rust: migration: do not pass raw pointer to VMStateDescription::fields

Pass a slice instead; a function that accepts a raw pointer should
arguably be declared as unsafe.

But since it is now much easier to forget vmstate_fields!, validate the
value (at least to some extent) before passing it to C.  (Unfortunately,
doing the same for subsections would require const ptr::is_null(), which
is only stable in Rust 1.84).

Suggested-by: Zhao Liu <zhao1.liu@intel.com>
Reviewed-by: Zhao Liu <zhao1.liu@intel.com>
Signed-off-by: Paolo Bonzini <pbonzini@redhat.com>

diff --git a/rust/migration/src/vmstate.rs b/rust/migration/src/vmstate.rs
index 5f5708ad39ebf2fbf1b8cd613c44a7f1e5cafa23..2e320262f06386e3e187681509ba717bb4f6bc14 100644 (file)
--- a/rust/migration/src/vmstate.rs
+++ b/rust/migration/src/vmstate.rs
@@ -425,7 +425,7 @@ macro_rules! vmstate_fields {
                 ..::common::zeroable::Zeroable::ZERO
             }
         ];
-        _FIELDS.as_ptr()
+        _FIELDS
     }}
 }
 
@@ -677,8 +677,11 @@ impl<T> VMStateDescriptionBuilder<T> {
     }
 
     #[must_use]
-    pub const fn fields(mut self, fields: *const VMStateField) -> Self {
-        self.0.fields = fields;
+    pub const fn fields(mut self, fields: &'static [VMStateField]) -> Self {
+        if fields[fields.len() - 1].flags.0 != VMStateFlags::VMS_END.0 {
+            panic!("fields are not terminated, use vmstate_fields!");
+        }
+        self.0.fields = fields.as_ptr();
         self
     }