-
Notifications
You must be signed in to change notification settings - Fork 60
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Is Box
FFI-safe?
#157
Comments
The representation of pointers section guarantees that In the example you mentioned, |
@gnzlbg Thank you for your answer. The If manipulating these 2 types interchangeably in FFI is sound, it would be nice to have a clear statement in the docs rather than just a single code example happening to rely on this fact without further explanations. For example, the nomicon FFI section clearly states that I can help and open a doc PR. |
The section of the documentation I meant is here:
For me that's clear. Looking at the implementation of |
Given that |
That sounds like you are meant to explicitly convert between them though. That doesn't necessarily imply they are layout compatible. I think that's still vague enough that it's worth clarifying either in Box's documentation or somewhere in the UCG reference. I guess just adding #[transparent] on it might be enough though, if that happens. |
Right now Layout-wise, it has currently the same layout as a *mut T as long as |
The
So, if the RFC was successfully implemented correctly then you can non-reliably use Box as if it was transparent already. We should of course get it upgraded to be |
@gnzlbg Thank you for linking this other issue. I will open a PR for the |
Closing as rust-lang/rust#62514 was made for the |
FWIW this PR #164 here would guarantee this for many cases, independently of whether |
Hold up. #164 only talks about layout, and while we've been bikeshedding what exactly "layout" is, it isn't currently officially defined to include call ABI and the discussion being written up (#34) definitely happened back when layout including call ABI wasn't even on the table. (This is actually part of a larger worry for me: all this bikeshedding about "layout" could cause immense confusion, and if we ever pull the trigger on redefining it we'll have to audit all uses of the term in existing write-ups.) |
The intent of #164 is to include call ABI, if that gets included as part of layout. I suppose we could be more explicit here.
I think this kind of iteration is inevitable, and some of these terms will get tweaked until the validity discussions conclude. Before preparing an RFC, we need to make sure that the definitions are consistent, and that the text uses them appropriately. |
For clarification, if #164 happens, then that's basically saying "anything not explicitly |
This officializes what was only shown as a code example in [the unsafe code guidelines](https://rust-lang.github.io/unsafe-code-guidelines/layout/function-pointers.html?highlight=box#use) and follows [the discussion](rust-lang/unsafe-code-guidelines#157) in the corresponding repository. It is also related to [the issue](rust-lang#52976) regarding marking `Box<T>` `#[repr(transparent)]`.
@Lokathor I don't know the exact rules for Maybe we would need a |
Yeah if it's just an error check against possible future changes that's important to know. |
Well, right now is the only thing that's guaranteed to give you that layout. If you omit If we were to guarantee #164, you could just rely on it, always. Independently of whether you use In general, this wouldn't matter, because if you can stamp But for |
Also note that even after #164 is merged, it'll be just a proposal not yet approved by the lang team. |
It'll be a proposal that's also already backed by an approved RFC ;3 |
There is no RFC backing this. If anything, the I imagine that, at some point, once "layout" is 100% set in stone, we could come up with a set of APIs that allow users to query the layout properties of a type, and write code to check, e.g., whether two types are layout compatible, and/or how compatible they are. That would allow writing reliable unsafe code, that is safe even if a third-party library decides to silently remove a |
in my comment above, #157 (comment), the quote block
is a direct quote from the RFC. the only thing that 164 would change would be a promotion from "implementation detail" to "actually we're set on this now". |
Indeed, and that change is not backed by any RFC.
We should really resolve the question "what is layout" ASAP and then review our existing documents to make sure we are stating the things we want to state (and probably link to the glossary definition of layout every time we say things like "the layout of X and Y are equal"). |
Clarify `Box<T>` representation and its use in FFI This officializes what was only shown as a code example in [the unsafe code guidelines](https://rust-lang.github.io/unsafe-code-guidelines/layout/function-pointers.html?highlight=box#use) and follows [the discussion](rust-lang/unsafe-code-guidelines#157) in the corresponding repository. It is also related to [the issue](rust-lang#52976) regarding marking `Box<T>` `#[repr(transparent)]`. If the statement this PR adds is incorrect or a more in-depth discussion is warranted, I apologize. Should it be the case, the example in the unsafe code guidelines should be amended and some document should make it clear that it is not sound/supported.
The section about the representation of pointers gives an example of C API using
Box<T>
on the Rust side and mapping it tostruct T*
on the C side.Box<T>
is used both as parameter and return types. If it is sound to useBox<SomethingSized>
across FFI boundaries and handle it asstruct SomethingSized*
orstruct SomethingSized const*
on the C side, wouldn't it be worth adding a short paragraph stating so to complement the example? It's reassuring to have a clear statement about what is or isn't sound.If this is already specified somewhere, I apologize. I couldn't find a definitive answer.
The text was updated successfully, but these errors were encountered: