Rust soundness fixes (#7518)

* Rust soundness fixes * Second pass * Make init_from_table unsafe * Remove SafeSliceAccess * Clippy * Remove create_vector_of_strings * More clippy * Remove deprecated root type accessors * More soundness fixes * Fix EndianScalar for bool * Add TriviallyTransmutable * Add debug assertions * Review comments * Review feedback
2026-06-27 18:18:07 +00:00 · 2022-09-29 14:58:49 +01:00
parent dadbff5714
commit 374f8fb5fb
102 changed files with 2673 additions and 2035 deletions
--- a/tests/arrays_test/my_game/example/array_struct_generated.rs
+++ b/tests/arrays_test/my_game/example/array_struct_generated.rs
@@ -32,39 +32,25 @@ impl core::fmt::Debug for ArrayStruct {
 }

 impl flatbuffers::SimpleToVerifyInSlice for ArrayStruct {}
-impl flatbuffers::SafeSliceAccess for ArrayStruct {}
 impl<'a> flatbuffers::Follow<'a> for ArrayStruct {
  type Inner = &'a ArrayStruct;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
    <&'a ArrayStruct>::follow(buf, loc)
  }
 }
 impl<'a> flatbuffers::Follow<'a> for &'a ArrayStruct {
  type Inner = &'a ArrayStruct;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
    flatbuffers::follow_cast_ref::<ArrayStruct>(buf, loc)
  }
 }
 impl<'b> flatbuffers::Push for ArrayStruct {
    type Output = ArrayStruct;
    #[inline]
-    fn push(&self, dst: &mut [u8], _rest: &[u8]) {
-        let src = unsafe {
-            ::core::slice::from_raw_parts(self as *const ArrayStruct as *const u8, Self::size())
-        };
-        dst.copy_from_slice(src);
-    }
-}
-impl<'b> flatbuffers::Push for &'b ArrayStruct {
-    type Output = ArrayStruct;
-
-    #[inline]
-    fn push(&self, dst: &mut [u8], _rest: &[u8]) {
-        let src = unsafe {
-            ::core::slice::from_raw_parts(*self as *const ArrayStruct as *const u8, Self::size())
-        };
+    unsafe fn push(&self, dst: &mut [u8], _written_len: usize) {
+        let src = ::core::slice::from_raw_parts(self as *const ArrayStruct as *const u8, Self::size());
        dst.copy_from_slice(src);
    }
 }
@@ -104,64 +90,88 @@ impl<'a> ArrayStruct {
  }

  pub fn a(&self) -> f32 {
-    let mut mem = core::mem::MaybeUninit::<f32>::uninit();
-    unsafe {
+    let mut mem = core::mem::MaybeUninit::<<f32 as EndianScalar>::Scalar>::uninit();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
+    EndianScalar::from_little_endian(unsafe {
      core::ptr::copy_nonoverlapping(
        self.0[0..].as_ptr(),
        mem.as_mut_ptr() as *mut u8,
-        core::mem::size_of::<f32>(),
+        core::mem::size_of::<<f32 as EndianScalar>::Scalar>(),
      );
      mem.assume_init()
-    }.from_little_endian()
+    })
  }

  pub fn set_a(&mut self, x: f32) {
    let x_le = x.to_little_endian();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
    unsafe {
      core::ptr::copy_nonoverlapping(
-        &x_le as *const f32 as *const u8,
+        &x_le as *const _ as *const u8,
        self.0[0..].as_mut_ptr(),
-        core::mem::size_of::<f32>(),
+        core::mem::size_of::<<f32 as EndianScalar>::Scalar>(),
      );
    }
  }

  pub fn b(&'a self) -> flatbuffers::Array<'a, i32, 15> {
-    flatbuffers::Array::follow(&self.0, 4)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 4) }
  }

  pub fn set_b(&mut self, items: &[i32; 15]) {
-    flatbuffers::emplace_scalar_array(&mut self.0, 4, items);
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::emplace_scalar_array(&mut self.0, 4, items) };
  }

