refactor(async,blocking)!: make Framed::read_exact crate-private#1247
Merged
Benoît Cortier (CBenoit) merged 1 commit intoMay 14, 2026
Conversation
Closes Devolutions#1226. Framed holds an invariant that buf starts at the first byte of a PDU message. read_pdu and read_by_hint maintain that invariant. Framed::read_exact also maintains it for its own callers, but exposing it as pub lets external callers leave buf misaligned by passing an arbitrary length, which then breaks subsequent read_pdu calls. Both ironrdp-async::framed::Framed and ironrdp-blocking::framed::Framed have the same shape and the same exposure. Audit shows no external consumers across the workspace (the four call sites are all internal: two each in async/framed.rs and blocking/framed.rs, calling self.read_exact inside read_pdu / read_by_hint). Drop the now-unused missing_panics_doc lint expectation since the function is no longer part of the documented public API. This is a breaking change to the public API of ironrdp-async (0.8) and ironrdp-blocking (0.8). Pre-1.0; per Cargo SemVer the next minor bump in either crate covers this.
Contributor
Author
|
copilot-pull-request-reviewer please review |
Benoît Cortier (CBenoit)
merged commit d02d24a
into
Devolutions:master
13 checks passed
There was a problem hiding this comment.
Pull request overview
Restricts Framed::read_exact to crate-private visibility in both ironrdp-async and ironrdp-blocking to protect the internal buffer alignment invariant maintained by read_pdu/read_by_hint. Also removes now-unfulfilled #[expect(clippy::missing_panics_doc)] annotations since the lint no longer fires on non-public methods.
Changes:
- Change
pub fn read_exacttopub(crate) fn read_exactinironrdp-asyncandironrdp-blocking. - Remove
#[expect(clippy::missing_panics_doc, ...)]annotations that would otherwise become unfulfilled expectations.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.
| File | Description |
|---|---|
| crates/ironrdp-async/src/framed.rs | Restrict async read_exact visibility and drop unfulfilled clippy expectation. |
| crates/ironrdp-blocking/src/framed.rs | Restrict blocking read_exact visibility and drop unfulfilled clippy expectation. |
💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.
Greg Lamberson (glamberson)
deleted the
refactor/framed-read-exact-private
branch
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Closes #1226.
Framedholds an invariant thatbufstarts at the first byte of a PDU message.read_pduandread_by_hintmaintain that invariant.Framed::read_exactalso maintains it for its own callers, but exposing it aspublets external callers leavebufmisaligned by passing an arbitrary length, which then breaks subsequentread_pducalls.Both
ironrdp_async::framed::Framedandironrdp_blocking::framed::Framedhave the same shape and the same exposure. Audit shows no external consumers across the workspace; the four call sites are all internal:ironrdp-asyncframed.rs:145(read_pdu)ironrdp-asyncframed.rs:174(read_by_hint)ironrdp-blockingframed.rs:74(read_pdu)ironrdp-blockingframed.rs:96(read_by_hint)Both visibility changes use
pub(crate).Also drops the
#[expect(clippy::missing_panics_doc)]annotation that was placed on the inlineexpect("length > self.buf.len()")because the lint only fires on public APIs; with the methods nowpub(crate), the expectation is unfulfilled and clippy fails the build.Breaking change
Marked with
!in the conventional commit. Affects any out-of-workspace consumer that calledFramed::read_exactdirectly. The audit was workspace-only; if someone has a private consumer that relied on this, the migration is to useread_pdu(when reading a structured PDU) orread_by_hint(when the length comes from a header peek) — both maintain the buffer invariant correctly.Pre-1.0 (
ironrdp-async0.8,ironrdp-blocking0.8); per Cargo SemVer a 0.8 → 0.9 minor bump covers this.Test plan
cargo xtask check fmt -vcleancargo xtask check lints -vcleancargo xtask check tests -vpassescargo build --workspace --all-targetsclean