Expand description
Hopper-owned borrow guards for account data.
Ref and RefMut are the safe, drop-guarded handles returned by every
Hopper access path: load(), segment_ref(), raw_ref(), and the
mutable variants. The representation is backend-sensitive so the hot
path stays tight:
-
Solana (on-chain).
{ ptr, state_ptr }. Two pointer words, no extra guards, no slice fat-pointer, no ZSTs. Drop decrements or restores the singleborrow_statebyte on theRuntimeAccountdirectly. This matches Pinocchio’s pointer shape while adding the deterministic RAII release that Pinocchio pushes onto the caller. -
non-Solana (host tests, legacy-pinocchio-compat, solana-program).
{ ptr, guard, token, _marker }. Richer because host tests rely on the active backend’s borrow machinery (RefCell, etc.) plus Hopper’s own cross-handle alias registry (BorrowToken). Both are real RAII and must live until the runtime guard drops.
Both reprs expose the same surface: Deref/DerefMut into T,
as_ptr / as_mut_ptr, byte-slice narrowing (slice, slice_from),
and byte-level pointer projection (project). Whoever reads a
generated accessor like ctx.vault_balance_mut() cannot tell which
repr is in use. and on Solana the compiler collapses every hop to
ptr + offset -> cast, exactly the shape the finish-line audit
demanded.