Rust Flatbuffers Verifier (#6269)

* Updated comments and fixed a fundemental type error.

* bump rust flatbuffers semver

* Initial commit with verifier, need to clean up

* Verifier tested. Needs clean up and refactoring.

* Display for InvalidFlatbuffer and better errors for strings

* SimpleToVerify, some refactoring

* Combined VerifierType TableAccessorFuncBody into FollowType

* scrub todos

* Update Rust get_root functions.

There are 6 variants, with verifier options, default verifier options
and no verification "fast".

* Rename root fns

* inline

* Update to use thiserror

* fix for bad compiler

* improve error formatting

* Replace multiply with saturating_multiply

* saturating adds too

* Add docs disclaiming experimental verification system

Co-authored-by: Casper Neo <cneo@google.com>

tests/optional_scalars_generated.rs

@@ -69,7 +69,8 @@ impl<'a> flatbuffers::Follow<'a> for OptionalByte {
   type Inner = Self;
   #[inline]
   fn follow(buf: &'a [u8], loc: usize) -> Self::Inner {
-    Self(flatbuffers::read_scalar_at::<i8>(buf, loc))
+    let b = flatbuffers::read_scalar_at::<i8>(buf, loc);
+    Self(b)
   }
 }
 
@@ -84,14 +85,27 @@ impl flatbuffers::Push for OptionalByte {
 impl flatbuffers::EndianScalar for OptionalByte {
   #[inline]
   fn to_little_endian(self) -> Self {
-    Self(i8::to_le(self.0))
+    let b = i8::to_le(self.0);
+    Self(b)
   }
   #[inline]
   fn from_little_endian(self) -> Self {
-    Self(i8::from_le(self.0))
+    let b = i8::from_le(self.0);
+    Self(b)
   }
 }
 
+impl<'a> flatbuffers::Verifiable for OptionalByte {
+  #[inline]
+  fn run_verifier<'o, 'b>(
+    v: &mut flatbuffers::Verifier<'o, 'b>, pos: usize
+  ) -> Result<(), flatbuffers::InvalidFlatbuffer> {
+    use self::flatbuffers::Verifiable;
+    i8::run_verifier(v, pos)
+  }
+}
+
+impl flatbuffers::SimpleToVerifyInSlice for OptionalByte {}
 pub enum ScalarStuffOffset {}
 #[derive(Copy, Clone, PartialEq)]
 
@@ -341,6 +355,53 @@ impl<'a> ScalarStuff<'a> {
   }
 }
 
+impl flatbuffers::Verifiable for ScalarStuff<'_> {
+  #[inline]
+  fn run_verifier<'o, 'b>(
+    v: &mut flatbuffers::Verifier<'o, 'b>, pos: usize
+  ) -> Result<(), flatbuffers::InvalidFlatbuffer> {
+    use self::flatbuffers::Verifiable;
+    v.visit_table(pos)?
+     .visit_field::<i8>(&"just_i8", Self::VT_JUST_I8, false)?
+     .visit_field::<i8>(&"maybe_i8", Self::VT_MAYBE_I8, false)?
+     .visit_field::<i8>(&"default_i8", Self::VT_DEFAULT_I8, false)?
+     .visit_field::<u8>(&"just_u8", Self::VT_JUST_U8, false)?
+     .visit_field::<u8>(&"maybe_u8", Self::VT_MAYBE_U8, false)?
+     .visit_field::<u8>(&"default_u8", Self::VT_DEFAULT_U8, false)?
+     .visit_field::<i16>(&"just_i16", Self::VT_JUST_I16, false)?
+     .visit_field::<i16>(&"maybe_i16", Self::VT_MAYBE_I16, false)?
+     .visit_field::<i16>(&"default_i16", Self::VT_DEFAULT_I16, false)?
+     .visit_field::<u16>(&"just_u16", Self::VT_JUST_U16, false)?
+     .visit_field::<u16>(&"maybe_u16", Self::VT_MAYBE_U16, false)?
+     .visit_field::<u16>(&"default_u16", Self::VT_DEFAULT_U16, false)?
+     .visit_field::<i32>(&"just_i32", Self::VT_JUST_I32, false)?
+     .visit_field::<i32>(&"maybe_i32", Self::VT_MAYBE_I32, false)?
+     .visit_field::<i32>(&"default_i32", Self::VT_DEFAULT_I32, false)?
+     .visit_field::<u32>(&"just_u32", Self::VT_JUST_U32, false)?
+     .visit_field::<u32>(&"maybe_u32", Self::VT_MAYBE_U32, false)?
+     .visit_field::<u32>(&"default_u32", Self::VT_DEFAULT_U32, false)?
+     .visit_field::<i64>(&"just_i64", Self::VT_JUST_I64, false)?
+     .visit_field::<i64>(&"maybe_i64", Self::VT_MAYBE_I64, false)?
+     .visit_field::<i64>(&"default_i64", Self::VT_DEFAULT_I64, false)?
+     .visit_field::<u64>(&"just_u64", Self::VT_JUST_U64, false)?
+     .visit_field::<u64>(&"maybe_u64", Self::VT_MAYBE_U64, false)?
+     .visit_field::<u64>(&"default_u64", Self::VT_DEFAULT_U64, false)?
+     .visit_field::<f32>(&"just_f32", Self::VT_JUST_F32, false)?
+     .visit_field::<f32>(&"maybe_f32", Self::VT_MAYBE_F32, false)?
+     .visit_field::<f32>(&"default_f32", Self::VT_DEFAULT_F32, false)?
+     .visit_field::<f64>(&"just_f64", Self::VT_JUST_F64, false)?
+     .visit_field::<f64>(&"maybe_f64", Self::VT_MAYBE_F64, false)?
+     .visit_field::<f64>(&"default_f64", Self::VT_DEFAULT_F64, false)?
+     .visit_field::<bool>(&"just_bool", Self::VT_JUST_BOOL, false)?
+     .visit_field::<bool>(&"maybe_bool", Self::VT_MAYBE_BOOL, false)?
+     .visit_field::<bool>(&"default_bool", Self::VT_DEFAULT_BOOL, false)?
+     .visit_field::<OptionalByte>(&"just_enum", Self::VT_JUST_ENUM, false)?
+     .visit_field::<OptionalByte>(&"maybe_enum", Self::VT_MAYBE_ENUM, false)?
+     .visit_field::<OptionalByte>(&"default_enum", Self::VT_DEFAULT_ENUM, false)?
+     .finish();
+    Ok(())
+  }
+}
 pub struct ScalarStuffArgs {
     pub just_i8: i8,
     pub maybe_i8: Option<i8>,
@@ -629,15 +690,77 @@ impl std::fmt::Debug for ScalarStuff<'_> {
   }
 }
 #[inline]
+#[deprecated(since="1.13", note="Deprecated in favor of `root_as...` methods.")]
 pub fn get_root_as_scalar_stuff<'a>(buf: &'a [u8]) -> ScalarStuff<'a> {
-  flatbuffers::get_root::<ScalarStuff<'a>>(buf)
+  unsafe { flatbuffers::root_unchecked::<ScalarStuff<'a>>(buf) }
 }
 
