HandleAlloc::clone_handle and consume_handle should be marked unsafe (#2164)
Comments
One way this is called is through this:

which gets called from e.g. this: https://github.com/mozilla/uniffi-rs/blob/main/uniffi_core/src/ffi/rustfuture/mod.rs#L75

Given we make assumptions about a Handle maybe the

Again because this should not be called outside of generated code I still think the current code is sound, though it would benefit from making those assumptions and guarantees more clear (through docs,
Yeah, I agree that this seems more about

Best I can tell though, we could do all the above without many changes at all - but does that even make sense?

Not sure what I was thinking really - all use of handles is ultimately unsafe and all callers of these already are unsafe, so "all of the above" it is :)
…re all unsafe. Fixes mozilla#2164
The `clone_handle` and `consume_handle` methods in the `HandleAlloc` trait should be unsafe:

uniffi-rs/uniffi_core/src/ffi_converter_traits.rs, lines 629 to 637 in cd38cce

The problem is that you can create a `Handle` with any `u64` value you want in safe Rust:

I discussed this with @badboy at RustFest and there is a chance that none of the generated bindings code ever calls it like that. If so, then it should be possible to add `unsafe` to the trait methods and propagate this upwards.