docs(db): document safety invariants for sqlite-vec transmute
Adds a SAFETY comment explaining why the transmute of sqlite3_vec_init to the sqlite3_auto_extension callback type is sound. The three invariants (stable C-ABI signature, single-call-per-connection contract, idempotency) were previously undocumented, which left the lone unsafe block without justification for future readers.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
@@ -55,6 +55,13 @@ const MIGRATIONS: &[(&str, &str)] = &[
|
|||||||
];
|
];
|
||||||
|
|
||||||
pub fn create_connection(db_path: &Path) -> Result<Connection> {
|
pub fn create_connection(db_path: &Path) -> Result<Connection> {
|
||||||
|
// SAFETY: `sqlite3_vec_init` is an extern "C" function provided by the sqlite-vec
|
||||||
|
// crate with the exact signature expected by `sqlite3_auto_extension`. The transmute
|
||||||
|
// converts the concrete function pointer to the `Option<unsafe extern "C" fn()>` type
|
||||||
|
// that the FFI expects. This is safe because:
|
||||||
|
// 1. The function is a C-ABI init callback with a stable signature.
|
||||||
|
// 2. SQLite calls it once per new connection, matching sqlite-vec's contract.
|
||||||
|
// 3. `sqlite3_auto_extension` is idempotent for the same function pointer.
|
||||||
#[allow(clippy::missing_transmute_annotations)]
|
#[allow(clippy::missing_transmute_annotations)]
|
||||||
unsafe {
|
unsafe {
|
||||||
rusqlite::ffi::sqlite3_auto_extension(Some(std::mem::transmute(
|
rusqlite::ffi::sqlite3_auto_extension(Some(std::mem::transmute(
|
||||||
|
|||||||
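Review bot: The first sentence of the SAFETY comment says `sqlite3_vec_init` has "the exact signature expected by `sqlite3_auto_extension`", which contradicts the need for a transmute described in the next sentence. The cast is required because the parameter is declared as a no-argument `unsafe extern "C" fn()`, while SQLite actually invokes auto-extension entry points with the three-argument extension-init signature (database handle, error-message out-pointer, API-routines pointer). The soundness argument should say that `sqlite3_vec_init` matches that real call signature, not the declared parameter type. The comment also names the transmute target as `Option<unsafe extern "C" fn()>`, but the code wraps the result in `Some(...)`, so the transmute itself produces the bare function pointer. Points 2 and 3 describe registration behaviour (when the callback runs, repeated registration) rather than why the pointer cast is sound, so consider separating them from point 1. Since `#[allow(clippy::missing_transmute_annotations)]` is kept, consider writing the source and target types explicitly on the `transmute` call so the compiler checks both ends and the allow can be dropped.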