The ComPtr API is unsound. #5813
Comments
|
It looks like we do have debug asserts for this but I agree our implementation is not great. Rather than rewriting it, I think we should just move over to |
|
Speaking for myself and @cwfitzgerald (with whom I've spoken about this directly), I think we have no attachment to the |
ErichDonGubler
added
type: bug
|
it's probably not scarier than trusting in keep msdn handy if you tackle this issue! https://github.com/microsoft/windows-rs/tree/master/crates/libs/windows/src/Windows/Win32/Graphics/Direct3D12 |
|
@onkoe per #3207 (comment) the migration to the |
|
sounds great! just wanted to warn anyone who expected a drop-in replacement that said, your branch looks very nice already. can see why you'd start immediately! 😄 |
Description
The ComPtr API let's you de reference a null pointer in safe code.
Repro steps
ComPtr::nullfunction.A.2 Clone your new pointer.
A.3 Look on in horror as
as_unknownde references a null pointer.B.2 Be a bit careless and let rust autoderef your pointer under your nose.
B.3 Watch as your pointer
Derefimpl executes a rapid unplanned program exit.Possible solutions
The simplest solution would be two fold. The clone impl should only call
AddRefwhen the pointer isn't null. The deref impl should be replaced by a deref function that's either safe and returns aOption<&T>or is unsafe and returns a &T.I'm also attempting a solution where
ComPtris turned into a basic wrapper over a *mut ptr and a new type is introduced that always contains a valid (non null and pointing to a valid allocation) pointer to a Interface. The problem is it touches a lot of code and I'm not very familiar with this repo.Platform
Windows
The text was updated successfully, but these errors were encountered: