Audit Cap'n Proto and drasticly reduce the amount of unsafe code

[DemiMarie]

I would love to use Cap'n Proto, but it is full of unsafe code (~3000 lines).

[Shnatsel]

Are you referring to the runtime library, or the code it generates?

https://crates.io/crates/capnp seems to have ~200 daily downloads. A protobuf implementation such https://crates.io/crates/protobuf or https://crates.io/crates/prost would be a higher-value target with ~3000 daily downloads each.

[tarcieri]

I'd love to see an audit of prost. It should be fairly trivial as it appears to have 6 usages of unsafe

[Shnatsel]

I've opened #68 for prost.

[DemiMarie]

@Shnatsel The runtime library seems to be the biggest risk; layout.rs is ~3000 lines of incredibly unsafe code. Given that it is a direct port of a C++ implementation, this is not particularly surprising. The use of raw pointers may be necessary to circumvent Rust’s aliasing rules, but since these pointers are virtually all to primitive integer types with no invariants, it should be possible to wrap these uses in safe, bounds-checked APIs.

[DemiMarie]

Like protobufs, Cap’n Proto is exposed to untrusted data from the network.