  pub fn c(&self) -> i8 {
-    let mut mem = core::mem::MaybeUninit::<i8>::uninit();
-    unsafe {
+    let mut mem = core::mem::MaybeUninit::<<i8 as EndianScalar>::Scalar>::uninit();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
+    EndianScalar::from_little_endian(unsafe {
      core::ptr::copy_nonoverlapping(
        self.0[64..].as_ptr(),
        mem.as_mut_ptr() as *mut u8,
-        core::mem::size_of::<i8>(),
+        core::mem::size_of::<<i8 as EndianScalar>::Scalar>(),
      );
      mem.assume_init()
-    }.from_little_endian()
+    })
  }

  pub fn set_c(&mut self, x: i8) {
    let x_le = x.to_little_endian();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
    unsafe {
      core::ptr::copy_nonoverlapping(
-        &x_le as *const i8 as *const u8,
+        &x_le as *const _ as *const u8,
        self.0[64..].as_mut_ptr(),
-        core::mem::size_of::<i8>(),
+        core::mem::size_of::<<i8 as EndianScalar>::Scalar>(),
      );
    }
  }

  pub fn d(&'a self) -> flatbuffers::Array<'a, NestedStruct, 2> {
-    flatbuffers::Array::follow(&self.0, 72)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 72) }
  }

  pub fn set_d(&mut self, x: &[NestedStruct; 2]) {
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
    unsafe {
      core::ptr::copy(
        x.as_ptr() as *const u8,
@@ -172,34 +182,46 @@ impl<'a> ArrayStruct {
  }

  pub fn e(&self) -> i32 {
-    let mut mem = core::mem::MaybeUninit::<i32>::uninit();
-    unsafe {
+    let mut mem = core::mem::MaybeUninit::<<i32 as EndianScalar>::Scalar>::uninit();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
+    EndianScalar::from_little_endian(unsafe {
      core::ptr::copy_nonoverlapping(
        self.0[136..].as_ptr(),
        mem.as_mut_ptr() as *mut u8,
-        core::mem::size_of::<i32>(),
+        core::mem::size_of::<<i32 as EndianScalar>::Scalar>(),
      );
      mem.assume_init()
-    }.from_little_endian()
+    })
  }

  pub fn set_e(&mut self, x: i32) {
    let x_le = x.to_little_endian();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
    unsafe {
      core::ptr::copy_nonoverlapping(
-        &x_le as *const i32 as *const u8,
+        &x_le as *const _ as *const u8,
        self.0[136..].as_mut_ptr(),
-        core::mem::size_of::<i32>(),
+        core::mem::size_of::<<i32 as EndianScalar>::Scalar>(),
      );
    }
  }

  pub fn f(&'a self) -> flatbuffers::Array<'a, i64, 2> {
-    flatbuffers::Array::follow(&self.0, 144)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 144) }
  }

  pub fn set_f(&mut self, items: &[i64; 2]) {
-    flatbuffers::emplace_scalar_array(&mut self.0, 144, items);
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::emplace_scalar_array(&mut self.0, 144, items) };
  }

  pub fn unpack(&self) -> ArrayStructT {
--- a/tests/arrays_test/my_game/example/array_table_generated.rs
+++ b/tests/arrays_test/my_game/example/array_table_generated.rs
@@ -19,8 +19,8 @@ pub struct ArrayTable<'a> {
 impl<'a> flatbuffers::Follow<'a> for ArrayTable<'a> {
  type Inner = ArrayTable<'a>;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
-    Self { _tab: flatbuffers::Table { buf, loc } }
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+    Self { _tab: flatbuffers::Table::new(buf, loc) }
  }
 }

