Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Remove actual unsafety in hdr #985

Merged
merged 1 commit into from
Jul 8, 2019
Merged

Conversation

HeroicKatora
Copy link
Member

Third part of the effort of removing unsafe from the library, the hdr
decoder actually required an interface change. Several other instances
had been removed in earlier commits. The method would use Vec::set_len
even though it did not have full control over the type parameter, as it
was a public interface.

Now simply requires the memory into which to emplace the result to be
provided and allocated externally. This makes the callers responsible
for correct optimization.

Removes the optimization for the library internal structures; it is
expected that the compiler picks up on the pattern well enough for it to
not be the main bottleneck.

Leaves the instances that are deprecated methods, they should enjoy some
deprecation period afterall and are not inherently bad as they are
correctly marked with unsafe themselves.

Closes: #980

Third part of the effort of removing `unsafe` from the library, the hdr
decoder actually required an interface change. Several other instances
had been removed in earlier commits. The method would use `Vec::set_len`
even though it did not have full control over the type parameter, as it
was a public interface.

Now simply requires the memory into which to emplace the result to be
provided and allocated externally. This makes the callers responsible
for correct optimization.

Removes the optimization for the library internal structures; it is
expected that the compiler picks up on the pattern well enough for it to
not be the main bottleneck.

Leaves the instances that are deprecated methods, they should enjoy some
deprecation period afterall and are not inherently bad as they are
correctly marked with `unsafe` themselves.

Co-Authored-By: Andreas Molzer <andreas.molzer@gmx.de>
@HeroicKatora HeroicKatora requested a review from fintelia July 8, 2019 01:50
@Shnatsel
Copy link
Contributor

Do I understand correctly that this code could potentially drop uninitialized memory of arbitrary type?

@HeroicKatora
Copy link
Member Author

HeroicKatora commented Aug 31, 2019

I fear so, but I didn't realize until a few days ago that it was actually that severe in the old interface, was always under the impression that our own type (non-Drop) would be dropped, not the type parameter. Hence the backport.

@Shnatsel Thanks for the reminder, should probably get an advisory for this.

@Shnatsel
Copy link
Contributor

Yeah, please open a RustSec advisory: https://github.com/RustSec/advisory-db
Let me know if you need any help.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unnecessary unsafety in HDR decoder
3 participants