You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
{{ message }}
This repository has been archived by the owner on Mar 20, 2024. It is now read-only.
There are a huge number of unsafe functions in move-native, and some safe functions that probably aren't really.
Reducing the number of unsafe methods would help future maintenance and potential auditors.
Most of the unsafety is due to functions interpreting MoveType plus AnyValue or MoveUntypedVector, the fields of which must be trusted to be correct. The basic approach to reducing unsafe functions is to make the fields of these types private, but add unsafe constructors. Then further functions/methods can be safe, assuming the unsafe types were constructed correctly.
Values of these types received from the compiler are assumed correct.
i.e.:
// These fields must maintain safety invariants.// Because the fields are public, functions operating on MoveType must be unsafe.// If an unsafe constructor is required to build this, then the constructor caller is responsible for the safety,// and methods on MoveType can be declared safe.#[repr(C)]pubstructMoveType{pubname:StaticTypeName,pubtype_desc:TypeDesc,pubtype_info:*constTypeInfo,}
Places where MoveType is combined with an AnyType or MoveUntypedVector can be changed to combine these two types into yet another container, again with an unsafe constructor and private fields, allowing further operations on the pair to be declared safe. Something like this is already done for and TypedMoveBorrowedRustVec and MoveBorrowedRustVecOfStruct, but the methods aren't quite factored correctly to declare methods safe.
e.g.:
// This should be a completely safe method on `TypedMoveBorrowedRustVecMut` -// the unsafe constructor `borrow_typeed_move_vec_as_rust_vec_mut` should be lifted out// (and turned into an unsafe constructor method on `TypedMoveBorrowedRustVecMut`).pubunsafefnswap(type_ve:&MoveType,v:&mutMoveUntypedVector,i:u64,j:u64){let i = usize::try_from(i).expect("usize");let j = usize::try_from(j).expect("usize");let rust_vec:TypedMoveBorrowedRustVecMut = borrow_typed_move_vec_as_rust_vec_mut(type_ve, v);match rust_vec {TypedMoveBorrowedRustVecMut::Bool(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U8(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U16(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U32(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U64(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U128(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::U256(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::Address(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::Signer(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::Vector(_t,mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::Struct(mut v) => v.swap(i, j),TypedMoveBorrowedRustVecMut::Reference(_t,mut v) => v.swap(i, j),}}
I'd also like to convert most free functions that operate on these types to methods.
The text was updated successfully, but these errors were encountered:
The low-hanging fruit here is done, but there's so much unsafety in the runtime that there's plenty more that can potentially be done to introduce safe abstractions around the unsafe ones; though there's a question of whether it is worthwhile - the code contortions to make the internal abstractions truly safe will get uglier and may reduce performance.
Off-hand I recall that the vector abstractions still have many functions that are unsafe, and making them actually memory safe looked tricky.
It could be worth someone taking a fresh look at, though I note that creating safe Rust abstractions around unsafe code is pretty tricky and there are a bunch of subtle rules. This page is a good starting point:
There are a huge number of unsafe functions in move-native, and some safe functions that probably aren't really.
Reducing the number of unsafe methods would help future maintenance and potential auditors.
Most of the unsafety is due to functions interpreting
MoveType
plusAnyValue
orMoveUntypedVector
, the fields of which must be trusted to be correct. The basic approach to reducing unsafe functions is to make the fields of these types private, but add unsafe constructors. Then further functions/methods can be safe, assuming the unsafe types were constructed correctly.Values of these types received from the compiler are assumed correct.
i.e.:
Places where
MoveType
is combined with anAnyType
orMoveUntypedVector
can be changed to combine these two types into yet another container, again with an unsafe constructor and private fields, allowing further operations on the pair to be declared safe. Something like this is already done for andTypedMoveBorrowedRustVec
andMoveBorrowedRustVecOfStruct
, but the methods aren't quite factored correctly to declare methods safe.e.g.:
I'd also like to convert most free functions that operate on these types to methods.
The text was updated successfully, but these errors were encountered: