Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

entry: Mark all extern "C" function-pointer calls unsafe #756

Merged
merged 1 commit into from
May 28, 2023
Merged

entry: Mark all extern "C" function-pointer calls unsafe #756

merged 1 commit into from
May 28, 2023

Conversation

MarijnS95
Copy link
Collaborator

@MarijnS95 MarijnS95 commented May 26, 2023
edited
Loading

We don't mark any of the extern calls to Vulkan function-pointers safe except for a few Entry functions. Their safety contract was easy to validate, but now that we exposed a constructor function to let the user provide function pointers in the form of Entry::from_parts_1_1() it is no longer safe to assume that we are calling the function that adheres to the contract specified in the Vulkan reference.

Because we don't rigorously do this validation and safe-marking anywhere else either, mark these function calls as unsafe.

Related discussion chain: #748 (comment)

@MarijnS95 MarijnS95 requested a review from Ralith May 26, 2023 08:55
@MarijnS95 MarijnS95 mentioned this pull request May 26, 2023
Merged
Ralith
Ralith approved these changes May 26, 2023
View reviewed changes
Copy link
Collaborator

@Ralith Ralith left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Did you want to also mark the individual methods as unsafe for consistency?

@MarijnS95
Copy link
Collaborator Author

Did you want to also mark the individual methods as unsafe for consistency?

We were not going to do that because the safety contract could be upheld on the Vulkan side, right? The only problem was that we can no longer validate this when the function pointer itself originates from an unknown source (e.g. not vkGetInstanceProcAddr).

Otherwise I would have gone for marking the functions as unsafe instead (to match all other Vulkan functions) and leave this function as safe (to match from_parts on Instance and Device) but we discussed the opposite in #748 (comment)?

@Ralith
Copy link
Collaborator

Ralith commented May 27, 2023

Both approaches are equally valid from a correctness standpoint. I understood from that conversation that you strongly favored the approach of marking the wrapper functions as unsafe for consistency?

@MarijnS95
Copy link
Collaborator Author

MarijnS95 commented May 27, 2023
edited
Loading

@Ralith yes they are, but since you put so much emphasis on (extern) C functions being not necessarily/inherently unsafe to call in #748 (comment), I figured the preference was to mark from_parts unsafe instead?

I haven't checked any of the safety contracts for these C functions, so we might as well mark them unsafe and keep the from_parts function safe (both matching how ash exposes the API everywhere else) then?

@Ralith
Copy link
Collaborator

Ralith commented May 27, 2023

you put so much emphasis on (extern) C functions being not necessarily/inherently unsafe to call

This was a point of fact, but is not necessarily the deciding factor. Apologies for the confusion!

I haven't checked any of the safety contracts for these C functions, so we might as well mark them unsafe and keep the from_parts function safe (both matching how ash exposes the API everywhere else) then?

I find this appealing from a consistency standpoint. Even though we can easily deem these safe, it might be confusing to do so when we in general don't.

@MarijnS95
Copy link
Collaborator Author

Ah, that makes sense then! Sure, I'll mark the C function wrappers unsafe instead.

@MarijnS95 MarijnS95 requested a review from Ralith May 28, 2023 21:25
@MarijnS95
entry: Mark all extern "C" function-pointer calls unsafe
ee5e651 
We don't mark any of the extern calls to Vulkan function-pointers safe
except for a few `Entry` functions.  Their safety contract was easy to
validate, but now that we exposed a constructor function to let the user
provide function pointers in the form of `Entry::from_parts_1_1()` it is
no longer safe to assume that we are calling the function that adheres
to the contract specified in the Vulkan reference.

Because we don't rigorously do this validation and safe-marking anywhere
else either, mark these function calls as `unsafe`.

Related discussion chain: #748 (comment)
@Ralith Ralith merged commit bdafbb4 into master May 28, 2023
@Ralith Ralith deleted the entry-from-parts-unsafe branch May 28, 2023 23:32
@MarijnS95 MarijnS95 changed the title entry: Mark Entry::from_parts_1_1() as unsafe entry: Mark all extern "C" function-pointer calls unsafe May 29, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Ralith Ralith Ralith approved these changes

Assignees
No one assigned
Labels
Breaking change
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@MarijnS95 @Ralith