Pass a slice instead; a function that accepts a raw pointer should arguably be declared as unsafe.
But since it is now much easier to forget vmstate_fields!, validate the value (at least to some extent) before passing it to C. (Unfortunately, doing the same for subsections would require const ptr::is_null(), which is only stable in Rust 1.84). Suggested-by: Zhao Liu <[email protected]> Signed-off-by: Paolo Bonzini <[email protected]> --- rust/migration/src/vmstate.rs | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/rust/migration/src/vmstate.rs b/rust/migration/src/vmstate.rs index e04b19b3c9f..319d353c311 100644 --- a/rust/migration/src/vmstate.rs +++ b/rust/migration/src/vmstate.rs @@ -424,7 +424,7 @@ macro_rules! vmstate_fields { ..::common::zeroable::Zeroable::ZERO } ]; - _FIELDS.as_ptr() + _FIELDS }} } @@ -676,8 +676,11 @@ pub const fn unplug_pending<F: for<'a> FnCall<(&'a T,), bool>>(mut self, _f: &F) } #[must_use] - pub const fn fields(mut self, fields: *const VMStateField) -> Self { - self.0.fields = fields; + pub const fn fields(mut self, fields: &'static [VMStateField]) -> Self { + if fields[fields.len() - 1].flags.0 != VMStateFlags::VMS_END.0 { + panic!("fields are not terminated, use vmstate_fields!"); + } + self.0.fields = fields.as_ptr(); self } -- 2.51.0
