-
Notifications
You must be signed in to change notification settings - Fork 12.9k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improper_ctypes lint should check types referenced in C ABI function definitions #19834
Comments
To clarify: foreign functions ( |
It now checks extern fns in addition to foreign fns and checks `DefStruct` defs as well. There is room for improvement: for example, I believe that pointers should be safe in extern fn signatures regardless of the pointee's representation. The `FIXME` on `rust_begin_unwind_fmt` is because I don't think it should be, or needs to be, C ABI (cc @eddyb) and it takes a problematic `fmt::Arguments` structure by value. Fix rust-lang#20098, fix rust-lang#19834
This is still an issue. It just came up in a Stack Overflow question, with something roughly equivalent to this: #[no_mangle]
pub extern fn print(s: String) {
println!("{}", s);
} This produces no warnings. For context, the user was trying to bind to this function from C#, which went about as well as you'd expect. |
Its even worse here - this is an |
@arielb1 https://github.com/rust-lang/rust/blob/master/src/doc/trpl/ffi.md#calling-rust-code-from-c seems to imply that a Edit: and the reference seems to agree: https://github.com/rust-lang/rust/blob/master/src/doc/reference.md#extern-functions |
Continues to be a problem for people new to FFI: #[no_mangle]
pub extern "C" fn hello(cs: CString) -> CString {
// ...
} The OP states:
If this generated a warning, there's more of a chance people might not do this. |
Should we start some kind of RFC for this? /cc @nagisa from comment |
See also #36464. A comment in that issue explains why |
What's the use case for that example? If it is a niche case, I think the cost of adding a |
Lints in rustc shouldn’t have any false positives even in niche cases. Clippy has all the false positives you might want. |
I'm a firm believer that the lint should fire in this case. That niche usage does not mean we should let this massive footgun go by without any warning at all. In fact, if you so believe in that niche usage, find some examples in real crates that do that using non-repr(C) types. |
Would it be more acceptable for the lint to only apply to |
@rkruppe In my opinion function pointers passed to C are much more common than Rust code calling other Rust functions that happen to use the C calling convention. |
I agree. But Of course, if that objection is overruled, that would be great as well, but if not, let's try to at least catch some cases. |
I agree with the spirit of this statement, but not the absolute degree. Lints that are built into Discussing with @nagisa, I think that our understanding of the role of lints has changed a little bit in the last 2+ years:
I'd like to propose that we take the following course of action:
Then, bikesheddable steps:
|
I've never done a lint before, but I might be able to try and do this one, if someone had any mentoring steps to provide. (or if you just do it, that's cool too!) |
@shepmaster: You'll want to implement the
|
@shepmaster: have you had a chance to try implementing this yet? |
I have not... it's just been sitting in a tab, waiting, lonely. If someone wants to steal it, please feel free! |
@varkor @shepmaster I had a go at implementing the instructions in issue-19834-improper-ctypes-in-extern-C-fn, but quickly ran into problems:
The branch doesn't fail any tests at the moment. Do either of you think it's worth continuing with this and opening a PR? |
Neither of these problems is a showstopper in my opinion, please continue and open a PR. Also, I have comments about both of the issues you identified and how you addressed them but it would probably best to discuss that on the PR. |
…n-C-fn, r=rkruppe improper_ctypes: `extern "C"` fns cc #19834. Fixes #65867. This pull request implements the change [described in this comment](#19834 (comment)). cc @rkruppe @varkor @shepmaster
…n-C-fn, r=rkruppe improper_ctypes: `extern "C"` fns cc #19834. Fixes #65867. This pull request implements the change [described in this comment](#19834 (comment)). cc @rkruppe @varkor @shepmaster
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
Closing, |
For example, this compiles with no warnings or errors:
Even though
Blah
lacks the#[repr(C)]
attribute.The text was updated successfully, but these errors were encountered: