0.2.4 (older version) Thoroughness: High Understanding: High
by yvt on 2021-09-12
These reviews are from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.
The current version of Cryo is 0.3.1.
0.2.3 (older version) Thoroughness: High Understanding: High
by yvt on 2021-09-12
This is a self-review.
While this release fixes a soundness issue, there is another soundness issue remaining regarding the cryo! macro (fixed in version 0.2.4), hence the negative rating. Please refer to the latest version's API documentation for a description of the issue.
Issue: Medium (github.com/yvt/cryo/commit/0f60cd9f5459a6c4c0ceb1923d595ef7e2e127f2)
This release replaces {Cryo, CryoMut}::new with unsafe fns as they were found to be unsound. This issue is explained in this package's latest version's API documentation.
Lib.rs has been able to verify that all files in the crate's tarball are in the crate's repository. Please note that this check is still in beta, and absence of this confirmation does not mean that the files don't match.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories, so there is a possibility that published crates have a misleading repository URL, or contain different code from the code in the repository.
To review the actual code of the crate, it's best to use cargo crev open cryo. Alternatively, you can download the tarball of cryo v0.3.1 or view the source online.
This is a self-review.
After two soundness issues being fixed, this package should be more solid than ever and devoid of any serious bugs. Nevertheless, I'm giving a neutral rating to provide warning about any remaining, potentially unsound usage of the now-deprecated cryo!.
Issue: Medium (github.com/yvt/cryo/commit/3cd529a8665063e98961e08b4df25d398d9bd4b5)
This release fixes a soundness issue with the cryo! macro where, when used inside async fn, it allows safe code to circumvent the compile-time lifetime checking, rendering the code vulnerable to a use-after-free bug. The description about this issue can be found in the latest version's API documentation. cryo! is still there but now marked as deprecated to warn users about this issue.