push_next() is totally unsafe because of dereferencing a chain of p_next pointers to find the end of the chain to insert, which was obfuscated by a large unsafe block for the BaseOutStructure pointer cast in commit c8c8f69a ("next can contain a pointer chain and we need to correct insert it.").
While this function should definitely be marked unsafe, wrapping builders in unsafe {} en masse in user code isn't all too desirable, especially when this soundness issue only exists to optionally walk a p_next chain while most users are likely inserting bare structs without pointer chains most of the time. push_next_one() is introduced for this reason, remaining safe to call without any unintended raw pointer dereferences.
Fixes #905
push_next()is totallyunsafebecause of dereferencing a chain ofp_nextpointers to find the end of the chain to insert, which was obfuscated by a largeunsafeblock for theBaseOutStructurepointer cast in commit c8c8f69a ("nextcan contain a pointer chain and we need to correct insert it.").While this function should definitely be marked unsafe, wrapping builders in
unsafe {}en masse in user code isn't all too desirable, especially when this soundness issue only exists to optionally walk ap_nextchain while most users are likely inserting bare structs without pointer chains most of the time.push_next_one()is introduced for this reason, remaining safe to call without any unintended raw pointer dereferences.