-
Notifications
You must be signed in to change notification settings - Fork 523
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Be smarter about the requirement for unsafe
keyword when declaring interface methods
#1782
Comments
I'm not sure exactly what you mean by "smarter" but I noticed in #1506 you talk about making functions which have pointers in their signature unsafe. I think this may not be enough. While writing an implementation for #[windows::core::implement(IExample)]
struct MyComClass {
// ...
}
impl IExample_Impl for MyComClass{
// I am a "safe" COM interface function
fn CreateFoo(&self) -> windows::core::Result<IFoo> {
// DANGER!
// Relies on us being wrapped up in a type generated by the `implement`
// macro but we have no way of knowing if we are.
// If we are not we will do bad pointer arithmetic.
// We just have to trust the caller to keep this invariant.
let i_example: IExample = unsafe { self.cast::<IExample>().unwrap() };
let i_foo: IFoo = CreateDefaultFoo(i_example);
Ok(i_foo)
}
// ...
}
// ...
fn main() {
let my_com_class = MyComClass {};
// Ooops, I forgot to convert into a real COM interface:
// let my_com_class: IExample = my_com_class.into();
// ...
// DANGER!
// I have broken the invariant of MyComClass::cast<I>()
// UB ahead...
my_com_class.CreateFoo();
} It seems like it would be very difficult to predict if an implementer of a COM interface might ever need to use |
This is indeed true, and something we need to fix. We can either make the function unsafe and rely on the user only calling it when a heap allocated and pinned COM interface, or we can somehow ensure that |
unsafe
keyword when declaring interface methods
Originally posted by @rylev in #1486 (comment)
The text was updated successfully, but these errors were encountered: