Mark push_next() as unsafe and add push_next_one() alternative

`push_next()` is totally `unsafe` because of dereferencing a chain of `p_next` pointers to find the end of the chain to insert, which was obfuscated by a large `unsafe` block for the `BaseOutStructure` pointer cast in commit c8c8f69 ("`next` can contain a pointer chain and we need to correct insert it."). While this function should definitely be marked unsafe, wrapping builders in `unsafe {}` en masse in user code isn't all too desirable, especially when this soundness issue only exists to optionally walk a `p_next` chain while most users are likely inserting bare structs without pointer chains most of the time. `push_next_one()` is introduced for this reason, remaining safe to call without any unintended raw pointer dereferences.
ash-rs · Apr 14, 2024 · d255d28 · d255d28
1 parent 660553c
commit d255d28
Show file tree

Hide file tree

Showing 3 changed files with 3,225 additions and 774 deletions.
diff --git a/ash/src/lib.rs b/ash/src/lib.rs
@@ -204,8 +204,8 @@ mod tests {
             <*mut _>::cast(&mut corner),
         ];
         let mut device_create_info = vk::DeviceCreateInfo::default()
-            .push_next(&mut corner)
-            .push_next(&mut variable_pointers);
+            .push_next_one(&mut corner)
+            .push_next_one(&mut variable_pointers);
         let chain2: Vec<*mut vk::BaseOutStructure<'_>> = unsafe {
             vk::ptr_chain_iter(&mut device_create_info)
                 .skip(1)