Make DefaultViewInstance safe via compiler-checked covariance

[iainmcgin]

Stacked on #70.

Summary

Removes the last unsafe from the default-instance machinery by collapsing the two view-default traits into one safe trait whose covariance contract is checked by the compiler.

Previously, DefaultViewInstance was implemented only for FooView<'static>, and a separate unsafe trait HasDefaultViewInstance linked FooView<'a> to its 'static instantiation so that Deref for MessageFieldView<V> could serve the static default at any lifetime via a raw pointer cast:

None => unsafe { &*(V::default_view_ptr() as *const V) },

That cast is sound only if FooView is covariant in 'a — a promise the compiler can't verify through a *const u8, hence the unsafe trait.

This PR moves the lifetime coercion into the per-type impl body, where the compiler checks covariance via ordinary subtyping:

pub trait DefaultViewInstance {
    fn default_view_instance<'a>() -> &'a Self
    where
        Self: 'a;
}

impl<'v> DefaultViewInstance for FooView<'v> {
    fn default_view_instance<'a>() -> &'a Self
    where
        Self: 'a,
    {
        static VALUE: OnceBox<FooView<'static>> = OnceBox::new();
        VALUE.get_or_init(|| Box::new(<FooView<'static>>::default()))
    }
}

The return expression has type &'static FooView<'static>; the function must return &'a FooView<'v>. Rust accepts that coercion iff FooView is covariant in 'v — and rejects it with a lifetime error otherwise. So a non-covariant view type now fails to compile at the impl site instead of being a silently-unsound unsafe impl.

Deref for MessageFieldView<V> becomes plain safe code:

fn deref(&self) -> &V {
    self.inner.as_deref().unwrap_or_else(V::default_view_instance)
}

Why this is sound

A safe implementation cannot cause UB: there is no associated type to point at the wrong layout, and any &'a Self produced in safe Rust is valid by construction. The only contract not expressible in the old type signature — covariance — is now verified per-impl by the borrow checker.

Covariance verified end-to-end

All generated view field types are covariant in 'a:

• &'a str, &'a [u8] — covariant
• MessageFieldView<V> is Option<Box<V>> — covariant in V
• RepeatedView<'a, T> is Vec<T> + PhantomData<&'a ()> — covariant
• MapView<'a, K, V> is Vec<(K, V)> + PhantomData<&'a ()> — covariant (notably not HashMap, which would be the one risk)
• View oneof enums hold the above — covariant

The workspace (including buffa-test which exercises every field shape, and StructView which has a MapView field) compiles cleanly under the new scheme, confirming this in practice.

Changes

• buffa/src/view.rs: new DefaultViewInstance signature; HasDefaultViewInstance and default_view_ptr deleted; Deref/PartialEq/Eq for MessageFieldView now bound on DefaultViewInstance with no unsafe block; TinyView test impl updated.
• buffa/src/lib.rs: HasDefaultViewInstance removed from public exports.
• buffa-codegen/src/view.rs: emit the single lifetime-generic impl<'v> DefaultViewInstance for #view_ident<'v>; old two-impl emission removed.
• CHANGELOG.md: extended the DefaultInstance trait is not actually unsafe #68/DefaultViewInstance is not actually unsafe #69 entry.
• Regenerated buffa-types/src/generated/*.__view.rs.

Migration

Hand-written view types replace their two impls with one:

// Before (#70):
impl DefaultViewInstance for MyView<'static> { ... }
unsafe impl<'a> HasDefaultViewInstance for MyView<'a> {
    type Static = MyView<'static>;
}

// After:
impl<'v> DefaultViewInstance for MyView<'v> {
    fn default_view_instance<'a>() -> &'a Self where Self: 'a {
        static VALUE: OnceBox<MyView<'static>> = OnceBox::new();
        VALUE.get_or_init(|| Box::new(<MyView<'static>>::default()))
    }
}

Breaking change

Yes — targeted for v0.4.0 alongside #70.

[rpb-ant]

LGTM, I suggest adding a compile_fail doctest on the trait that tries to impl it for an invariant type (e.g. one holding Cell<&'v str>), to make the covariance a CI-enforced fact and guards against someone "simplifying" the signature later.

[iainmcgin]

[claude code]

Good call — added in the latest push. One tweak: Cell<&'v str> would make the test type !Sync, so a static-based impl would fail on the Sync bound rather than the covariance coercion. Used PhantomData<fn(&'v ()) -> &'v ()> instead (invariant, but Send + Sync) so the only compile error is:

error: lifetime may not live long enough
  = note: the struct `Invariant<'v>` is invariant over the parameter `'v`

which is the property we actually want pinned.