Refactor and simplify object liveness/RTTI checks

Author: Bromeon

godot-codegen/src/generator/classes.rs

@@ -192,12 +192,14 @@ fn make_class(class: &Class, ctx: &mut Context, view: &ApiView) -> GeneratedClas
     let (assoc_memory, assoc_dyn_memory, is_exportable) = make_bounds(class, ctx);
 
     let internal_methods = quote! {
-        fn __checked_id(&self) -> Option<crate::obj::InstanceId> {
-            // SAFETY: only Option due to layout-compatibility with RawGd<T>; it is always Some because stored in Gd<T> which is non-null.
-            let rtti = unsafe { self.rtti.as_ref().unwrap_unchecked() };
-            #[cfg(safeguards_strict)]
-            rtti.check_type::<Self>();
-            Some(rtti.instance_id())
+        /// Creates a validated object for FFI boundary crossing.
+        ///
+        /// Low-level internal method. Validation (liveness/type checks) depend on safeguard level.
+        fn __validated_obj(&self) -> crate::obj::ValidatedObject {
+            // SAFETY: Self has the same layout as RawGd<Self> (object_ptr + rtti fields in same order).
+            let raw_gd = unsafe { std::mem::transmute::<&Self, &crate::obj::RawGd<Self>>(self) };
+
+            raw_gd.validated_object()
         }
 
         #[doc(hidden)]
@@ -580,10 +582,10 @@ fn make_class_method_definition(
 
     let table_index = ctx.get_table_index(&MethodTableKey::from_class(class, method));
 
-    let maybe_instance_id = if method.qualifier() == FnQualifier::Static {
+    let validated_obj = if method.qualifier() == FnQualifier::Static {
         quote! { None }
     } else {
-        quote! { self.__checked_id() }
+        quote! { Some(self.__validated_obj()) }
     };
 
     let fptr_access = if cfg!(feature = "codegen-lazy-fptrs") {
@@ -599,16 +601,14 @@ fn make_class_method_definition(
         quote! { fptr_by_index(#table_index) }
     };
 
-    let object_ptr = &receiver.ffi_arg;
     let ptrcall_invocation = quote! {
         let method_bind = sys::#get_method_table().#fptr_access;
 
         Signature::<CallParams, CallRet>::out_class_ptrcall(
             method_bind,
             #rust_class_name,
             #rust_method_name,
-            #object_ptr,
-            #maybe_instance_id,
+            #validated_obj,
             args,
         )
     };
@@ -620,8 +620,7 @@ fn make_class_method_definition(
             method_bind,
             #rust_class_name,
             #rust_method_name,
-            #object_ptr,
-            #maybe_instance_id,
+            #validated_obj,
             args,
             varargs
         )

godot-core/src/classes/class_runtime.rs

@@ -10,10 +10,13 @@
 use crate::builtin::{GString, StringName, Variant, VariantType};
 #[cfg(safeguards_strict)]
 use crate::classes::{ClassDb, Object};
+#[cfg(safeguards_balanced)]
 use crate::meta::CallContext;
 #[cfg(safeguards_strict)]
 use crate::meta::ClassId;
-use crate::obj::{bounds, Bounds, Gd, GodotClass, InstanceId, RawGd, Singleton};
+#[cfg(safeguards_strict)]
+use crate::obj::Singleton;
+use crate::obj::{bounds, Bounds, Gd, GodotClass, InstanceId, RawGd};
 use crate::sys;
 
 pub(crate) fn debug_string<T: GodotClass>(
@@ -191,6 +194,12 @@ where
     Gd::<T>::from_obj_sys(object_ptr)
 }
 
