Extern statics can be accessed in safe Rust

[bjorn3]

This code crashes:

#[no_mangle] pub static X: usize = 0;
mod test {
    extern {
        pub static X: &'static u32;
    }
}
fn main() {
     println!("{}", X);
     println!("{}", *test::X);
}

@ubsan wrote this code on irc.
https://botbot.me/mozilla/rust-internals/2016-07-28/?msg=70411962&page=5

[strega-nil]

I believe the solution is to require unsafe when accessing statics that are extern, or that we do unsafe extern when writing an extern block that includes statics.

[Stebalien]

Why do we even allow extern references? Shouldn't this be pub static X: *const u32? Nevermind, it's useful to be able to talk about external values of arbitrary types.

[petrochenkov]

It's pretty horrifying that unsafe isn't required to access foreign statics.
Given that you can write a foreign static with any Rust type with any invariants (improper_ctypes is not a hard rule)

extern "C" {
    static STATIC: Vec<u8>;
}

fn main() {
    println!("{}", STATIC[0]);
}

and the C side can contain arbitrary bytes under the name STATIC.

[steveklabnik]

nominating due to unsoundness

[strega-nil]

@petrochenkov technically, the Rust side can also contain arbitrary bytes under the name STATIC. Or the C++ side. Or really any language.

[retep998]

I'd be okay with extern statics requiring unsafe to access. Would probably need a very long deprecation/warning period however.

[strega-nil]

@retep998 it's unsound, therefore, it doesn't need that long of a deprecation period, in my opinion. Maybe two cycles.

[hanna-kruppe]

Since this would presumably go through a forward compatibility lint, it could be made deny-by-default soon-ish. A hard error should perhaps take longer — just because it's unsound doesn't mean it won't affect many crates.

[strega-nil]

@rkruppe makes sense.

[retep998]

Probably one Rust release warn by default, and then at least one deny by default and keeping it deny by default for a while until crater says it is mostly okay.

[nikomatsakis]

Agreed, it seems very clear that accessing an extern static should be unsafe -- just as calling an extern fn is unsafe. Just a plain oversight. There are many ways for this to go wrong:

• the C code could mutate the static
• the type might not match what the C type is
• etc

So we should add a forwards-compatibility lint and make it unsafe to access an extern static. I agree we'll want to have a (very) long deprecation period.