bytes icon indicating copy to clipboard operation
bytes copied to clipboard
verified publisher icon tokio-rs

Suggestion: `BufMut::advance_mut` should make `cnt > self.remaining_mut()` unsound

Open paolobarbolini opened this issue 11 months ago • 4 comments

The current documentation for BufMut::advance_mut suggests that the implementation should handle cases where cnt > self.remaining_mut(). However, since this function is already unsafe and requires the caller to ensure that the declared length has been properly initialized, it seems contradictory to also suggest the implementation handle out-of-bounds lengths. This requirement was added in #70, and did not exist before. It looks like an artifact of the pre-MaybeUninit days.

The suggestion should instead be to add debug_assert! to catch obviously unsound implementations while avoiding unnecessary runtime overhead in release builds.

paolobarbolini avatar Jan 24 '25 21:01 paolobarbolini

I'm not convinced this is possible due to the semver hack. Bytes v1 will re-export bytes_v2::BufMut, so we cannot make any change we want to due to backwards compat.

Darksonn avatar Jan 24 '25 21:01 Darksonn

I agree it's impossible but I also agree that an already unsafe function required to handle invalid inputs is unfortunate.

Kixunil avatar Jan 25 '25 08:01 Kixunil

I'm not convinced this is possible due to the semver hack. Bytes v1 will re-export bytes_v2::BufMut, so we cannot make any change we want to due to backwards compat.

Could we change the docs to say something along the lines of:

  • Implementors: keep doing what you're doing
  • Callers: assume it's unsound to have cnt > self.remaining_mut()

paolobarbolini avatar Jan 25 '25 11:01 paolobarbolini

That would be a nice way to transition into it becoming unsound at some point (with breaking change).

Kixunil avatar Jan 26 '25 12:01 Kixunil