See also: #3088
Currently, isValid is only enforced whenever there is a Hermes annotation. Un-annotated functions can violate isValid invariants. Since we don't have unsafe fields, Rust doesn't prevent modifying a field in such a way that violates type-level invariants. In particular, these modifications don't require unsafe, which in turn means they don't require a safety comment, which in turn means they don't require a Hermes annotation.
Once unsafe fields are stabilized, we can just require them. In the meantime, here is a roadmap to closing the isValid soundness gap without unsafe fields:
isValid is not reliably enforced, so users must exercise care
--unsound-is-valid to enable isValid annotations
--unsound-is-valid
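
The gap described above, as an added Rust example that is not part of the original issue and does not use Hermes annotation syntax: a function with no `unsafe` breaks an invariant that an `unsafe` block elsewhere relies on. The type `Prefix`, its methods, and the runtime `is_valid` check are constructed names standing in for a type-level `isValid` invariant.

```rust
/// Constructed type. Its invariant (the analogue of `isValid`) is `len <= buf.len()`.
pub struct Prefix {
    buf: [u8; 8],
    len: usize,
}

impl Prefix {
    pub fn new(bytes: &[u8]) -> Option<Self> {
        if bytes.len() > 8 {
            return None;
        }
        let mut buf = [0u8; 8];
        buf[..bytes.len()].copy_from_slice(bytes);
        Some(Prefix { buf, len: bytes.len() })
    }

    /// Hypothetical runtime stand-in for the type-level invariant.
    pub fn is_valid(&self) -> bool {
        self.len <= self.buf.len()
    }

    /// Contains `unsafe`, so it needs a safety comment that cites the invariant.
    pub fn as_slice(&self) -> &[u8] {
        // SAFETY: in bounds only while `is_valid()` holds.
        unsafe { self.buf.get_unchecked(..self.len) }
    }

    /// No `unsafe` anywhere, so nothing demands a safety comment, yet this
    /// plain field write can break the invariant `as_slice` depends on.
    pub fn grow(&mut self, extra: usize) {
        self.len = self.len.wrapping_add(extra);
    }

    /// Same operation, but the write is rejected when it would break the invariant.
    pub fn grow_checked(&mut self, extra: usize) -> bool {
        match self.len.checked_add(extra) {
            Some(n) if n <= self.buf.len() => { self.len = n; true }
            _ => false,
        }
    }
}

fn main() {
    let mut p = Prefix::new(b"abc").unwrap();
    assert!(p.grow_checked(2) && p.is_valid());
    p.grow(100); // compiles without `unsafe`
    // `as_slice` is deliberately not called here: it would be out of bounds.
    println!("valid after safe grow: {}", p.is_valid());
}
```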