passing empty wayland raw window handle segfaults in safe code

[m4b]

Using wgpu 0.3.0,

let handle = raw_window_handle::RawWindowHandle::Wayland(raw_window_handle::unix::WaylandHandle::empty());
let surface = _instance.create_surface(handle);

This will cause a segfault in safe code.

[grovesNL]

Right, we should be null checking here if anyone would like to take a look at improving this.

[kvark]

I don't know if we can even truly address this. Users can always provide garbage pointers in RawWindowHandle. It looks like the only true way to solve this is to turn create_surface() to be unsafe.

[HeroesGrave]

As per the HasRawWindowHandle docs:

It is entirely valid behavior for fields within each platform-specific RawWindowHandle variant to be null or 0, and appropriate checking should be done before the handle is used. However, users can safely assume that non-null/0 fields are valid handles, and it is up to the implementor of this trait to ensure that condition is upheld.

It should be enough to just check for null/0.

[Lokathor]

create_surface can remain safe if it just checks for null and then panics. It's obviously not ideal, but it's always legal for safe code to panic.

[pythonesque]

We also came to the same conclusion (this interface can be made safe as long as we check for 0/null on all the fields we need, in a platform-dependent way). I think it would be best to do this check directly in gfx-rs since we know exactly which handles we need at any given time. So I might take a stab at this (it would also be much better if this returns a Result rather than panicking; we ran into issues with gfx-rs panicking on "obvious" errors that we couldn't easily catch at runtime, and I think almost anyone would trade having to handle a Result for safety).

[kvark]

Closing in favor of #674