This fixes a soundness hole in ComObject. The soundness hole is that we should never allow safe Rust code to hold an owned instance of MyApp_Impl objects (implementations of COM objects) because those objects contain reference counts and provide safely-callable methods that adjust those reference counts. If Rust code holds an owned instance of such a type, then we don't control its lifetime; it may be placed on the stack, in a static, etc. and we have no control over that.
This PR closes the soundness hole by providing only one way to get access to any MyApp_Impl type -- these types are immediately placed into a heap allocation and the only way to access them is through a ComObject reference.
A few other minor improvements:
ComObject::as_reference() and friends now work with IInspectable.
Switched vtable pointers to use &'static instead of *const.
Converted some existing From implementations to use safe ComObject code.
Allows "fluid" construction of a ComObject by calling foo.into_object().
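As an added toy model of the invariant this PR enforces (example code, not the project's own; `MyApp`, `MyAppImpl`, `ComObject` and `IntoObject` are assumed names): the `_Impl` stand-in has private fields and no public constructor, so safe code can only reach it boxed behind a `ComObject`, and its safely-callable `add_ref`/`release` methods are sound because the allocation is always on the heap and freed only by the handle when the count reaches zero.

```rust
use std::cell::Cell;

/// The user's implementation type (constructed for this example).
pub struct MyApp { pub value: u32 }

/// Stand-in for a generated `MyApp_Impl`: carries the COM reference count.
/// Private fields and no public constructor, so safe code can only reach it
/// through a `ComObject`, which guarantees it lives in a heap allocation.
pub struct MyAppImpl { refcount: Cell<u32>, inner: MyApp }

impl MyAppImpl {
    pub fn value(&self) -> u32 { self.inner.value }
    pub fn ref_count(&self) -> u32 { self.refcount.get() }
    /// Safe to expose only because every instance is heap-allocated.
    pub fn add_ref(&self) -> u32 { self.refcount.set(self.refcount.get() + 1); self.refcount.get() }
    /// Returns the new count; 0 means the owning allocation may be freed.
    pub fn release(&self) -> u32 { self.refcount.set(self.refcount.get() - 1); self.refcount.get() }
}

/// Owning handle: the only way to obtain, share, or free a `MyAppImpl`.
pub struct ComObject { ptr: *const MyAppImpl }

impl ComObject {
    fn new(inner: MyApp) -> Self {
        ComObject { ptr: Box::into_raw(Box::new(MyAppImpl { refcount: Cell::new(1), inner })) }
    }
    pub fn as_impl(&self) -> &MyAppImpl {
        // Sound: `ptr` came from `Box::into_raw` and is freed only when the count hits 0.
        unsafe { &*self.ptr }
    }
}

impl Clone for ComObject {
    fn clone(&self) -> Self { self.as_impl().add_ref(); ComObject { ptr: self.ptr } }
}

impl Drop for ComObject {
    fn drop(&mut self) {
        if self.as_impl().release() == 0 {
            unsafe { drop(Box::from_raw(self.ptr as *mut MyAppImpl)) };
        }
    }
}

/// "Fluid" construction, mirroring `foo.into_object()`.
pub trait IntoObject { fn into_object(self) -> ComObject; }
impl IntoObject for MyApp {
    fn into_object(self) -> ComObject { ComObject::new(self) }
}
```

Because `MyAppImpl` cannot be built outside this module, there is no safe way to place one on the stack or in a `static`, which is exactly what makes exposing `add_ref`/`release` as safe methods acceptable.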