@@ -32,7 +32,7 @@ impl<'a> ArrayTable<'a> {
  }

  #[inline]
-  pub fn init_from_table(table: flatbuffers::Table<'a>) -> Self {
+  pub unsafe fn init_from_table(table: flatbuffers::Table<'a>) -> Self {
    ArrayTable { _tab: table }
  }
  #[allow(unused_mut)]
@@ -56,7 +56,10 @@ impl<'a> ArrayTable<'a> {

  #[inline]
  pub fn a(&self) -> Option<&'a ArrayStruct> {
-    self._tab.get::<ArrayStruct>(ArrayTable::VT_A, None)
+    // Safety:
+    // Created from valid Table for this object
+    // which contains a valid value in this slot
+    unsafe { self._tab.get::<ArrayStruct>(ArrayTable::VT_A, None)}
  }
 }

@@ -139,18 +142,6 @@ impl ArrayTableT {
    })
  }
 }
-#[inline]
-#[deprecated(since="2.0.0", note="Deprecated in favor of `root_as...` methods.")]
-pub fn get_root_as_array_table<'a>(buf: &'a [u8]) -> ArrayTable<'a> {
-  unsafe { flatbuffers::root_unchecked::<ArrayTable<'a>>(buf) }
-}
-
-#[inline]
-#[deprecated(since="2.0.0", note="Deprecated in favor of `root_as...` methods.")]
-pub fn get_size_prefixed_root_as_array_table<'a>(buf: &'a [u8]) -> ArrayTable<'a> {
-  unsafe { flatbuffers::size_prefixed_root_unchecked::<ArrayTable<'a>>(buf) }
-}
-
 #[inline]
 /// Verifies that a buffer of bytes contains a `ArrayTable`
 /// and returns it.
--- a/tests/arrays_test/my_game/example/nested_struct_generated.rs
+++ b/tests/arrays_test/my_game/example/nested_struct_generated.rs
@@ -30,39 +30,25 @@ impl core::fmt::Debug for NestedStruct {
 }

 impl flatbuffers::SimpleToVerifyInSlice for NestedStruct {}
-impl flatbuffers::SafeSliceAccess for NestedStruct {}
 impl<'a> flatbuffers::Follow<'a> for NestedStruct {
  type Inner = &'a NestedStruct;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
    <&'a NestedStruct>::follow(buf, loc)
  }
 }
 impl<'a> flatbuffers::Follow<'a> for &'a NestedStruct {
  type Inner = &'a NestedStruct;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
    flatbuffers::follow_cast_ref::<NestedStruct>(buf, loc)
  }
 }
 impl<'b> flatbuffers::Push for NestedStruct {
    type Output = NestedStruct;
    #[inline]
-    fn push(&self, dst: &mut [u8], _rest: &[u8]) {
-        let src = unsafe {
-            ::core::slice::from_raw_parts(self as *const NestedStruct as *const u8, Self::size())
-        };
-        dst.copy_from_slice(src);
-    }
-}
-impl<'b> flatbuffers::Push for &'b NestedStruct {
-    type Output = NestedStruct;
-
-    #[inline]
-    fn push(&self, dst: &mut [u8], _rest: &[u8]) {
-        let src = unsafe {
-            ::core::slice::from_raw_parts(*self as *const NestedStruct as *const u8, Self::size())
-        };
+    unsafe fn push(&self, dst: &mut [u8], _written_len: usize) {
+        let src = ::core::slice::from_raw_parts(self as *const NestedStruct as *const u8, Self::size());
        dst.copy_from_slice(src);
    }
 }
@@ -98,41 +84,59 @@ impl<'a> NestedStruct {
  }

  pub fn a(&'a self) -> flatbuffers::Array<'a, i32, 2> {
-    flatbuffers::Array::follow(&self.0, 0)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 0) }
  }

  pub fn set_a(&mut self, items: &[i32; 2]) {
-    flatbuffers::emplace_scalar_array(&mut self.0, 0, items);
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::emplace_scalar_array(&mut self.0, 0, items) };
  }

