FFI-proof slice::from_raw_parts
I know there are plenty of failure modes it can't check for, but it could check as much as a diligent-slightly-paranoid programmer can check for, while having an API that is nicer to use than the status quo with the bare-minimum !is_null check.
I don't think of prevention of deliberate attacks as the primary goal. Mainly it's about making regular error checking (that returns Result or Option) more convenient and harder to forget/cut corners on in typical cases, hopefully raising the baseline across the ecosystem. Ability to catch the less common problems like misaligned pointers and -1 lengths that authors usually don't bother to check for is a bonus. And the fact that the checks can also catch a subset of other issues like ABI mismatch or some exploits[1] is a cherry on top.
[1] attackers may not be able to overflow lengths exactly, e.g. when type confusion puts a pointer where a length was expected, or where lengths have upper limits, but the application used max-min without enforcing max>min
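A sketch in Rust of the kind of checked wrapper the post argues for, added here as an example (it is not code from the post or from any std proposal); the function name, the error enum and the choice of a signed `len` are assumptions:

```rust
use std::mem::{align_of, size_of};

/// Reasons a raw (ptr, len) pair is rejected before it becomes a slice.
#[derive(Debug, PartialEq, Eq)]
pub enum RawSliceError {
    NullPointer,
    Misaligned,
    NegativeLength,  // e.g. a C `-1` sentinel that would become a huge usize
    TooLarge,        // total byte size exceeds isize::MAX (a from_raw_parts requirement)
    AddressOverflow, // ptr + len * size_of::<T>() would wrap around the address space
}

/// Checked counterpart of `slice::from_raw_parts` for C-style (ptr, len) pairs (hypothetical API).
///
/// What no check can prove stays the caller's contract: `ptr` must point to `len`
/// initialized `T`s that remain alive and unmodified for `'a`. Everything that can be
/// checked cheaply is checked here, instead of just the usual `!is_null()`.
pub unsafe fn checked_from_raw_parts<'a, T>(ptr: *const T, len: isize) -> Result<&'a [T], RawSliceError> {
    if len < 0 {
        return Err(RawSliceError::NegativeLength);
    }
    let len = len as usize;
    // std requires a non-null, aligned pointer even for a zero-length slice.
    if ptr.is_null() {
        return Err(RawSliceError::NullPointer);
    }
    if (ptr as usize) % align_of::<T>() != 0 {
        return Err(RawSliceError::Misaligned);
    }
    let bytes = len.checked_mul(size_of::<T>()).ok_or(RawSliceError::TooLarge)?;
    if bytes > isize::MAX as usize {
        return Err(RawSliceError::TooLarge);
    }
    (ptr as usize).checked_add(bytes).ok_or(RawSliceError::AddressOverflow)?;
    // SAFETY: every checkable precondition holds; validity of the memory is the caller's promise.
    Ok(unsafe { std::slice::from_raw_parts(ptr, len) })
}

fn main() {
    let data = [10u32, 20, 30, 40];
    let ok = unsafe { checked_from_raw_parts(data.as_ptr(), 4) };
    println!("{:?}", ok); // Ok([10, 20, 30, 40])
    let bad = unsafe { checked_from_raw_parts(data.as_ptr(), -1) };
    println!("{:?}", bad); // Err(NegativeLength)
}
```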