Rust 1.78 Does Not Return c_void Pointer Correctly

[git-blame]

We need to use a C library/API that has an initialization routine that returns a new opaque pointer in a parameter (i.e. func(void** ctx)). To do so, we have an interface similar to this:

 extern {
    fn initialize(ctx: &*mut c_void) -> i32;
}
...
let context = ptr::null_mut();
let result = unsafe { initialize(&context) };
...
// pass context to another C function

This has always worked since at least version 1.64.0. Recently, we started seeing our Windows build failing. Debugging reveals that since 1.78.0, variable context is always 0 and does not receive the pointer value created by the C function.

Further debugging shows the following:

• Fails on both linux and mingw version 1.78.0
• Succeeds with debug compile, fails with --release
• Succeeds if we add a statement that references the variable?! For example,

let result = unsafe { initialize(&context) };
debug!("ptr value is {:?}", context);

Version it worked on

It most recently worked on: 1.77

Version with regression

rustc --version --verbose:

rustc 1.78.0 (9b00956e5 2024-04-29)
binary: rustc
commit-hash: 9b00956e56009bab2aa15d7bff10916599e3d6d6
commit-date: 2024-04-29
host: x86_64-unknown-linux-gnu
release: 1.78.0
LLVM version: 18.1.2

rustc 1.78.0 (9b00956e5 2024-04-29) (Rev1, Built by MSYS2 project)
binary: rustc
commit-hash: 9b00956e56009bab2aa15d7bff10916599e3d6d6
commit-date: 2024-04-29
host: x86_64-pc-windows-gnu
release: 1.78.0
LLVM version: 18.1.4

[git-blame]

Since passing an int* and returning a void* still works, our current fix is to write a wrapper similar to this:

 extern {
     fn initialize_wrapper(result: *mut i32) -> *mut c_void;
}
...
let mut result: i32 = 0;
let context = unsafe { initialize_wrapper(&mut result) };
// check result
...
// pass context to another C function

[ChrisDenton]

extern {
    fn initialize(ctx: &*mut c_void) -> i32;
}

That looks like UB because your passing a shared reference rather than a mutable one. I.e. it should be defined as:

extern {
    fn initialize(ctx: &mut *mut c_void) -> i32;
}

[git-blame]

It's just odd that it worked up to 1.77.0 and also with 1.78.0, there are still some weird conditions where it still works (see description).

[Urgau]

I believe that what you're trying to do is UB, by taking an immutable reference and trying to assign to it you're violating the immutability requirements of that reference.

At least that's what I think is happening when I try to recreate your sample code in pure Rust, playground.

Using a mutable reference should already be a step in the right direction.

extern {
    fn initialize(ctx: &mut *mut c_void) -> i32;
}
// ...
let mut context = ptr::null_mut();
let result = unsafe { initialize(&mut context) };

[Urgau]

It's just odd that it worked up to 1.77.0 and also with 1.78.0, there are still some weird conditions where it still works (see description).

Optimization around aliasing are (if I remember correctly) only done at higher level of optimization.

[git-blame]

Thanks, using the &mut option works. But I'm surprised that the 1.78.0 compiler did not complain about passing immutable reference since it behaves differently than previous versions.

[Noratrieb]

the compiler usually doesn't complain about doing undefined behavior because it doesn't know that you're doing undefined behavior.

[Noratrieb]

here the compiler just assumed that you wouldn't modify it, and it has no way of knowing that you are modifying it. you just have to be careful. i don't think there's a tool that could have helped in this case, but in general, make sure to use tools like address sanitizer to check your unsafe code (and for unsafe code without FFI, Miri).

closing as not a bug