
vulkan: Mark `fn mapped_(mut_)slice()` as `unsafe`

Open MarijnS95 opened this issue 3 years ago • 16 comments

CC @fu5ha

As discussed long ago, and recently in #138, it is undefined behaviour to create or transmute to `&[u8]` when the underlying data is possibly uninit. This also holds true for transmuting arbitrary `T: Copy` structures to `&[u8]` where eventual padding bytes are considered uninitialized, hence invalid for `u8`.

Instead of coming up with a massive safety API that distinguishes between uninitialized and initialized buffers - which turns out to be really easy to invalidate by copying structures with padding bytes - place the onus on the user to keep track of initialization status by only ever providing mapped slices in an unsafe context. Users are expected to initialize the buffer using `ptr::copy(_nonoverlapping)()` when used from a CPU context instead of calling `.mapped_mut_slice()`, or switch to the new presser API from #138.

MarijnS95, Oct 18 '22 14:10
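The pattern the issue asks users to follow, as an added example that is not gpu-allocator's code and not part of this thread: the mapping is only ever handled as a raw `*mut MaybeUninit<u8>`, a padded `repr(C)` value is copied in with `ptr::copy_nonoverlapping` (an untyped memcpy, so its padding bytes are never materialised as `u8` values), and it is read back through `*const T` rather than through a `&[u8]` view. A `&[u8]` is only ever formed over a range that was filled from an initialised byte slice. `MappedRegion`, `Vertex` and the `Vec<MaybeUninit<u8>>` standing in for a host-visible GPU mapping are assumptions made for this example.

```rust
use std::mem::{size_of, MaybeUninit};
use std::ptr;

/// Stand-in for a host-visible mapping (assumption for this example): a heap
/// buffer whose bytes start out uninitialised, like freshly mapped memory.
struct MappedRegion {
    buf: Vec<MaybeUninit<u8>>,
}

/// A `repr(C)` value with padding: `kind` at offset 0, three padding bytes,
/// then `index` at offset 4. `size_of::<Vertex>()` is 8, not 5.
#[derive(Clone, Copy, Debug, PartialEq)]
#[repr(C)]
struct Vertex {
    kind: u8,
    index: u32,
}

impl MappedRegion {
    fn new(len: usize) -> Self {
        let mut buf = Vec::with_capacity(len);
        buf.resize_with(len, MaybeUninit::uninit);
        Self { buf }
    }

    /// Copy `value` into the mapping at `offset`, byte for byte. Padding bytes
    /// are copied as "uninit" without ever being read as a `u8`.
    ///
    /// # Safety
    /// `offset + size_of::<T>()` must lie within the mapping (checked here).
    unsafe fn write_pod<T: Copy>(&mut self, offset: usize, value: &T) {
        assert!(offset + size_of::<T>() <= self.buf.len(), "write out of bounds");
        let src = value as *const T as *const MaybeUninit<u8>;
        // SAFETY: bounds checked above; src and dst do not overlap.
        unsafe {
            let dst = self.buf.as_mut_ptr().add(offset);
            ptr::copy_nonoverlapping(src, dst, size_of::<T>());
        }
    }

    /// Read a `T` back from `offset`. Going through `*const T` only requires
    /// the non-padding bytes to be initialised, unlike forming a `&[u8]`.
    /// The read is unaligned because the mapping has alignment 1 here.
    ///
    /// # Safety
    /// A `T` must previously have been written at `offset` by `write_pod`.
    unsafe fn read_pod<T: Copy>(&self, offset: usize) -> T {
        assert!(offset + size_of::<T>() <= self.buf.len(), "read out of bounds");
        // SAFETY: bounds checked above; caller guarantees a T lives here.
        unsafe { ptr::read_unaligned(self.buf.as_ptr().add(offset) as *const T) }
    }

    /// Copy fully initialised bytes in. This is the only kind of write after
    /// which a `&[u8]` view over that range is sound.
    ///
    /// # Safety
    /// `offset + bytes.len()` must lie within the mapping (checked here).
    unsafe fn write_bytes(&mut self, offset: usize, bytes: &[u8]) {
        assert!(offset + bytes.len() <= self.buf.len(), "write out of bounds");
        // SAFETY: bounds checked above; src and dst do not overlap.
        unsafe {
            let dst = self.buf.as_mut_ptr().add(offset);
            ptr::copy_nonoverlapping(bytes.as_ptr() as *const MaybeUninit<u8>, dst, bytes.len());
        }
    }

    /// # Safety
    /// Every byte in `offset..offset + len` must have been initialised via
    /// `write_bytes`, never via `write_pod` of a type with padding.
    unsafe fn initialized_slice(&self, offset: usize, len: usize) -> &[u8] {
        assert!(offset + len <= self.buf.len(), "slice out of bounds");
        // SAFETY: bounds checked above; caller guarantees initialisation.
        unsafe { std::slice::from_raw_parts(self.buf.as_ptr().add(offset) as *const u8, len) }
    }
}

/// Round-trip two padded structs and one byte blob through a 64-byte mapping.
/// Constructed sample values; returns what was read back.
fn demo_roundtrip() -> (Vertex, Vertex, Vec<u8>) {
    let mut region = MappedRegion::new(64);
    let a = Vertex { kind: 7, index: 0xDEAD_BEEF };
    let b = Vertex { kind: 9, index: 42 };
    let header = *b"HDR!";
    // SAFETY: all offsets fit in the region; every read follows a write of the
    // same type at the same offset, and the slice covers only `header` bytes.
    unsafe {
        region.write_pod(0, &a);
        region.write_pod(size_of::<Vertex>(), &b);
        region.write_bytes(32, &header);
        let a2: Vertex = region.read_pod(0);
        let b2: Vertex = region.read_pod(size_of::<Vertex>());
        let hdr = region.initialized_slice(32, header.len()).to_vec();
        (a2, b2, hdr)
    }
}

fn main() {
    let (a, b, hdr) = demo_roundtrip();
    println!("{a:?} {b:?} {hdr:?} (size_of::<Vertex>() = {})", size_of::<Vertex>());
}
```

The bookkeeping of which offsets hold a `T` versus plain bytes stays with the caller, which is exactly the onus the issue proposes to place on users instead of on the crate.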