This fixes a soundness hole in ComObject. The soundness hole is that we should never allow safe Rust code to hold an owned instance of MyApp_Impl objects (implementations of COM objects) because those objects contain reference counts and provide safely-callable methods that adjust those reference counts. If Rust code holds an owned instance of such a type, then we don't control its lifetime; it may be placed on the stack, in a static, etc. and we have no control over that.
This PR closes the soundness hole by providing only one way to get access to any MyApp_Impl type -- these types are immediately placed into a heap allocation and the only way to access them is through a ComObject reference.
A few other minor improvements:
ComObject::as_reference() and friends now work with IInspectable.
Switched vtable pointers to use &'static instead of *const.
Converted some existing From implementations to use safe ComObject code.
Allows "fluid" construction of a ComObject by calling foo.into_object().
This fixes a soundness hole in
ComObject. The soundness hole is that we should never allow safe Rust code to hold an owned instance ofMyApp_Implobjects (implementations of COM objects) because those objects contain reference counts and provide safely-callable methods that adjust those reference counts. If Rust code holds an owned instance of such a type, then we don't control its lifetime; it may be placed on the stack, in astatic, etc. and we have no control over that.This PR closes the soundness hole by providing only one way to get access to any
MyApp_Impltype -- these types are immediately placed into a heap allocation and the only way to access them is through aComObjectreference.A few other minor improvements:
ComObject::as_reference()and friends now work withIInspectable.&'staticinstead of*const.Fromimplementations to use safeComObjectcode.ComObjectby callingfoo.into_object().