Prefer &self for COM interface traits
#1511
Conversation
| Ok(self.0.as_mut_ptr()) | ||
| fn Buffer(&self) -> Result<*mut u8> { | ||
| unsafe { | ||
| let writer: &mut Self = &mut *(self as *const _ as *mut Self); |
There was a problem hiding this comment.
This kind of cast is unsound- because self is a shared reference, producing a unique reference from it has immediate undefined behavior. (The same thing applies to the into_impl and implement_data_object tests.)
For this to work you will need some kind of interior mutability to make *mut access legal at all, and also some care to avoid invalidating (in the language-lawyer, avoiding-miscompilation sense) the *mut u8s you hand out if Buffer gets called multiple times. For reference, the current candidate for the actual rules here is Stacked Borrows, and you can test compliance with those rules using Miri.
There was a problem hiding this comment.
Yep, this is just to let the tests pass without writing a full RwLock implementation as I did for the vector test.
Is there a simple way to write this test that is not UB even if it is wildly unsafe? IBufferByteAccess is wildly unsafe to begin with. I'd just prefer not to have to write each test with something like RwLock if I can help it.
There was a problem hiding this comment.
Yes- the lowest level form of interior mutability is UnsafeCell, which directly gives you a *mut to its contents.
For example, this passes under Miri (Tools > Miri in the upper right): https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=abb63fe3c9e3a30f9d274f6111bdd6d9
There was a problem hiding this comment.
Thanks, will update the tests to use UnsafeCell.
The "implement_vector" test illustrates one way to mutate within an implementation using a
RwLock.Fixes #1497