-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
improper_ctypes: extern "C"
fns
#65134
improper_ctypes: extern "C"
fns
#65134
Conversation
r? @cramertj (rust_highfive has picked a reviewer for you, use r? to override) |
This comment has been minimized.
This comment has been minimized.
6bc5976
to
c5f18a7
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Inline comments/questions about some of the allow
s. The number of in-tree false positives, especially due to generics, is a bit concerning but seems surmountable. I can think of a few ways to address it, in increasing order of complexity and pay-off:
- First of all, if possible, don't bail out on lifetime parameters. I've not given the code a careful reading w.r.t. this but it seems easier to not crash on those, and it would eliminate some false positives.
- Consider not trying to lint (type- and const-)generic functions. As they can't be
no_mangle
anyway, the only way they'll leak to C is if they get passed as function pointer, and we do check the types occurring in function pointers. (There could still be casts, e.g. tovoid *
.) - Check generic functions at monomorphization time. Errors at mono-time are a no-no but warnings should be fine. The downside is that legitimate warnings may be displayed too late and to the wrong people, but OTOH this is better than many false negatives and would increase precision.
r? @varkor |
Thanks for your comments @rkruppe, I’ll have time to revisit this later in the week and address them then. |
Ping from triage |
@JohnCSimon This is still a draft PR. I’ve not had time to address the comments yet. |
c5f18a7
to
4788b84
Compare
I've updated the PR so that the improper ctypes lint does not trigger for generic |
Are generic functions ignored, or just their type parameters considered FFI-safe for the purposes of the analysis? |
I skip functions with generics entirely. rust/src/librustc_lint/types.rs Lines 955 to 957 in 8318ef2
I suppose I could bail out early for type parameters before that call though.. |
That call shouldn't ICE if you use a valid |
3558367
to
8b2d8e1
Compare
Thanks, @eddyb. I've updated the PR so that type parameters are considered FFI-safe and the rest of the function will continue to be linted. See the test snippet shown below: |
8b2d8e1
to
d0e440d
Compare
…n-C-fn, r=rkruppe improper_ctypes: `extern "C"` fns cc #19834. Fixes #65867. This pull request implements the change [described in this comment](#19834 (comment)). cc @rkruppe @varkor @shepmaster
☀️ Test successful - checks-azure |
rustup improper_ctypes: `extern "C"` fns cc rust-lang/rust#65134 changelog: none
This is actually a false positive, as the structs are only exposed to FFI as pointers, so they are effectively opaque from the non-Rust perspective The warning also showed up in nightly after the following PR was merged: rust-lang/rust#65134
This is actually a false positive, as the structs are only exposed to FFI as pointers, so they are effectively opaque from the non-Rust perspective The warning showed up in nightly after the following PR was merged: rust-lang/rust#65134
This is actually a false positive, as the structs are only exposed to FFI as pointers, so they are effectively opaque from the non-Rust perspective The warning showed up in nightly after the following PR was merged: rust-lang/rust#65134
I'm now getting a warning on extern "C" fn _f(_a: *mut *mut std::sync::Mutex<()>) {} Since the argument is just a thin raw pointer, I don't think the compiler should generate a warning here. |
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
…es-declarations, r=lcnr,varkor `improper_ctypes_definitions` lint Addresses rust-lang#19834, rust-lang#66220, and rust-lang#66373. This PR takes another attempt at rust-lang#65134 (reverted in rust-lang#66378). Instead of modifying the existing `improper_ctypes` lint to consider `extern "C" fn` definitions in addition to `extern "C" {}` declarations, this PR adds a new lint - `improper_ctypes_definitions` - which only applies to `extern "C" fn` definitions. In addition, the `improper_ctype_definitions` lint differs from `improper_ctypes` by considering `*T` and `&T` (where `T: Sized`) FFI-safe (addressing rust-lang#66220). There wasn't a clear consensus in rust-lang#66220 (where the issues with rust-lang#65134 were primarily discussed) on the approach to take, but there has [been some discussion in Zulip](https://rust-lang.zulipchat.com/#narrow/stream/131828-t-compiler/topic/.2366220.20improper_ctypes.20definitions.20vs.20declarations/near/198903086). I fully expect that we'll want to iterate on this before landing. cc @varkor + @shepmaster (from rust-lang#19834) @hanna-kruppe (active in discussing rust-lang#66220), @SimonSapin (rust-lang#65134 caused problems for Servo, want to make sure that this PR doesn't)
cc #19834. Fixes #65867.
This pull request implements the change described in this comment.
cc @rkruppe @varkor @shepmaster