+/// Checks that the object with the given instance ID is still alive and that the pointer is valid.
+///
+/// This does **not** perform type checking — use `ensure_object_type()` for that.
+///
+/// # Panics (balanced+strict safeguards)
+/// If the object has been freed or the instance ID points to a different object.
 #[cfg(safeguards_balanced)]
 pub(crate) fn ensure_object_alive(
     instance_id: InstanceId,

godot-core/src/meta/signature.rs

@@ -17,7 +17,7 @@ use crate::meta::{
     FromGodot, GodotConvert, GodotType, InParamTuple, MethodParamOrReturnInfo, OutParamTuple,
     ParamTuple, ToGodot,
 };
-use crate::obj::{GodotClass, InstanceId};
+use crate::obj::{GodotClass, ValidatedObject};
 
 pub(super) type CallResult<R> = Result<R, CallError>;
 
@@ -62,7 +62,6 @@ where
     /// Receive a varcall from Godot, and return the value in `ret` as a variant pointer.
     ///
     /// # Safety
-    ///
     /// A call to this function must be caused by Godot making a varcall with parameters `Params` and return type `Ret`.
     #[inline]
     pub unsafe fn in_varcall(
@@ -126,30 +125,20 @@ impl<Params: OutParamTuple, Ret: FromGodot> Signature<Params, Ret> {
     /// Make a varcall to the Godot engine for a class method.
     ///
     /// # Safety
-    ///
-    /// - `object_ptr` must be a live instance of a class with the type expected by `method_bind`
     /// - `method_bind` must expect explicit args `args`, varargs `varargs`, and return a value of type `Ret`
     #[inline]
     pub unsafe fn out_class_varcall(
         method_bind: sys::ClassMethodBind,
         // Separate parameters to reduce tokens in generated class API.
         class_name: &'static str,
         method_name: &'static str,
-        object_ptr: sys::GDExtensionObjectPtr,
-        maybe_instance_id: Option<InstanceId>, // if not static
+        validated_obj: Option<ValidatedObject>,
         args: Params,
         varargs: &[Variant],
     ) -> CallResult<Ret> {
         let call_ctx = CallContext::outbound(class_name, method_name);
         //$crate::out!("out_class_varcall: {call_ctx}");
 
-        // Note: varcalls are not safe from failing, if they happen through an object pointer -> validity check necessary.
-        // paranoid since we already check the validity in check_rtti, this is unlikely to happen.
-        #[cfg(safeguards_strict)]
-        if let Some(instance_id) = maybe_instance_id {
-            crate::classes::ensure_object_alive(instance_id, object_ptr, &call_ctx);
-        }
-
         let class_fn = sys::interface_fn!(object_method_bind_call);
 
         let variant = args.with_variants(|explicit_args| {
@@ -162,7 +151,7 @@ impl<Params: OutParamTuple, Ret: FromGodot> Signature<Params, Ret> {
                     let mut err = sys::default_call_error();
                     class_fn(
                         method_bind.0,
-                        object_ptr,
+                        ValidatedObject::object_ptr(validated_obj.as_ref()),
                         variant_ptrs.as_ptr(),
                         variant_ptrs.len() as i64,
                         return_ptr,
@@ -290,35 +279,26 @@ impl<Params: OutParamTuple, Ret: FromGodot> Signature<Params, Ret> {
     /// Make a ptrcall to the Godot engine for a class method.
     ///
     /// # Safety
-    ///
-    /// - `object_ptr` must be a live instance of a class with the type expected by `method_bind`
     /// - `method_bind` must expect explicit args `args`, and return a value of type `Ret`
     #[inline]
     pub unsafe fn out_class_ptrcall(
         method_bind: sys::ClassMethodBind,
         // Separate parameters to reduce tokens in generated class API.
         class_name: &'static str,
         method_name: &'static str,
-        object_ptr: sys::GDExtensionObjectPtr,
-        maybe_instance_id: Option<InstanceId>, // if not static
+        validated_obj: Option<ValidatedObject>,
         args: Params,
     ) -> Ret {
         let call_ctx = CallContext::outbound(class_name, method_name);
         // $crate::out!("out_class_ptrcall: {call_ctx}");
 
