Open mgeisler opened 1 week ago
One way this is called is through this:
which gets called from e.g. this: https://github.com/mozilla/uniffi-rs/blob/main/uniffi_core/src/ffi/rustfuture/mod.rs#L75
which ultimately ends up being a FFI function.
So the handle
should indeed only be coming from generated code, so if the other uses are correct, the Handle
received in clone_handle
should be correct.
Maybe we should still have that safety documentation somewhere.
Given we make assumptions about a Handle maybe the from_raw
should already be unsafe and have additional documentation.
Again because this should not be called outside of generated code I still think the current code is sound, though would benefit from making those assumptions and guarantees more clear (through docs, unsafe
and/or assertions)
The
clone_handle
andconsume_handle
methods in theHandleAlloc
trait should be unsafe:https://github.com/mozilla/uniffi-rs/blob/cd38ccea8236df7d93aff336c325a3a8e524af5d/uniffi_core/src/ffi_converter_traits.rs#L629-L637
The problem is that you can create a
Handle
with anyu64
value you want in safe Rust:I discussed this with @badboy at RustFest and there is a chance that none of the generated bindings code ever calls it like that. If so, then it should be possible to add
unsafe
to the trait methods and propagate this upwards.