  pub fn b(&self) -> TestEnum {
-    let mut mem = core::mem::MaybeUninit::<TestEnum>::uninit();
-    unsafe {
+    let mut mem = core::mem::MaybeUninit::<<TestEnum as EndianScalar>::Scalar>::uninit();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
+    EndianScalar::from_little_endian(unsafe {
      core::ptr::copy_nonoverlapping(
        self.0[8..].as_ptr(),
        mem.as_mut_ptr() as *mut u8,
-        core::mem::size_of::<TestEnum>(),
+        core::mem::size_of::<<TestEnum as EndianScalar>::Scalar>(),
      );
      mem.assume_init()
-    }.from_little_endian()
+    })
  }

  pub fn set_b(&mut self, x: TestEnum) {
    let x_le = x.to_little_endian();
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid value in this slot
    unsafe {
      core::ptr::copy_nonoverlapping(
-        &x_le as *const TestEnum as *const u8,
+        &x_le as *const _ as *const u8,
        self.0[8..].as_mut_ptr(),
-        core::mem::size_of::<TestEnum>(),
+        core::mem::size_of::<<TestEnum as EndianScalar>::Scalar>(),
      );
    }
  }

  pub fn c(&'a self) -> flatbuffers::Array<'a, TestEnum, 2> {
-    flatbuffers::Array::follow(&self.0, 9)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 9) }
  }

  pub fn set_c(&mut self, x: &[TestEnum; 2]) {
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
    unsafe {
      core::ptr::copy(
        x.as_ptr() as *const u8,
@@ -143,11 +147,17 @@ impl<'a> NestedStruct {
  }

  pub fn d(&'a self) -> flatbuffers::Array<'a, i64, 2> {
-    flatbuffers::Array::follow(&self.0, 16)
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::Array::follow(&self.0, 16) }
  }

  pub fn set_d(&mut self, items: &[i64; 2]) {
-    flatbuffers::emplace_scalar_array(&mut self.0, 16, items);
+    // Safety:
+    // Created from a valid Table for this object
+    // Which contains a valid array in this slot
+    unsafe { flatbuffers::emplace_scalar_array(&mut self.0, 16, items) };
  }

  pub fn unpack(&self) -> NestedStructT {
--- a/tests/arrays_test/my_game/example/test_enum_generated.rs
+++ b/tests/arrays_test/my_game/example/test_enum_generated.rs
@@ -59,10 +59,8 @@ impl core::fmt::Debug for TestEnum {
 impl<'a> flatbuffers::Follow<'a> for TestEnum {
  type Inner = Self;
  #[inline]
-  fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
-    let b = unsafe {
-      flatbuffers::read_scalar_at::<i8>(buf, loc)
-    };
+  unsafe fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
+    let b = flatbuffers::read_scalar_at::<i8>(buf, loc);
    Self(b)
  }
 }
@@ -70,21 +68,21 @@ impl<'a> flatbuffers::Follow<'a> for TestEnum {
 impl flatbuffers::Push for TestEnum {
    type Output = TestEnum;
    #[inline]
-    fn push(&self, dst: &mut [u8], _rest: &[u8]) {
-        unsafe { flatbuffers::emplace_scalar::<i8>(dst, self.0); }
+    unsafe fn push(&self, dst: &mut [u8], _written_len: usize) {
+        flatbuffers::emplace_scalar::<i8>(dst, self.0);
    }
 }

 impl flatbuffers::EndianScalar for TestEnum {
+  type Scalar = i8;
  #[inline]
-  fn to_little_endian(self) -> Self {
-    let b = i8::to_le(self.0);
-    Self(b)
+  fn to_little_endian(self) -> i8 {
+    self.0.to_le()
  }
  #[inline]
  #[allow(clippy::wrong_self_convention)]
-  fn from_little_endian(self) -> Self {
-    let b = i8::from_le(self.0);
+  fn from_little_endian(v: i8) -> Self {
+    let b = i8::from_le(v);
    Self(b)
  }
 }