[Merged by Bors] - bevy_reflect: ReflectFromPtr to create &dyn Reflect from a *const ()

[jakobhellermann]

Objective

#4447 adds functions that can fetch resources/components as *const () ptr by providing the ComponentId. This alone is not enough for them to be usable safely with reflection, because there is no general way to go from the raw pointer to a &dyn Reflect which is the pointer + a pointer to the VTable of the Reflect impl.

By adding a ReflectFromPtr type that is included in the type type registration when deriving Reflect, safe functions can be implemented in scripting languages that don't assume a type layout and can access the component data via reflection:

#[derive(Reflect)]
struct StringResource {
    value: String
}

local res_id = world:resource_id_by_name("example::StringResource")
local res = world:resource(res_id)

print(res.value)

Solution

1. add a ReflectFromPtr type with a FromType<T: Reflect> implementation and the following methods:

• pub unsafe fn as_reflect_ptr<'a>(&self, val: Ptr<'a>) -> &'a dyn Reflect
• pub unsafe fn as_reflect_ptr_mut<'a>(&self, val: PtrMut<'a>) -> &'a mud dyn Reflect

Safety requirements of the methods are that you need to check that the ReflectFromPtr was constructed for the correct type.

2. add that type to the TypeRegistration in the GetTypeRegistration impl generated by #[derive(Reflect)].
   This is different to other reflected traits because it doesn't need #[reflect(ReflectReflectFromPtr)] which IMO should be there by default.

[jakobhellermann]

I changed the unsafe functions to return a *const dyn Reflect instead of a &dyn Reflect with an arbitrary caller-chosen lifetime. This is safer because now the caller must explicitly dereference the pointer and think about the lifetime it is valid for instead of rust automatically choosing a lifetime which is big enough for its uses.

-/// Safety: correct type and correct chosen lifetime
-pub unsafe fn to_reflect_ptr<'a>(&self, val: *const ()) -> &'a dyn Reflect
+/// Safety: correct type
+pub unsafe fn to_reflect_ptr(&self, val: *const ()) -> *const dyn Reflect

[MrGVSV]

LGTM! Unfortunately, I don't feel confident enough in Rust pointers to approve it myself, though :/

[jakobhellermann]

I noticed a problem in this PR where a malicious user could

impl GetTypeRegisteration for T {
  fn get_type_registration() {
    let mut reg = TypeRegistration::of::<T>();
    reg.insert::<<ReflectFromPtr as FromType<DefinitelyNotT>>::from_type());
    reg
  }
}

Which would make it impossible to use to_reflect_ptr soundly because as a user you cannot rely that the type you fetched it for is the correct one, and the type check in to_reflect is wrong.

This can only be fixed by tweaking the type registration process so that the TypeRegistry maintains the invariant that and TypeData inserted will be 100% for the correct type.

[jakobhellermann]

blocked on #4567

[jakobhellermann]

Updated the PR to bevy_ptr. And perhaps "blocked on #4567" is a bit much, the PR is still useful for cases where you know the type of the value, it's just that if you don't you can't really trust that the ReflectFromPtr was created for the correct type.

[MrGVSV]

Ping @jakobhellermann this branch likely has merge conflicts from #4712. To resolve, simply move your line of code in bevy_reflect_derive to the new registration.rs file.

[MrGVSV]

Looks good to me (though, again, not super familiar with pointer manipulation in Rust so take my approval with a grain of salt haha).

[PROMETHIA-27]

A bit spooky, but I can't see any Undefined Behavior unless you break the type-safety promise. Definitely going to appreciate this for scripting.

[alice-i-cecile]

as_reflect and as_reflect_mut seem wholly unnecessary, given &'a T where T: Reflect can be coerced to &'a dyn Reflect without any additional help.

Pulling this comment by @TheRawMeatball up a level; we should block on that feedback being resolved in some form or another.

[PROMETHIA-27]

Hm, you could just replace the body of those functions with their input couldn't you... why are they there?

[jakobhellermann]

hm so they were meant as a safer alternative for when you don't need pointers involved but in that case you can just val as &dyn Reflect so the methods are pretty useless. I'll remove them.

[cart]

Looks good to me! One conversation I'd like to have, but I won't block on it.
(Please reply even after this is merged)

[cart]

I don't think we're in a place where we can treat "arbitrary rust code running in the users' program" as untrusted. Given that rust can do "anything", if there is arbitrary malicious code in a users' program, it is already compromised no matter what we do. Things like public/private visibility don't mean anything here when you can create a mirror struct that provides access and then unsafely cast a pointer to that struct.

We can only provide these guarantees in a sandbox with tight controls over data that passes the boundary. This api won't provide that, so idk if I see the point here (feel free to tell me if/how I'm wrong).

[DJMcNab]

Hmm, I thought we were trying to be sound? In that case, we'd treat all safe code as untrusted, and make sure that safe code cannot add requirements to an unsafe function.

Basically, this comment really really confuses me.

[cart]

bors r+

[bors]

Canceled.

[cart]

bors retry

[bors]

Pull request successfully merged into main.

Build succeeded:

• build-and-install-on-iOS
• build-android
• build (macos-latest)
• build (ubuntu-latest)
• build-wasm
• build (windows-latest)
• check-compiles
• check-doc
• check-missing-examples-in-docs
• ci
• markdownlint
• run-examples
• run-examples-on-wasm
• run-examples-on-windows-dx12