core: VaArgSafe is an unsafe trait

`T: VaArgSafe` is relied on for soundness. Safe impls promise nothing. Therefore this must be an unsafe trait. Slightly pedantic, as only core can impl this, but we could choose to unseal the trait. That would allow soundly (but unsafely) implementing this for e.g. a `#[repr(C)] struct` that should be passable by varargs.
2024-10-02 23:04:50 +00:00 · 2024-06-24 20:24:10 -07:00 · 2024-06-24 20:24:10 -07:00 · 050595a826
parent 5a3e2a4e92
commit 050595a826
1 changed files with 5 additions and 4 deletions
--- a/library/core/src/ffi/mod.rs
+++ b/library/core/src/ffi/mod.rs
@ -484,7 +484,7 @@ mod sealed_trait {
                  all supported platforms",
        issue = "44930"
    )]
-    pub trait VaArgSafe {}
+    pub unsafe trait VaArgSafe {}
 }

 macro_rules! impl_va_arg_safe {
@ -494,7 +494,7 @@ macro_rules! impl_va_arg_safe {
                       reason = "the `c_variadic` feature has not been properly tested on \
                                 all supported platforms",
                       issue = "44930")]
-            impl sealed_trait::VaArgSafe for $t {}
+            unsafe impl sealed_trait::VaArgSafe for $t {}
        )+
    }
 }
@ -509,14 +509,15 @@ impl sealed_trait::VaArgSafe for $t {}
              all supported platforms",
    issue = "44930"
 )]
-impl<T> sealed_trait::VaArgSafe for *mut T {}
+unsafe impl<T> sealed_trait::VaArgSafe for *mut T {}
+
 #[unstable(
    feature = "c_variadic",
    reason = "the `c_variadic` feature has not been properly tested on \
              all supported platforms",
    issue = "44930"
 )]
-impl<T> sealed_trait::VaArgSafe for *const T {}
+unsafe impl<T> sealed_trait::VaArgSafe for *const T {}

 #[unstable(
    feature = "c_variadic",