 #[inline]
+#[deprecated(since="1.13", note="Deprecated in favor of `root_as...` methods.")]
 pub fn get_size_prefixed_root_as_scalar_stuff<'a>(buf: &'a [u8]) -> ScalarStuff<'a> {
-  flatbuffers::get_size_prefixed_root::<ScalarStuff<'a>>(buf)
+  unsafe { flatbuffers::size_prefixed_root_unchecked::<ScalarStuff<'a>>(buf) }
 }
 
+#[inline]
+/// Verifies that a buffer of bytes contains a `ScalarStuff`
+/// and returns it.
+/// Note that verification is still experimental and may not
+/// catch every error, or be maximally performant. For the
+/// previous, unchecked, behavior use
+/// `root_as_scalar_stuff_unchecked`.
+pub fn root_as_scalar_stuff(buf: &[u8]) -> Result<ScalarStuff, flatbuffers::InvalidFlatbuffer> {
+  flatbuffers::root::<ScalarStuff>(buf)
+}
+#[inline]
+/// Verifies that a buffer of bytes contains a size prefixed
+/// `ScalarStuff` and returns it.
+/// Note that verification is still experimental and may not
+/// catch every error, or be maximally performant. For the
+/// previous, unchecked, behavior use
+/// `size_prefixed_root_as_scalar_stuff_unchecked`.
+pub fn size_prefixed_root_as_scalar_stuff(buf: &[u8]) -> Result<ScalarStuff, flatbuffers::InvalidFlatbuffer> {
+  flatbuffers::size_prefixed_root::<ScalarStuff>(buf)
+}
+#[inline]
+/// Verifies, with the given options, that a buffer of bytes
+/// contains a `ScalarStuff` and returns it.
+/// Note that verification is still experimental and may not
+/// catch every error, or be maximally performant. For the
+/// previous, unchecked, behavior use
+/// `root_as_scalar_stuff_unchecked`.
+pub fn root_as_scalar_stuff_with_opts<'b, 'o>(
+  opts: &'o flatbuffers::VerifierOptions,
+  buf: &'b [u8],
+) -> Result<ScalarStuff<'b>, flatbuffers::InvalidFlatbuffer> {
+  flatbuffers::root_with_opts::<ScalarStuff<'b>>(opts, buf)
+}
+#[inline]
+/// Verifies, with the given verifier options, that a buffer of
+/// bytes contains a size prefixed `ScalarStuff` and returns
+/// it. Note that verification is still experimental and may not
+/// catch every error, or be maximally performant. For the
+/// previous, unchecked, behavior use
+/// `root_as_scalar_stuff_unchecked`.
+pub fn size_prefixed_root_as_scalar_stuff_with_opts<'b, 'o>(
+  opts: &'o flatbuffers::VerifierOptions,
+  buf: &'b [u8],
+) -> Result<ScalarStuff<'b>, flatbuffers::InvalidFlatbuffer> {
+  flatbuffers::size_prefixed_root_with_opts::<ScalarStuff<'b>>(opts, buf)
+}
+#[inline]
+/// Assumes, without verification, that a buffer of bytes contains a ScalarStuff and returns it.
+/// # Safety
+/// Callers must trust the given bytes do indeed contain a valid `ScalarStuff`.
+pub unsafe fn root_as_scalar_stuff_unchecked(buf: &[u8]) -> ScalarStuff {
+  flatbuffers::root_unchecked::<ScalarStuff>(buf)
+}
+#[inline]
+/// Assumes, without verification, that a buffer of bytes contains a size prefixed ScalarStuff and returns it.
+/// # Safety
+/// Callers must trust the given bytes do indeed contain a valid size prefixed `ScalarStuff`.
+pub unsafe fn size_prefixed_root_as_scalar_stuff_unchecked(buf: &[u8]) -> ScalarStuff {
+  flatbuffers::size_prefixed_root_unchecked::<ScalarStuff>(buf)
+}
 pub const SCALAR_STUFF_IDENTIFIER: &str = "NULL";
 
 #[inline]