generator: Mark QNX c_void types as opaque to get raw pointers
#950
Conversation
Long ago in #339 I added "opaque" types to ensure that pointers to it stay as pointers in FFI rather than get converted to `&mut` borrows which don't carry the load of an arbitrary pointer value to "something unknown" (= opaque). When the QNX types were added in #429 and #760 some time later, they weren't added to this list and turned into borrows making them impossible to be handled safely in user code.
They can't be handled safely regardless, I think, but at least we can have useful setters. |
|
@Ralith wrong wording, I think I meant UB. There are likely more safety constraints on |
|
I think it's actually okay to synthesize references to ZSTs? But the lifetime isn't doing any good here. |
|
Makes sense. What is your verdict on |
|
That's a tricky case, since unlike a windowing handle it seems like it theoretically could address a value on the stack and readily benefit from lifetime checking. So long as we're defining it ourselves/as c_void, that's difficult but not strictly impossible for a user to take advantage of--typically going through pointer casts will erase lifetime information, but you can put it back if you really want. Do we know where they come from, and in what form? |
|
It's just a POD but with a pointer to a "security descriptor". Looks like the caller is expected to create it as follows: Either way it's allowed to be |
|
API-wise, I wonder if what we're doing here is a semver break since the target type remains the same, and the original |
Fixes #949
Long ago in #339 I added "opaque" types to ensure that pointers to it stay as pointers in FFI rather than get converted to
&mutborrows which don't carry the load of an arbitrary pointer value to "something unknown" (= opaque). When the QNX types were added in #429 and #760 some time later, they weren't added to this list and turned into borrows making them impossible to be handled safely in user code.Note that only
SECURITY_ATTRIBUTESremains as a borrow of ac_void, which should probably be changed in some way too. If not in the least because the raw pointer is allowed to beNULL.