
Is UB in FFI also UB in Rust? #485

Closed
kpp opened this issue Dec 25, 2018 · 10 comments

Comments

@kpp

kpp commented Dec 25, 2018

Link to ref: https://doc.rust-lang.org/reference/behavior-considered-undefined.html

Warning: The following list is not exhaustive. There is no formal model of Rust's semantics for what is and is not allowed in unsafe code, so there may be more behavior considered unsafe.

My question is:
Does undefined behavior inside an extern FFI function also cause UB in Rust?

There is an item inside of the list of Behavior considered undefined:

  • Invoking undefined behavior via compiler intrinsics:

I consider adding one more item:

  • Invoking undefined behavior via FFI:
@kpp
Author

kpp commented Dec 25, 2018

One more question: would it be UB in C if we:

  1. create a Rust fn:
#[no_mangle]
extern "C" fn add_one(i: i8) -> i8 {
    i + 1
}

2.a. call it in C: add_one(127);

2.b. create a wrapper of Rust's add_one inside C and call it from Rust:

C code:

#include <stdint.h>

int8_t add_one(int8_t); // extern Rust fn

int8_t add_one_wrapper(int8_t i) { return add_one(i); }

Rust code:

extern "C" {
    fn add_one_wrapper(i: i8) -> i8; // extern C fn => Rust fn
}
fn main() {
    unsafe { add_one_wrapper(127i8) };
}

@Centril
Contributor

Centril commented Dec 26, 2018

cc @rkruppe @RalfJung @ubsan

@strega-nil

strega-nil commented Dec 26, 2018

This is one of those things that's currently an area of active research, so nobody has any idea.

@kpp
Author

kpp commented Dec 26, 2018

@ubsan is this the answer to the first or the second question (or both)?

@strega-nil

@kpp the second question - if you have UB in C code that you call, then your program has UB. It's not Rust UB, because that doesn't make a lot of sense.

@RalfJung
Member

Does undefined behavior inside an extern FFI function also cause UB in Rust?

It causes UB in your entire program. The UB originates from the C part, so it's not "UB in Rust", but that doesn't help at all -- if you link together pieces written in different languages with a conventional linker, UB in any component "bleeds" into all the other components.

@kpp
Author

kpp commented Dec 27, 2018

@RalfJung thanks! What about question 2.b from my comment?

@RalfJung
Member

RalfJung commented Dec 27, 2018

@kpp every piece of code is evaluated following the rules of the language it is written in. Integer overflow is not UB in Rust, so it is also not UB in Rust when that code is called from C. (That's what the question is about, right?)

So that whole program does not have UB.
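Added example, not code from the issue or from the Rust project, illustrating the point above: the `add_one` export from kpp's comment, rewritten so that `i8` overflow is handled by Rust's own defined operations (`checked_add`, `wrapping_add`) and no panic can unwind into the C caller. The names `add_one_checked`, `add_one_wrapping` and `AddOneResult` are introduced here; in a real cdylib the exported functions would also carry `#[no_mangle]` as in kpp's snippet.

```rust
// Added example (not from the issue thread). In Rust, `i8` overflow is never
// UB: `i + 1` on 127 panics with debug assertions and wraps in release. What
// a practitioner does want to avoid at an FFI boundary is a panic unwinding
// into C, so overflow is reported through a status field instead.

/// Result of an `add_one_checked` call as seen from C (`#[repr(C)]` gives a
/// layout the C side can declare as a struct with a `_Bool` and an `int8_t`).
#[repr(C)]
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
pub struct AddOneResult {
    pub ok: bool,  // false when the addition overflowed
    pub value: i8, // meaningful only when `ok` is true
}

/// Overflow-aware variant: `checked_add` makes the 127 case an explicit
/// `None`, so the function can never panic and nothing unwinds across the
/// `extern "C"` boundary. (Add `#[no_mangle]` to export the symbol.)
pub extern "C" fn add_one_checked(i: i8) -> AddOneResult {
    match i.checked_add(1) {
        Some(v) => AddOneResult { ok: true, value: v },
        None => AddOneResult { ok: false, value: 0 },
    }
}

/// Wrapping variant: for 127 the result is -128. This is defined behaviour
/// in Rust (two's-complement wrap), regardless of who calls the function.
pub extern "C" fn add_one_wrapping(i: i8) -> i8 {
    i.wrapping_add(1)
}

fn main() {
    println!("{:?}", add_one_checked(127)); // AddOneResult { ok: false, value: 0 }
    println!("{:?}", add_one_checked(41));  // AddOneResult { ok: true, value: 42 }
    println!("{}", add_one_wrapping(127));  // -128
}
```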

@kpp
Author

kpp commented Dec 27, 2018

So that whole program does not have UB.

Awesome! Thanks!

What about the main question:

I consider adding one more item into the list of Behavior considered undefined:

  • Invoking undefined behavior via FFI:

@RalfJung
Member

I don't know if that's helpful. It's not UB in Rust to have UB in C, it's just UB in your program. But FFI should probably appear in that list somewhere.
