[libvirt] [libvirt-rust PATCH 0/1] Fix unsoundness in wrapper new constructor

Linus Färnstrand posted 1 patch 4 years, 7 months ago
There are safety issues with all wrapper type constructors.
All safe wrappers can be created without `unsafe` from raw pointers, meaning
any subsequent use will cause undefined behavior if the pointer does not point
to a valid object:

```rust
// This will segfault / cause undefined behavior: the wrapper is built from a null pointer
virt::connect::Connect::new(ptr::null_mut()).get_hostname()
```

These methods to create safe wrappers from raw pointers must be `unsafe`.
And optimally, all unsafe methods would have a `# Safety` section
explaining what conditions must hold to call them.

Since these methods should not be the main way of instantiating these types,
they should likely not be called `new`, but rather something like `from_ptr`.

Let's see if I manage to make the patch appear under the same email thread this time.

Linus Färnstrand (1):
  Make creating safe wrapper from raw pointer unsafe

 src/connect.rs         | 10 ++++++++--
 src/domain.rs          | 10 ++++++++--
 src/domain_snapshot.rs | 10 ++++++++--
 src/interface.rs       | 10 ++++++++--
 src/network.rs         | 10 ++++++++--
 src/nodedev.rs         | 10 ++++++++--
 src/nwfilter.rs        | 10 ++++++++--
 src/secret.rs          | 10 ++++++++--
 src/storage_pool.rs    | 10 ++++++++--
 src/storage_vol.rs     | 10 ++++++++--
 src/stream.rs          |  8 +++++++-
 11 files changed, 87 insertions(+), 21 deletions(-)

--
2.21.0
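The pattern the cover letter describes, as an added example that is not libvirt-rust's code: a wrapper type with the unsound safe `new(ptr)` beside the sound `unsafe fn from_ptr` carrying a `# Safety` section, plus the safe `open` path that callers should normally use. `Conn`, `conn_open` and `conn_close` are constructed stand-ins for a C API, not libvirt functions.

```rust
use std::ffi::{CStr, CString};
use std::os::raw::c_char;

/// Opaque handle a hypothetical C library hands out (stand-in, not libvirt's virConnect).
#[repr(C)]
pub struct Conn { hostname: *mut c_char }

// Stand-ins for the C API; in the real crate these would be libvirt FFI calls.
pub fn conn_open(host: &str) -> *mut Conn {
    let h = CString::new(host).expect("hostname contains NUL");
    Box::into_raw(Box::new(Conn { hostname: h.into_raw() }))
}
unsafe fn conn_close(c: *mut Conn) {
    let conn = Box::from_raw(c);
    drop(CString::from_raw(conn.hostname));
}

/// Before: a safe `new` accepts any pointer, so a null or dangling pointer reaches
/// a dereference later with no `unsafe` anywhere at the call site.
pub struct UnsoundConnect { ptr: *mut Conn }
impl UnsoundConnect {
    pub fn new(ptr: *mut Conn) -> Self { Self { ptr } }
    pub fn is_null(&self) -> bool { self.ptr.is_null() }
}

/// After: the raw-pointer constructor is `unsafe` and documents its contract; the
/// safe way to obtain a `Connect` is through the library's own open call.
pub struct Connect { ptr: *mut Conn }
impl Connect {
    pub fn open(host: &str) -> Option<Connect> {
        let ptr = conn_open(host);
        // SAFETY: `conn_open` returned a live, owned `Conn`; null is handled here.
        if ptr.is_null() { None } else { Some(unsafe { Connect::from_ptr(ptr) }) }
    }
    /// # Safety
    /// `ptr` must be non-null and point to a live `Conn` returned by `conn_open`.
    /// Ownership transfers to the wrapper, which closes the connection on drop.
    pub unsafe fn from_ptr(ptr: *mut Conn) -> Connect {
        debug_assert!(!ptr.is_null(), "from_ptr contract violated");
        Connect { ptr }
    }
    pub fn get_hostname(&self) -> String {
        // SAFETY: `self.ptr` is valid for the life of `self` by the constructor contract.
        unsafe { CStr::from_ptr((*self.ptr).hostname).to_string_lossy().into_owned() }
    }
}
impl Drop for Connect {
    // SAFETY: the wrapper owns the handle, so closing it exactly once here is sound.
    fn drop(&mut self) { unsafe { conn_close(self.ptr) } }
}
```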


--
libvir-list mailing list
libvir-list@redhat.com
https://www.redhat.com/mailman/listinfo/libvir-list