Sebastian Scholz

Or in newer versions, at the time they didn't have that, but in newer versions you have a try variant of all of their functions, which allows to test for certain invariants.

For example, if you want to receive a Boolean, a Boolean can either be 1 or 0, but a byte can be 0 to 255, right?

So you have a bunch more values that normally shouldn't be allowed.

And

These need to be verified.

And that's also one of the critical things.

In C, I saw a bunch of code where you just convert from your bytes into integers.

And then you use those integers somewhere else.

And so it's very easy to mess up

with just not validating your inputs enough.

And especially if you accept input over satellite connection, there's a bunch of bits that can flip.

There's a bunch of stuff that can just go wrong.

And so you really need to be sure to pass it correctly.

And once again, we can use Rust's type system by making the constructors to all of these payload structs private.

and letting it just take bytes and doing all of this validation in this new function, in the constructor, and returning an option of ourself, or a result of ourself.

And so if any of the preconditions, they're just local, they're right next to the struct, so it's easy to verify that all of the preconditions that we need when converting from a byte string are checked for.

And then afterwards, you're sure if you have the struct, its data is validated.

Actually, we have no instances of transmute and it's on the list of things that we really try to avoid.

And so far, we have not come across of a use case that is not covered by zero copy.

So, of course, sometimes we have to convert between different types in Rust and we use S for that.