0.2.4 (older version) Thoroughness: High Understanding: High
by yvt on 2021-09-12
These reviews are from Crev, a distributed system for code reviews. To add your review, set up cargo-crev.
The current version of Cryo is 0.3.1.
0.2.3 (older version) Thoroughness: High Understanding: High
by yvt on 2021-09-12
This is a self-review.
While this release fixes a soundness issue, there is another soundness issue
remaining regarding the cryo! macro (fixed in version 0.2.4), hence the
negative rating. Please refer to the latest version's API documentation for
a description of the issue.
Issue: Medium (github.com/yvt/cryo/commit/0f60cd9f5459a6c4c0ceb1923d595ef7e2e127f2)
This release replaces {Cryo, CryoMut}::new with unsafe fns as they
were found to be unsound. This issue is explained in this package's latest
version's API documentation.
Crates in the crates.io registry are tarball snapshots uploaded by crates' publishers. The registry is not using crates' git repositories. There is absolutely no guarantee that the repository URL declared by the crate belongs to the crate, or that the code in the repository is the code inside the published tarball.
To review the actual code of the crate, it's best to use cargo crev open cryo. Alternatively, you can download the tarball of cryo v0.3.1 or view the source online.
This is a self-review.
With two soundness issues fixed, this package should be more solid than ever and devoid of any serious bugs. Nevertheless, I'm giving a neutral rating to provide a warning about any remaining, potentially unsound usage of the now-deprecated cryo!.
Issue: Medium (github.com/yvt/cryo/commit/3cd529a8665063e98961e08b4df25d398d9bd4b5)
This release fixes a soundness issue with the cryo! macro where, when used inside async fn, it allows safe code to circumvent the compile-time lifetime checking, rendering the code vulnerable to a use-after-free bug. A description of this issue can be found in the latest version's API documentation. cryo! is still there but now marked as deprecated to warn users about this issue.