Fully describe safety requirements

Currently we have a wildcard on safety requirements, saying more or less "plus a bunch of other stuff we don't mention". This is not helpful. Attempt to fully describe the safety requirements of creating a context from a raw context (all, signing only, and verification only). Fix: rust-bitcoin#544
tcharding · Dec 8, 2022 · ef6836d · ef6836d
1 parent 29c1363
commit ef6836d
Showing 1 changed file with 24 additions and 23 deletions.
diff --git a/src/context.rs b/src/context.rs
@@ -352,14 +352,15 @@ impl<'buf> Secp256k1<AllPreallocated<'buf>> {
     /// Creates a context from a raw context.
     ///
     /// # Safety
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * Violating these may lead to Undefined Behavior.
     ///
+    /// This is highly unsafe due to the number of conditions that aren't checked, specifically:
+    ///
+    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer that was generated by *exactly*
+    ///   the same code/version of the libsecp256k1 used here.
+    /// * The capabilities (`All`/`SignOnly`/`VerifyOnly`) of the context *must* match the flags
+    ///   passed to libsecp256k1 when generating the context.
+    /// * The user must handle the freeing of the context (using the correct functions) by himself.
+    /// * `raw_ctx` must point to writable memory (cannot be `ffi::secp256k1_context_no_precomp`).
     pub unsafe fn from_raw_all(
         raw_ctx: NonNull<ffi::Context>,
     ) -> ManuallyDrop<Secp256k1<AllPreallocated<'buf>>> {
@@ -379,18 +380,18 @@ impl<'buf> Secp256k1<SignOnlyPreallocated<'buf>> {
     #[inline]
     pub fn preallocate_signing_size() -> usize { Self::preallocate_size_gen() }
 
-    /// Creates a context from a raw context.
+    /// Creates a context from a raw context that can only be used for signing.
     ///
     /// # Safety
     ///
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * This list *is not* exhaustive, and any violation may lead to Undefined Behavior.
+    /// This is highly unsafe due to the number of conditions that aren't checked, specifically:
     ///
+    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer that was generated by *exactly*
+    ///   the same code/version of the libsecp256k1 used here.
+    /// * The capabilities (`All`/`SignOnly`/`VerifyOnly`) of the context *must* match the flags
+    ///   passed to libsecp256k1 when generating the context.
+    /// * The user must handle the freeing of the context (using the correct functions) by himself.
+    /// * `raw_ctx` must point to writable memory (cannot be `ffi::secp256k1_context_no_precomp`).
     pub unsafe fn from_raw_signing_only(
         raw_ctx: NonNull<ffi::Context>,
     ) -> ManuallyDrop<Secp256k1<SignOnlyPreallocated<'buf>>> {
@@ -410,18 +411,18 @@ impl<'buf> Secp256k1<VerifyOnlyPreallocated<'buf>> {
     #[inline]
     pub fn preallocate_verification_size() -> usize { Self::preallocate_size_gen() }
 
-    /// Creates a context from a raw context.
+    /// Creates a context from a raw context that can only be used for verification.
     ///
     /// # Safety
     ///
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * This list *is not* exhaustive, and any violation may lead to Undefined Behavior.
+    /// This is highly unsafe due to the number of conditions that aren't checked, specifically:
     ///
+    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer that was generated by *exactly*
+    ///   the same code/version of the libsecp256k1 used here.
+    /// * The capabilities (`All`/`SignOnly`/`VerifyOnly`) of the context *must* match the flags
+    ///   passed to libsecp256k1 when generating the context.
+    /// * The user must handle the freeing of the context (using the correct functions) by himself.
+    /// * `raw_ctx` must point to writable memory (cannot be `ffi::secp256k1_context_no_precomp`).
     pub unsafe fn from_raw_verification_only(
         raw_ctx: NonNull<ffi::Context>,
     ) -> ManuallyDrop<Secp256k1<VerifyOnlyPreallocated<'buf>>> {