Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Document and restrict some unsafe code in gix-pack #1137

Merged
merged 6 commits into from
Nov 29, 2023
Merged

Document and restrict some unsafe code in gix-pack #1137

merged 6 commits into from
Nov 29, 2023

Conversation

martinvonz
Copy link
Contributor

Thanks to @cramertj for highlighting these issues in our internal review of unsafe code at Google.

@martinvonz
rename an Item-typed variable from node to item
d6b8977 
I found it confusing that `node` is not a `Node` but an `Item`.
@martinvonz
extract a ItemSliceSend::get_mut() from Node::into_child_iter()
d27857d
@martinvonz
move delta Node into resolve.rs
d655ee1 
The `Node` type is only used in `resolve.rs`, and using it safely
depends on using the child items correctly, so let's define it there.
@martinvonz
make delta Node private to resolve.rs
7301ca1
@martinvonz
remove Clone impl of ItemSliceSend and make it Sync instead
43bca11 
The `Clone` impl allows two `ItemSliceSend` to be backed by the same
slice. That makes the behavior of `get_mut()` harder to reason about
because we have to consider clones of the `ItemSliceSend` to determine
if it's safe. By making it `Sync`, we make it more obvious that
multiple threads referring to the same instance need to be considered.

I renamed the type to `ItemSliceSync` since it's now also `Sync`.

We could make the type also check the bounds and that an individual
element has not been borrowed more than once. Then we could make
`get_mut()` not `unsafe`.
@martinvonz
give Node an unsafe constructor
c4807de 
`Node` is only safe if it doesn't repeat any indexes into the
`ItemSliceSync`. Let's document this by giving it an unsafe
constructor. To enforce that, I also moved it into a private module.
@Byron
Copy link
Member

Byron commented Nov 29, 2023

Thanks a lot for your help with this!

This portion of the code has seen a lot of revisions, probably more than anything else, which once more shows how hard it is to get unsafe code right. And for better or worse, it's hard to get training with it as well and the Rustonomicon only gets you this far.

@Byron Byron merged commit 115c993 into GitoxideLabs:main Nov 29, 2023
18 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@martinvonz @Byron