     unsafe fn from_raw(ptr: *const mdb_sys::mdb_message_t) -> Self {
-        // TODO: Can we encode that this is never owned?
-        Self { ptr }
+        Self {
+            ptr,
+            _marker: PhantomData,
+        }
     }
     pub fn payload(&self) -> &[u8] {
         unsafe {