trussed-dev / trussed

Modern Cryptographic Firmware

Home Page: https://trussed.dev


Dangerous `unsafe` in `impl_reply`

sosthene-nitrokey opened this issue · comments

https://github.com/trussed-dev/trussed/blob/main/src/api/macros.rs#L96

    // Fragment of the `impl_reply` macro: `$reply` is the macro's reply-type parameter.
    // The `From` impl is infallible, so a mismatched variant falls into `unreachable_unchecked`.
    impl From<Reply> for $reply {
        fn from(reply: Reply) -> reply::$reply {
            match reply {
                Reply::$reply(reply) => reply,
                _ => { unsafe { unreachable_unchecked() } }
            }
        }
    }

This unsafe is not sound and this impl is part of the public API. I think we could replace it with a panic!, since it is only used by PollClient::request. To reduce the risk of panicking I would instead use TryFrom.

Yeah, this should really be a TryFrom. If we make changes to the request and reply types, it could make sense to have a trait that defines the request and reply types for a syscall.

I’ll prepare a PR. It will also be useful for API extensions, because I’m using TryFrom there, so I had to duplicate FutureResult. Edit: Never mind, I still have to do the serialization and deserialization.

I'm making a PR that adds a trait that does bindings between the request and reply types.
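The following is an added example, not code from the trussed repository or from any participant in this thread. It is a reduced model of the `Reply` enum and of the `impl_reply` macro discussed above: it keeps the unsound `From` pattern (never invoked, because calling it with the wrong variant is undefined behaviour), puts a `TryFrom`-based macro beside it, and adds the kind of trait the second comment suggests, binding a request type to its reply type. The type names (`Hash`, `RandomBytes`, `HashRequest`, `RandomBytesRequest`, `Syscall`, `decode_reply`) and the `Error::InternalError` variant are constructed for illustration and are not trussed's API.

```rust
use core::convert::TryFrom;

// Constructed stand-ins for two reply payloads (not trussed's real types).
#[derive(Debug, PartialEq)]
pub struct Hash {
    pub digest: Vec<u8>,
}

#[derive(Debug, PartialEq)]
pub struct RandomBytes {
    pub bytes: Vec<u8>,
}

/// Tagged union of every reply the service can send back (reduced model).
#[derive(Debug, PartialEq)]
pub enum Reply {
    Hash(Hash),
    RandomBytes(RandomBytes),
}

/// Constructed error type; the variant name is an assumption for this example.
#[derive(Debug, PartialEq)]
pub enum Error {
    /// The reply variant did not match the request. This should never happen,
    /// but it must surface as an error, not as undefined behaviour.
    InternalError,
}

/// The pattern from the issue, kept only to show what is wrong with it:
/// `unreachable_unchecked` is a promise to the compiler, and a mismatched
/// variant makes that promise false, which is undefined behaviour. Because
/// the impl is public, any caller can hit this path. Never called here.
pub fn unsound_from(reply: Reply) -> Hash {
    match reply {
        Reply::Hash(h) => h,
        _ => unsafe { core::hint::unreachable_unchecked() },
    }
}

/// Sound replacement for the macro: a mismatch becomes a typed error.
macro_rules! impl_reply {
    ($($reply:ident),* $(,)?) => {
        $(
            impl TryFrom<Reply> for $reply {
                type Error = Error;
                fn try_from(reply: Reply) -> Result<$reply, Error> {
                    match reply {
                        Reply::$reply(reply) => Ok(reply),
                        _ => Err(Error::InternalError),
                    }
                }
            }
        )*
    };
}
impl_reply!(Hash, RandomBytes);

/// Binds a request type to the reply type it must produce, so the client
/// cannot pick the wrong conversion for a given request.
pub trait Syscall {
    type Reply: TryFrom<Reply, Error = Error>;
}

pub struct HashRequest {
    pub message: Vec<u8>,
}
pub struct RandomBytesRequest {
    pub count: usize,
}
impl Syscall for HashRequest {
    type Reply = Hash;
}
impl Syscall for RandomBytesRequest {
    type Reply = RandomBytes;
}

/// Client-side decode, modelled loosely on what a `request` method would do:
/// convert the raw reply into the type the request's `Syscall` impl promises,
/// and fail safely if the service answered with the wrong variant.
pub fn decode_reply<R: Syscall>(_request: &R, raw: Reply) -> Result<R::Reply, Error> {
    R::Reply::try_from(raw)
}

fn main() {
    let req = HashRequest { message: b"hello".to_vec() };
    // Matching variant: Ok(Hash).
    let ok = decode_reply(&req, Reply::Hash(Hash { digest: vec![0xAB; 32] }));
    assert!(ok.is_ok());
    // Mismatched variant: a typed error instead of undefined behaviour.
    let bad = decode_reply(&req, Reply::RandomBytes(RandomBytes { bytes: vec![1, 2, 3] }));
    assert_eq!(bad, Err(Error::InternalError));
    println!("mismatch handled as {:?}", bad);
}
```

The `Syscall` trait is what makes the `TryFrom` approach cheap in practice: the client never needs to name the reply type, so the only place a mismatch can arise is a service bug, and that bug now returns `Err` rather than corrupting state.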