Fully describe safety requirements

Currently we have a wildcard on safety requirements, saying more or less "plus a bunch of other stuff we don't mention". This is not helpful. Attempt to fully describe the safety requirements of creating a context from a raw context (all, signing only, and verification only). Fix: #544
2022-12-08 12:34:33 +11:00 · 2022-12-08 12:34:33 +11:00 · e705bcffb5
parent 92c4923289
commit e705bcffb5
1 changed files with 19 additions and 26 deletions
--- a/src/context.rs
+++ b/src/context.rs
@ -352,15 +352,22 @@ impl<'buf> Secp256k1<AllPreallocated<'buf>> {

    /// Creates a context from a raw context.
    ///
-    /// # Safety
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * Violating these may lead to Undefined Behavior.
+    /// The returned [`core::mem::ManuallyDrop`] context will never deallocate the memory pointed to
+    /// by `raw_ctx` nor destroy the context. This may lead to memory leaks. `ManuallyDrop::drop`
+    /// (or [`core::ptr::drop_in_place`]) will only destroy the context; the caller is required to
+    /// free the memory.
    ///
+    /// # Safety
+    ///
+    /// This is highly unsafe due to a number of conditions that aren't checked, specifically:
+    ///
+    /// * `raw_ctx` must be a valid pointer (live, aligned...) to memory that was initialized by
+    ///   `secp256k1_context_preallocated_create` (either called directly or from this library by
+    ///   one of the context creation methods - all of which call it internally).
+    /// * The version of `libsecp256k1` used to create `raw_ctx` must be **exactly the one linked
+    ///   into this library**.
+    /// * The lifetime of the `raw_ctx` pointer must outlive `'buf`.
+    /// * `raw_ctx` must point to writable memory (cannot be `ffi::secp256k1_context_no_precomp`).
    pub unsafe fn from_raw_all(
        raw_ctx: NonNull<ffi::Context>,
    ) -> ManuallyDrop<Secp256k1<AllPreallocated<'buf>>> {
@ -380,18 +387,11 @@ impl<'buf> Secp256k1<SignOnlyPreallocated<'buf>> {
    #[inline]
    pub fn preallocate_signing_size() -> usize { Self::preallocate_size_gen() }

-    /// Creates a context from a raw context.
+    /// Creates a context from a raw context that can only be used for signing.
    ///
    /// # Safety
    ///
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * This list *is not* exhaustive, and any violation may lead to Undefined Behavior.
-    ///
+    /// Please see [`Secp256k1::from_raw_all`] for full documentation and safety requirements.
    pub unsafe fn from_raw_signing_only(
        raw_ctx: NonNull<ffi::Context>,
    ) -> ManuallyDrop<Secp256k1<SignOnlyPreallocated<'buf>>> {
@ -411,18 +411,11 @@ impl<'buf> Secp256k1<VerifyOnlyPreallocated<'buf>> {
    #[inline]
    pub fn preallocate_verification_size() -> usize { Self::preallocate_size_gen() }

-    /// Creates a context from a raw context.
+    /// Creates a context from a raw context that can only be used for verification.
    ///
    /// # Safety
    ///
-    /// This is highly unsafe, due to the number of conditions that aren't checked.
-    /// * `raw_ctx` needs to be a valid Secp256k1 context pointer.
-    /// that was generated by *exactly* the same code/version of the libsecp256k1 used here.
-    /// * The capabilities (All/SignOnly/VerifyOnly) of the context *must* match the flags passed to libsecp256k1
-    /// when generating the context.
-    /// * The user must handle the freeing of the context(using the correct functions) by himself.
-    /// * This list *is not* exhaustive, and any violation may lead to Undefined Behavior.
-    ///
+    /// Please see [`Secp256k1::from_raw_all`] for full documentation and safety requirements.
    pub unsafe fn from_raw_verification_only(
        raw_ctx: NonNull<ffi::Context>,
    ) -> ManuallyDrop<Secp256k1<VerifyOnlyPreallocated<'buf>>> {