Lib.rs

Review update from 0.9.3 to 0.9.4

• Update edition to 2018
• Rustfmt
• Some minor new functions

Contains several flaws leading to Undefined Behavior in purely safe Rust code. Here are the instances of UB I uncovered:

CFArray::from_copyable can trivially lead to reading uninitialized memory if the T type argument is not pointer sized. This is GH issue #291.

In many places, NULL checks are missing entirely, leading to types assumed to be safe by construction to be created with a NULL pointer, trivially leading to crashes. This is especially the case in almost every allocating types. Tracked at GH issue #361.

CFMutableDictionary has multiple issues allowing one to trivially cause UB by calling add with arbitrary pointers. Furthermore, the CFMutableDictionary constructor calls CFDictionaryCreateMutable with the kCFTypeDictionary*CallBacks, causing issues if non-CFTypes are inserted into the dictionary. This is not, however, ensured at the type level. Tracked at GH issue #362.

TCFType is a safe trait that should be implemented on the safe Core Foundation type wrappers. Many functions assume that a type implementing TCFType is in fact core-foundation managed, despite the trait being safe to implement. This can trivially cause UB simply by calling the default retain_count() on a broken implementation, or by passing a broken implementation to CFArray::from_CFTypes. This is tracked at #364.

Contains large amounts of UB and segfault-prone code. See https://github.com/servo/core-foundation-rs/issues/361 and https://github.com/servo/core-foundation-rs/issues/291.

I've reviewed every source contribution that was neither authored nor reviewed by Mozilla.

Packaged for Guix (crates-apple)

Packaged for Debian (stable). Changelog:

• Team upload.
• Package core-foundation 0.9.1 from crates.io using debcargo 2.5.0
• Bump UUID dependency.