push_next() is totally unsafe because of dereferencing a chain of p_next pointers to find the end of the chain to insert, which was obfuscated by a large unsafe block for the BaseOutStructure pointer cast in commit c8c8f69a ("next can contain a pointer chain and we need to correct insert it.").
While this function should definitely be marked unsafe, wrapping builders in unsafe {} en masse in user code isn't all too desirable, especially when this soundness issue only exists to optionally walk a p_next chain while most users are likely inserting bare structs without pointer chains most of the time. push_next_one() is introduced for this reason, remaining safe to call without any unintended raw pointer dereferences.
Fixes #905
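
A simplified model of the two insertion paths described above, added here as an illustration; it is not code from the project or from this commit. `Node`, `chain_types()` and the null check in `push_next_one()` are assumptions of the example, and the lifetimes that would tie borrowed structs to the builder are omitted.

```rust
use std::ptr;

/// Constructed stand-in for a Vulkan struct header (`s_type` + `p_next`).
#[repr(C)]
pub struct Node {
    pub s_type: u32,
    pub p_next: *mut Node,
}

impl Node {
    pub fn new(s_type: u32) -> Self {
        Node { s_type, p_next: ptr::null_mut() }
    }

    /// Prepends `next` plus any chain already hanging off it.
    /// # Safety
    /// Every pointer reachable via `next.p_next` must be live and writable;
    /// the loop dereferences each one to find the tail.
    pub unsafe fn push_next(&mut self, next: &mut Node) -> &mut Self {
        let head: *mut Node = next;
        let mut last = head;
        unsafe {
            while !(*last).p_next.is_null() {
                last = (*last).p_next;
            }
            (*last).p_next = self.p_next;
        }
        self.p_next = head;
        self
    }

    /// Prepends exactly one struct without dereferencing any raw pointer.
    /// Rejecting an existing chain is this example's assumption.
    pub fn push_next_one(&mut self, next: &mut Node) -> &mut Self {
        assert!(next.p_next.is_null(), "expected a struct without a p_next chain");
        next.p_next = self.p_next;
        self.p_next = next;
        self
    }

    /// `s_type` of every struct after `self`. Safety: the chain must be live.
    pub unsafe fn chain_types(&self) -> Vec<u32> {
        let (mut out, mut cur) = (Vec::new(), self.p_next);
        while let Some(n) = unsafe { cur.as_ref() } {
            out.push(n.s_type);
            cur = n.p_next;
        }
        out
    }
}
```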