Allow raw pointers in extern fn signature

[dtolnay]

See #122 (comment) for the rationale.

mod ffi {
    extern "C" {
        type T;
        unsafe fn f(_: *mut T);
    }
    extern "Rust" {
        unsafe fn g(_: *mut T);
    }
}

The presence of *const or *mut in a function argument should enforce that the function is marked unsafe.

[dtolnay]

Function pointers need to get the same check too. A function pointer type that has a raw pointer argument should be required to be specified as unsafe.

extern "Rust" {
    fn g(callback: unsafe fn(*mut T));
}

[dtolnay]

In contrast to argument position, a pointer in return position should not enforce that the function is unsafe. #283

extern "C++" {
    type socc_examples_fixture;
    type SDIDevicePropInfoDataset;

    fn wait_for_IsEnable(
        self: &mut socc_examples_fixture,
        code: u16,
        expect: u16,
        retry_count: i32,
    ) -> *mut SDIDevicePropInfoDataset;
}

[felipesere]

I am trying to call the following function found in node.h from Node.js

// Set up per-process state needed to run Node.js. This will consume arguments
// from argv, fill exec_argv, and possibly add errors resulting from parsing
// the arguments to `errors`. The return value is a suggested exit code for the
// program; If it is 0, then initializing Node.js succeeded.
NODE_EXTERN int InitializeNodeWithArgs(std::vector<std::string>* argv,
                                       std::vector<std::string>* exec_argv,
                                       std::vector<std::string>* errors);

Given the std::vector<std::string>* ... arguments, I assume this falls into the problemspace for this issue?

Is there a workaround I could try?

My code currently looks like this:

#[cxx::bridge(namespace = "node")]
mod ffi {

    extern "C" {
        include!("node.h");

        fn InitializeNodeWithArgs(
            args: *const CxxVector<CxxString>,
            exec_args: *const CxxVector<CxxString>,
            errors: *const CxxVector<CxxString>,
        ) -> i32;
    }
}

[adetaylor]

This is likely to be the next thing I look into adding. I haven't started yet. If anyone else thinks they'll do something in this area, please let me know so we can avoid duplication.

[adetaylor]

This proved easier than I thought - WIP linked just above.

I need to do some thinking about what happens if a raw pointer is included in some other type, e.g. a CxxVector: either adding some code in check.rs and in UI tests to ensure that's not possible, or make it possible - in which case the logic to check for the presence of unsafe will need to dig deeper in the type.

[Plecra]

Could the extern "Rust" functions be allowed without unsafe? I'd find the requirement confusing when it came up, since the Rust function would need to use unsafe internally to cause any soundness issue. (Of course, many functions would end up being unsafe by nature - I just worry that cxx enforcing it would make it less obvious that the author of the Rust function should document their requirements)