Weird/UB ndk APIs found by removing NIHisms in android-activity #478
Description
android-activity open-codes a lot of ndk-provided API, directly on top of native functions and symbols from ndk-sys. While attempting to remove most of it to simplify and clear up the implementation with safer Rust, I found that the ndk could do some things quite a bit better, even if only by documenting expectations. Perhaps this is why certain things were open-coded in the first place, besides being ported from raw C code.
Since the ndk crate is quite old by now, and has seen a lot of "Just Make it Work™", things like lifetime management and correctness when it comes to safety/UB have not always been kept in mind while writing bindings. Instead of creating a lot of separate issues (or PRs) right now, I am using this issue as a public scratch-pad to keep track of questions and ideas that need to tracked and looked into later.
NativeActivityreturns&Paths from raw pointers: could these ever benull()/None?NativeActivity::asset_manager()has no lifetime: this should be bound to&selfor is it "Application-global"?InputQueuehas no lifetime and noDrop/Clone: document its lifetime guarantees and return borrows where necessary?
Its lifetime is tied to theonInputQueueDestroyedcallback whose docs describe that:You should no longer try to reference this object upon returning from this function.
ForeignLooper(and various other structures, see Unify lifetime handling forNativeWindowandHardwareBuffer#309) cannot be created without lifetime management, i.e. to temporarily borrow/handle the pointer safely while it is valid inside a callback.
For lack ofunsafe fn borrow_from_ptr(NonNull...) -> &'unknown Self(impossible to write in Rust anyway), it seems most convenient to calllet looper = ManuallyDrop::new(ForeignLooper::from_ptr(looper));now.