-        // paranoid since we already check the validity in check_rtti, this is unlikely to happen.
-        #[cfg(safeguards_strict)]
-        if let Some(instance_id) = maybe_instance_id {
-            crate::classes::ensure_object_alive(instance_id, object_ptr, &call_ctx);
-        }
-
         let class_fn = sys::interface_fn!(object_method_bind_ptrcall);
 
         unsafe {
             Self::raw_ptrcall(args, &call_ctx, |explicit_args, return_ptr| {
                 class_fn(
                     method_bind.0,
-                    object_ptr,
+                    ValidatedObject::object_ptr(validated_obj.as_ref()),
                     explicit_args.as_ptr(),
                     return_ptr,
                 );

godot-core/src/obj/raw_gd.rs

@@ -381,34 +381,61 @@ impl<T: GodotClass> RawGd<T> {
         }
     }
 
-    /// Verify that the object is non-null and alive. In paranoid mode, additionally verify that it is of type `T` or derived.
+    /// Validates object for use in `RawGd`/`Gd` methods (not FFI boundary calls).
+    ///
+    /// This is used for Rust-side object operations like `bind()`, `clone()`, `ffi_cast()`, etc.
+    /// For FFI boundary calls (generated engine methods), validation happens in signature.rs instead.
+    ///
+    /// # Panics
+    /// If validation fails.
+    #[cfg(safeguards_balanced)]
     pub(crate) fn check_rtti(&self, method_name: &'static str) {
-        #[cfg(safeguards_balanced)]
-        {
-            let call_ctx = CallContext::gd::<T>(method_name);
-            #[cfg(safeguards_strict)]
-            self.check_dynamic_type(&call_ctx);
-            let instance_id = unsafe { self.instance_id_unchecked().unwrap_unchecked() };
+        let call_ctx = CallContext::gd::<T>(method_name);
 
-            classes::ensure_object_alive(instance_id, self.obj_sys(), &call_ctx);
-        }
+        // Type check (strict only).
+        #[cfg(safeguards_strict)]
+        self.check_dynamic_type(&call_ctx);
+
+        // SAFETY: check_rtti() is only called for non-null pointers.
+        let instance_id = unsafe { self.instance_id_unchecked().unwrap_unchecked() };
+
+        // Liveness check (balanced + strict).
+        classes::ensure_object_alive(instance_id, self.obj_sys(), &call_ctx);
     }
 
-    /// Checks only type, not alive-ness. Used in Gd<T> in case of `free()`.
+    #[cfg(not(safeguards_balanced))]
+    pub(crate) fn check_rtti(&self, _method_name: &'static str) {
+        // Disengaged level: no-op.
+    }
+
+    /// Checks only type, not liveness.
+    ///
+    /// Used in specific scenarios like `Gd<T>::free()` where we need type validation
+    /// but the object may already be dead. This is an internal helper for `check_rtti()`.
     #[cfg(safeguards_strict)]
+    #[inline]
     pub(crate) fn check_dynamic_type(&self, call_ctx: &CallContext<'static>) {
-        debug_assert!(
+        assert!(
             !self.is_null(),
-            "{call_ctx}: cannot call method on null object",
+            "internal bug: {call_ctx}: cannot call method on null object",
         );
 
         let rtti = self.cached_rtti.as_ref();
 
-        // SAFETY: code surrounding RawGd<T> ensures that `self` is non-null; above is just a sanity check against internal bugs.
+        // SAFETY: RawGd non-null (checked above).
         let rtti = unsafe { rtti.unwrap_unchecked() };
         rtti.check_type::<T>();
     }
 
