update TODO and some fmt looking changes

Author: nstilt1

zeroize_stack/TODO.md

@@ -30,10 +30,13 @@ Copilot provided that code, but Gemini says that after the future is awaited, th
 
 ## Safe
 
-* Panic when the OS is `hermit` or it is running on `wasm32` or `wasm64`, as their stacks don't behave the same as all of the others.
-
 * Handle unwinds better: currently we return a `Result<R, Box<dyn Any + Send>>`. The error case is a little bit tricky to handle, as dropping the error could cause a panic. The program should either panic, or return the panic payload's message.
 
+* Either:
+  * Panic when the OS is `hermit` or it is running on `wasm32` or `wasm64`, as their stacks don't behave the same as all of the others.
+  * Run the closure without `psm::on_stack` and generate a compiler warning stating that the target's stack layout is not supported with basic stack switching.
+  * Implement different types of `AlignedHeapStack` to cover `wasm32` and `hermit` as performed in the `stacker` crate.
+
 ## Would require a PR to `stacker` to zero the allocated stack on drop
 
 * Use stacker crate to handle stack size management: if I read some of the `stacker` docs correctly, that crate should be able to extend the size of the stack when it is about to overflow. If that is correct, we could use their techniques to allocate a new stack and zeroize the old one whenever our allocated stack is about to overflow, eliminating the primary remaining `# Safety` comment. Note: we may not be able to zeroize the old stack immediately as the stack switching process likely attempts to return to the old stack once execution completes; we might have to wait until execution completes before zeroizing all heap-stacks.

zeroize_stack/src/lib.rs

@@ -84,11 +84,11 @@ pub struct AlignedHeapStack {
 }
 
 impl AlignedHeapStack {
-    /// Creates a new `AlignedHeapStack`. `psm` recommends using at least `4 KB` 
+    /// Creates a new `AlignedHeapStack`. `psm` recommends using at least `4 KB`
     /// of stack space.
-    /// 
+    ///
     /// # Panics
-    /// 
+    ///
     /// This function panics when `size_kb * 1024` overflows `isize`.
     pub fn new(size_kb: usize) -> Self {
         assert!(
@@ -99,7 +99,7 @@ impl AlignedHeapStack {
             locked: false,
             stack: create_aligned_vec(size_kb, align_of::<u128>()),
         };
-        // these may be redundant but I just want to be sure that the alignment doesn't 
+        // these may be redundant but I just want to be sure that the alignment doesn't
         // change somehow
         debug_assert_eq!(result.stack.as_ptr() as usize % align_of::<u128>(), 0);
         debug_assert_eq!(result.stack.len() % align_of::<u128>(), 0);
@@ -133,10 +133,10 @@ psm::psm_stack_manipulation! {
         ///
         /// # Arguments
         ///
-        /// * `aligned_heap_stack` - the heap-based aligned region of memory to 
-        ///   be used as the stack. `psm` recommends at least `4 KB` of stack 
+        /// * `aligned_heap_stack` - the heap-based aligned region of memory to
+        ///   be used as the stack. `psm` recommends at least `4 KB` of stack
         ///   space, but the total size cannot overflow an `isize`. Also,
-        ///   some architectures might consume more memory in the stack, such as 
+        ///   some architectures might consume more memory in the stack, such as
         ///   SPARC.
         /// * `crypto_fn` - the code to run while on the separate stack.
         ///

zeroize_stack/tests/zeroize_stack.rs

@@ -40,7 +40,13 @@ mod stack_sanitization_tests {
     fn non_returning_function_test() {
         let mut heap_stack = AlignedHeapStack::new(4);
         let mut v = 0;
-        unsafe { exec_on_sanitized_stack(&mut heap_stack, AssertUnwindSafe(|| non_returning_function(&mut v)))}.unwrap();
+        unsafe {
+            exec_on_sanitized_stack(
+                &mut heap_stack,
+                AssertUnwindSafe(|| non_returning_function(&mut v)),
+            )
+        }
+        .unwrap();
         assert_eq!(v, 5);
     }
 }