Label: customer-request (Documents customer requests.)
These are kinds of validity that users may need to have checked before transmutation from `&[u8]` to `&T`:

- The language-level validity of the bits for the type of each field in `T`, e.g. a `bool` must be either `0` or `1`. This is implemented by the derive.
- The library-level validity of the bits in `T`, e.g. an invariant that the first field is less than the second. This can be referenced by the derive but inherently must be user-controlled.
- The library-level validity of the individual fields in `T`, based on the above library-level check applied to each field. This is also implemented by the derive.
- The library-level validity of the length of the struct given the header contents, e.g. the `length` field is equal to the size of the tail slice. This only applies to dynamically sized structs ending in a slice.

The plan discussed in #5 and #372 is to support the concept of a custom validator, a function or closure provided to `derive(TryFromBytes)` that will always be called before allowing a `TryFromBytes` transmute to succeed.

Open Questions

- Should users be able to provide their own error type, to communicate the way in which the validation failed? How would this be exposed to the higher-level `TryFromBytes` APIs?
- How will data validation interact with custom DSTs? Is the validator also responsible for validating the correct length of the tail slice, or even deriving the correct length (as proposed in "Support casting to a `KnownLayout` type with a user-provided length computed dynamically" #1289 (comment))?
- What happens if the user provides both a `#[length]` and custom validator function and they disagree?
- Given `struct Outer { x: u8, y: Inner }` / `struct Inner { a: [u8; 4], b: [u8] }`, is the validator for `Outer` allowed to communicate a maximum length for the tail slice located inside of `Inner`? What if `Inner` has a custom validator that returns "valid if the tail slice is truncated to N", but `Outer` has a different return from its custom validator?
- What are the required signature(s) for the custom validators? In theory the derive can support many return types simultaneously, including `bool`, `Result<(), CustomError>`, or `Result<Option<usize>, CustomError>` (to communicate a required length).
- When zerocopy's expectations surrounding validator behavior are violated, should it panic (terrible for embedded), only panic in debug mode (middle ground a la `+` overflow checking), or always reject the input (could miss bugs in validators)?
- Should we ban mutation inside of a validator (either programmatically or as a safety invariant)? See also: "`TryFromBytes::is_bit_valid` should promise not to mutate its referent" #1831
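As an added illustration (not zerocopy's code and not the derive's API), the hand-written Rust below performs, for a hypothetical packet layout, the four kinds of check the issue lists, with the user-written part in the `Result<Option<usize>, E>` validator shape from the open questions so that it can communicate the required tail length. The layout, the `ValidationError` type and the function names are assumptions made for this example.

```rust
use std::convert::TryInto;
/// Failure kinds, following the four kinds of validity listed in the issue (constructed for this example).
#[derive(Debug, PartialEq)]
pub enum ValidationError {
    TooShort,
    InvalidBool(u8),                                   // language-level: bool byte must be 0 or 1
    OutOfOrder { lo: u8, hi: u8 },                     // library-level: invariant `lo < hi`
    LengthMismatch { declared: usize, actual: usize }, // length: `len` field vs. tail slice size
}

/// Validated view of a hypothetical DST `{ flag: bool, lo: u8, hi: u8, len: u8, tail: [u8] }`,
/// only constructed after every check below has passed.
#[derive(Debug)]
pub struct Packet<'a> {
    pub flag: bool,
    pub lo: u8,
    pub hi: u8,
    pub tail: &'a [u8],
}

const HEADER_LEN: usize = 4;

/// The user-written part: a library-level validator in the `Result<Option<usize>, E>`
/// shape, where `Ok(Some(n))` communicates the tail length the header requires.
fn validate_header(h: &[u8; HEADER_LEN]) -> Result<Option<usize>, ValidationError> {
    let (lo, hi) = (h[1], h[2]);
    if lo >= hi { return Err(ValidationError::OutOfOrder { lo, hi }); }
    Ok(Some(h[3] as usize))
}

/// What a derive with a custom validator would have to do for this layout.
pub fn try_from_bytes(bytes: &[u8]) -> Result<Packet<'_>, ValidationError> {
    if bytes.len() < HEADER_LEN { return Err(ValidationError::TooShort); }
    let (head, tail) = bytes.split_at(HEADER_LEN);
    let head: &[u8; HEADER_LEN] = head.try_into().expect("split_at yields HEADER_LEN bytes");
    // 1. Language-level validity: check the bool's bit pattern before treating it as a bool.
    let flag = match head[0] {
        0 => false,
        1 => true,
        b => return Err(ValidationError::InvalidBool(b)),
    };
    // 2./3. Library-level validity of the header fields, via the custom validator.
    let required = validate_header(head)?;
    // 4. Length validity: a declared length that disagrees with the actual tail is rejected.
    if let Some(n) = required.filter(|&n| n != tail.len()) {
        return Err(ValidationError::LengthMismatch { declared: n, actual: tail.len() });
    }
    Ok(Packet { flag, lo: head[1], hi: head[2], tail })
}
```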