+    /// Creates a validated object for FFI boundary crossing.
+    ///
+    /// This is a convenience wrapper around [`ValidatedObject::validate()`].
+    #[doc(hidden)]
+    #[inline]
+    pub fn validated_object(&self) -> ValidatedObject {
+        ValidatedObject::validate(self)
+    }
+
     // Not pub(super) because used by godot::meta::args::ObjectArg.
     pub(crate) fn obj_sys(&self) -> sys::GDExtensionObjectPtr {
         self.obj as sys::GDExtensionObjectPtr
@@ -428,7 +455,7 @@ where
 {
     /// Hands out a guard for a shared borrow, through which the user instance can be read.
     ///
-    /// See [`crate::obj::Gd::bind()`] for a more in depth explanation.
+    /// See [`Gd::bind()`] for a more in depth explanation.
     // Note: possible names: write/read, hold/hold_mut, r/w, r/rw, ...
     pub(crate) fn bind(&self) -> GdRef<'_, T> {
         self.check_rtti("bind");
@@ -437,7 +464,7 @@ where
 
     /// Hands out a guard for an exclusive borrow, through which the user instance can be read and written.
     ///
-    /// See [`crate::obj::Gd::bind_mut()`] for a more in depth explanation.
+    /// See [`Gd::bind_mut()`] for a more in depth explanation.
     pub(crate) fn bind_mut(&mut self) -> GdMut<'_, T> {
         self.check_rtti("bind_mut");
         GdMut::from_guard(self.storage().unwrap().get_mut())
@@ -758,6 +785,44 @@ impl<T: GodotClass> fmt::Debug for RawGd<T> {
     }
 }
 
+// ----------------------------------------------------------------------------------------------------------------------------------------------
+// Type-state for already-validated objects before an engine API call
+
+/// Type-state object pointers that have been validated for engine API calls.
+///
+/// Can be passed to [`Signature`](meta::signature::Signature) methods. Performs the following checks depending on safeguard level:
+/// - `disengaged`: no validation.
+/// - `balanced`: liveness check only.
+/// - `strict`: liveness + type inheritance check.
+#[doc(hidden)]
+pub struct ValidatedObject {
+    object_ptr: sys::GDExtensionObjectPtr,
+}
+
+impl ValidatedObject {
+    /// Validates a `RawGd<T>` according to the type's invariants (depending on safeguard level).
+    ///
+    /// # Panics
+    /// If validation fails.
+    #[doc(hidden)]
+    #[inline]
+    pub fn validate<T: GodotClass>(raw_gd: &RawGd<T>) -> Self {
+        raw_gd.check_rtti("validated_object");
+
+        Self {
+            object_ptr: raw_gd.obj_sys(),
+        }
+    }
+
+    /// Extracts the object pointer from an `Option<ValidatedObject>`.
+    ///
+    /// Returns null pointer for `None` (static methods), or the validated pointer for `Some`.
+    #[inline]
+    pub fn object_ptr(opt: Option<&Self>) -> sys::GDExtensionObjectPtr {
+        opt.map(|v| v.object_ptr).unwrap_or(ptr::null_mut())
+    }
+}
+
 // ----------------------------------------------------------------------------------------------------------------------------------------------
 // Reusable functions, also shared with Gd, Variant, ObjectArg.
 

godot-core/src/obj/rtti.rs

@@ -41,10 +41,15 @@ impl ObjectRtti {
         }
     }
 
-    /// Checks that the object is of type `T` or derived.
+    /// Validates that the object's stored type matches or inherits from `T`.
     ///
-    /// # Panics
-    /// In paranoid mode, if the object is not of type `T` or derived.
+    /// Used internally by `RawGd::check_rtti()` for type validation in strict mode.
+    ///
+    /// Only checks the cached type from RTTI construction time.
+    /// This may not reflect runtime type changes (which shouldn't happen).
+    ///
+    /// # Panics (strict safeguards)
+    /// If the stored type does not inherit from `T`.
     #[cfg(safeguards_strict)]
     #[inline]
     pub fn check_type<T: GodotClass>(&self) {
@@ -53,6 +58,7 @@ impl ObjectRtti {
 
     #[inline]
     pub fn instance_id(&self) -> InstanceId {
+        // Do not add logic or validations here, this is passed in every FFI call.
         self.instance_id
     }
 }