rust: migration: do not pass raw pointer to VMStateDescription::fields

Pass a slice instead; a function that accepts a raw pointer should arguably be declared as unsafe. But since it is now much easier to forget vmstate_fields!, validate the value (at least to some extent) before passing it to C. (Unfortunately, doing the same for subsections would require const ptr::is_null(), which is only stable in Rust 1.84). Suggested-by: Zhao Liu <zhao1.liu@intel.com> Reviewed-by: Zhao Liu <zhao1.liu@intel.com> Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>
2025-09-25 10:13:29 +02:00 · 2025-09-25 10:13:29 +02:00 · 5c776a7677
commit 5c776a7677
parent 818231bc6d
1 changed files with 6 additions and 3 deletions
--- a/rust/migration/src/vmstate.rs
+++ b/rust/migration/src/vmstate.rs
@ -425,7 +425,7 @@ macro_rules! vmstate_fields {
                ..::common::zeroable::Zeroable::ZERO
            }
        ];
-        _FIELDS.as_ptr()
+        _FIELDS
    }}
 }

@ -677,8 +677,11 @@ impl<T> VMStateDescriptionBuilder<T> {
    }

    #[must_use]
-    pub const fn fields(mut self, fields: *const VMStateField) -> Self {
-        self.0.fields = fields;
+    pub const fn fields(mut self, fields: &'static [VMStateField]) -> Self {
+        if fields[fields.len() - 1].flags.0 != VMStateFlags::VMS_END.0 {
+            panic!("fields are not terminated, use vmstate_fields!");
+        }
+        self.0.fields = fields.as_ptr();
        self
    }