irmin-pack: further tweaks and clarifications after initial review

mirage · Jul 7, 2022 · 97340db · 97340db
1 parent 15207cf
commit 97340db
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 4 deletions.
diff --git a/src/irmin-pack/unix/pack_index.ml b/src/irmin-pack/unix/pack_index.ml
@@ -43,12 +43,13 @@ module Make (K : Irmin.Hash.S) = struct
          functions above return unique ownership of buf. Then in the call to
          Bytes.unsafe_to_string we give up unique ownership of buf for ownership of the
          resulting string. This is safe. *)
-      Bytes.unsafe_to_string buf (* safe: see comment above *)
+      Bytes.unsafe_to_string buf
 
     let decode s pos : t =
       (* Bytes.unsafe_of_string usage: s is shared ownership; buf is shared ownership (we
-         cannot mutate buf); we assume the Bytes.get... functions require only shared
-         ownership. This usage is safe. *)
+         cannot mutate buf) and the lifetime of buf ends on return from this function; we
+         assume the Bytes.get... functions require only shared ownership. This usage is
+         safe. *)
       let buf = Bytes.unsafe_of_string s in
       let off = Bytes.get_int64_be buf pos |> Int63.of_int64 in
       let len = Bytes.get_int32_be buf (pos + 8) |> Int32.to_int in

diff --git a/src/irmin-pack/unix/snapshot.ml b/src/irmin-pack/unix/snapshot.ml
@@ -231,7 +231,8 @@ module Make (Args : Args) = struct
         Bytes.set_int32_be buf 8 (Int32.of_int len);
         (* Bytes.unsafe_to_string usage: buf is local, uniquely owned; we assume the
            Bytes.set... functions return unique ownership; then Bytes.unsafe_to_string
-           gives up unique ownership of buf. This is safe. *)
+           gives up unique ownership of buf to get shared ownership of the resulting
+           string, which is then returned. buf is no longer accessible. This is safe. *)
         Bytes.unsafe_to_string buf
 
       let decode s pos : t =