Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Mark unsound public methods as private utility functions #445

Merged
merged 3 commits into from
Nov 28, 2024

Conversation

mohanson
Copy link
Collaborator

Fix #444

XuJiandong
XuJiandong previously approved these changes Nov 27, 2024
/// valid for the lifetime of the returned slice.
///
/// Failing to satisfy these conditions results in undefined behavior.
pub unsafe fn cast_ptr_to_slice(&self, ptr: u64, offset: usize, size: usize) -> &[u8] {
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This unsafe causes breaking changes. We can improve it by moving it to ckb-vm internal and marking it as pub(crate). This is also a breaking change but more intuitive.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Break changes involving unsoundness can be made without break versions, this is a safety fix

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would suggest taking a step back here: why are those 2 methods of AsmCoreMachine, when they can just be utility functions? Also, why are they made public? I don't see a use case exposing them to the public.

Maybe we should just make them private functions. To me, current changes simply shift the unsafe block from one place to another, they don't really address the fundamental problem.

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

  1. This notation actually implies that &[u8] and &self have the same lifetime.
  2. cast_ptr_to_slice is defined in the ckb-vm-definitions crate, but will be used from the ckb-vm crate.

Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

To me a change like this solves the issue.

We can also then decide if we want to keep the unsafe part internally in cast_ptr_to_slice's function body, or expose the unsafe part in the function signature. Either way, it will only affect the internal implementation of ckb-vm, no visible part will be exposed to the outside.

@mohanson mohanson requested a review from xxuejie November 27, 2024 08:23
@mohanson mohanson changed the title Marking cast_ptr_to_slice and cast_ptr_to_slice_mut unsafe Mark unsound public methods as private utility functions Nov 28, 2024
@mohanson mohanson merged commit abe964e into nervosnetwork:develop Nov 28, 2024
11 checks passed
@mohanson mohanson deleted the unsafe_cast branch November 28, 2024 01:41
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unsoundness in cast_ptr_to_slice
4 participants