This can be used by any library that has explicit permission for FFI, to "break memory safety" by converting from any arbitrary pointer type to any other pointer type.
Previously, doing this would require compiling a C shim library to be linked into the Savi program. We provide this FFI function as a convenience because FFI use can already compromise memory safety.
As with all other FFI usage, it is intended to be governed by explicitly granted permission in the root application manifest, allowing application authors visibility into and allow-list control over the libraries that are allowed to do unsafe things with FFI.
As with all other FFI usage, application authors should only grant this permission to libraries that they trust to provide a fully safe abstraction over the unsafe internal FFI mechanisms that they use.
This commit also refactors internal code for Array and String to use this new savi_cast_pointer function, and removes a deprecated from_address function that would not be portable to platforms like CHERI (wherein the pointer value includes more beyond just the address).
This can be used by any library that has explicit permission for FFI, to "break memory safety" by converting from any arbitrary pointer type to any other pointer type.
Previously, doing this would require compiling a C shim library to be linked into the Savi program. We provide this FFI function as a convenience because FFI use can already compromise memory safety.
As with all other FFI usage, it is intended to be governed by explicitly granted permission in the root application manifest, allowing application authors visibility into and allow-list control over the libraries that are allowed to do unsafe things with FFI.
As with all other FFI usage, application authors should only grant this permission to libraries that they trust to provide a fully safe abstraction over the unsafe internal FFI mechanisms that they use.
This commit also refactors internal code for Array and String to use this new
savi_cast_pointerfunction, and removes a deprecatedfrom_addressfunction that would not be portable to platforms like CHERI (wherein the pointer value includes more beyond just the address).