Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Review safety in low-level code #5

Closed
8 tasks done
Bromeon opened this issue Oct 3, 2022 · 2 comments
Closed
8 tasks done

Review safety in low-level code #5

Bromeon opened this issue Oct 3, 2022 · 2 comments
Labels
bug c: ffi Low-level components and interaction with GDExtension API ub Undefined behavior

Comments

@Bromeon
Copy link
Member

Bromeon commented Oct 3, 2022
edited
Loading

The current low-level implementation has some rough edges, such as unnecessary unsafe or possible UB. This issue tracks several code locations, in which robustness could be improved. A lot of those are marked with TODO or FIXME in code.

Soundness:

  • Global access to everything uses static mut
  • Global string registry (returning *const i8) hands out &mut at will
    • This was removed a long time ago, as I found out we don't need to retain the memory on our side.
  • as_storage() not only hands out &mut, but also leaves them unbounded

Test coverage:

  • Ptrcalls and pointer conversions
  • Varcalls and variant conversions
  • Reference-counter increments and decrements across several types
  • Deref and cast between smart pointers/references to Godot objects
  • Memory leak checks (mem::forget, missing dec_ref, etc.)
@Bromeon Bromeon added bug c: ffi Low-level components and interaction with GDExtension API labels Oct 3, 2022
@Bromeon Bromeon mentioned this issue Oct 12, 2022
Merged
@Bromeon Bromeon mentioned this issue Jan 25, 2023
Merged
bors bot added a commit that referenced this issue Feb 1, 2023
@bors @RealAstolfo
Merge #69
3182bd4 
69: PR #5/5 Astolfo feature/example-update r=Bromeon a=RealAstolfo

Changed the example to fit the newer rust api

Co-Authored-By: Thomas ten Cate <ttencate@gmail.com>

Co-authored-by: RealAstolfo <astolfo.gman@gmail.com>
Hapenia-Lans pushed a commit to Hapenia-Lans/gdextension that referenced this issue May 26, 2023
@Bromeon @Hapenia-Lans
# This is a combination of 20 commits.
2c41abc 
# This is the 1st commit message:

Parse gdextension_interface.h declarations using regex

# This is the commit message #2:

AsUninit trait to convert FFI pointers to their uninitialized versions

# This is the commit message godot-rust#3:

GodotFfi::from_sys_init() now uses uninitialized pointer types

# This is the commit message godot-rust#4:

Introduce GDExtensionUninitialized*Ptr, without changing semantics

# This is the commit message godot-rust#5:

Adjust init code to new get_proc_address mechanism

# This is the commit message godot-rust#6:

Make `trace` feature available in godot-ffi, fix interface access before initialization

# This is the commit message godot-rust#7:

Compatibility layer between Godot 4.0 and 4.1 (different GDExtension APIs)

# This is the commit message godot-rust#8:

Add GdextBuild to access build/runtime metadata

# This is the commit message godot-rust#9:

Detect 4.0 <-> 4.1 mismatches in both directions + missing `compatibility_minimum = 4.1`

# This is the commit message godot-rust#10:

Detect legacy/modern version of C header (also without `custom-godot` feature)

# This is the commit message godot-rust#11:

CI: add jobs that use patched 4.0.x versions

# This is the commit message godot-rust#12:

Remove several memory leaks by constructing into uninitialized pointers

# This is the commit message godot-rust#13:

CI: memcheck jobs for both 4.0.3 and nightly

# This is the commit message godot-rust#14:

Remove ToVariant, FromVariant, and VariantMetadata impls for pointers

This commit splits SignatureTuple into two separate traits:
PtrcallSignatureTuple and VarcallSignatureTuple. The latter is a child
of the former. PtrcallSignatureTuple is used for ptrcall and only
demands GodotFuncMarshall of its arguments. VarcallSignatureTuple is
used for varcall and additionally demands ToVariant, FromVariant, and
VariantMetadata of its arguments, so pointers cannot benefit from the
optimizations provided by varcall over ptrcall.

# This is the commit message godot-rust#15:

Adds FromVariant and ToVariant proc macros

# This is the commit message godot-rust#16:

godot-core: builtin: reimplement Plane functions/methods

# This is the commit message godot-rust#17:

impl GodotFfi for Option<T> when T is pointer sized and nullable godot-rust#240

Additionally FromVariant and ToVariant are also implemented for Option<Gd<T>>
to satisfy all the requirements for ffi and godot_api.

# This is the commit message godot-rust#18:

Fix UB in virtual method calls that take objects
Fix incorrect incrementing of refcount when calling in to godot
Fix refcount not being incremented when we receive a refcounted object in virtual methods

# This is the commit message godot-rust#19:

fix UB caused by preload weirdness

# This is the commit message godot-rust#20:

Implements swizzle and converts from/to tuples
@ogapo ogapo mentioned this issue Dec 1, 2023
Open
@Bromeon
Copy link
Member Author

Bromeon commented Jan 5, 2024

Updated several of the above tasks. Will spend some effort over the coming days to look into the rest and then close the issue.

@Bromeon Bromeon added the ub Undefined behavior label Jan 5, 2024
@Bromeon
Copy link
Member Author

Bromeon commented Feb 9, 2024

With #546 and #581 merged, the last points in the above list should be addressed.

@Bromeon Bromeon closed this as completed Feb 9, 2024
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug c: ffi Low-level components and interaction with GDExtension API ub Undefined behavior
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@Bromeon