Rewrite the improper_ctypes lint.

[eefriedman]

Makes the lint a bit more accurate, and improves the quality of the diagnostic
messages by explicitly returning an error message.

[rust-highfive]

r? @pcwalton

(rust_highfive has picked a reviewer for you, use r? to override)

[eefriedman]

With some help on IRC, I got part of the way handling projection types (54e183f). Still doesn't work completely correctly, though; not sure what's missing.

[bors]

☔️ The latest upstream changes (presumably #26575) made this pull request unmergeable. Please resolve the merge conflicts.

[eefriedman]

Rebased, and updated with some handling for late-bound lifetimes. Ready to be reviewed, I think?

[bors]

☔️ The latest upstream changes (presumably #26694) made this pull request unmergeable. Please resolve the merge conflicts.

[eefriedman]

Rebased.

[eefriedman]

Ping.

[alexcrichton]

r? @nrc

[nrc]

Does this mean we no longer use ReachesFfiUnsafe at all? If so, it should be removed, not just this helper function.

[nrc]

Can we share this code with trans? I'm pretty uncomfortable with having two different ways of answering this question.

[eefriedman]

Pulling the whole algorithm out of trans into librustc is rather complicated... I can do it, but I think I'll submit it as a separate PR (it's a few hundred lines of code).

[nrc]

It is currently correct and unlikely to change (although technically, no guarantees).

[nrc]

After some discussion on IRC - why are tuples ever OK by the FFI lint? Since C has no tuples, it seems we should lint against passing them to C.

[eefriedman]

This follows what the old FFI lint did; I guess I can try changing it.

[nrc]

You should probably check for ZSTs at the 'top level' of this function - I believe it would be an error to pass a struct with a aero-sized field across FFI too?

[nrc]

Better to be unsafe until this is implemented. Or perhaps add FfiUnimplemented

[nrc]

Shouldn't usize and isize be FfiUnsafe?

[eefriedman]

They are; I'll rearrange the function to make that more obvious.

[tomjakubowski]

Why are they considered unsafe for FFI? Are they not guaranteed to be defined the same as (one of) size_t/ssize_t, uintptr_t/intptr_t, on all our supported platforms?

On Jul 21, 2015, at 14:38, Nick Cameron notifications@github.com wrote:

In src/librustc_lint/builtin.rs:

•        ty::TyRawPtr(ref m) | ty::TyRef(_, ref m) => {
  

•            self.check_type_for_ffi(cache, m.ty)
  

•        }
  

•        // FIXME: Maybe we want to prohibit arrays of zero-size types?
  

•        ty::TyArray(ty, _) => {
  

•            self.check_type_for_ffi(cache, ty)
  

•        }
  

•        ty::TyBareFn(..) => {
  

•            // FIXME: Implement
  

•            FfiSafe
  

•        }
  

•        // Primitive types with a stable representation.
  

•        ty::TyBool | ty::TyInt(..) | ty::TyUint(..) |
  

  Shouldn't usize and isize be FfiUnsafe?

—
Reply to this email directly or view it on GitHub.

[tomjakubowski]

If you were writing a malloc replacement in Rust, for example, you'd likely use size/usize internally, and it seems likely that you'd want to use those as well in your extern signature for tjmalloc or whatever.

The alternative is to use libc's size_t type alias in those signatures, but that seems to just be shoving the problem elsewhere.

On Jul 21, 2015, at 14:38, Nick Cameron notifications@github.com wrote:

In src/librustc_lint/builtin.rs:

•        ty::TyRawPtr(ref m) | ty::TyRef(_, ref m) => {
  

•            self.check_type_for_ffi(cache, m.ty)
  

•        }
  

•        // FIXME: Maybe we want to prohibit arrays of zero-size types?
  

•        ty::TyArray(ty, _) => {
  

•            self.check_type_for_ffi(cache, ty)
  

•        }
  

•        ty::TyBareFn(..) => {
  

•            // FIXME: Implement
  

•            FfiSafe
  

•        }
  

•        // Primitive types with a stable representation.
  

•        ty::TyBool | ty::TyInt(..) | ty::TyUint(..) |
  

  Shouldn't usize and isize be FfiUnsafe?

—
Reply to this email directly or view it on GitHub.

[eefriedman]

They aren't really unsafe, per se. We just want to discourage people from using them; it's usually a good idea to use types from the libc crate in FFI signatures.

Granted, it used to be more of a concern when isize was named int.

[tomjakubowski]

The alternative is to use libc's size_t type alias in those signatures, but that seems to just be shoving the problem elsewhere.

By that I meant, by disallowing usize or size in FFI signatures: there are now two potential problems, that usize/size don't correspond to size_t/ssize_t, and that the libc::size_t and libc::ssize_t aliases are wrong. You'd need a cast somewhere, probably inside the FFI function, from libc::size_t (which is something like u64) to usize, which could cause hidden errors in the case that the alias in libc is wrong.

[eefriedman]

You might be right. That said, the old improper_ctypes lint did exactly the same thing, so I don't really want to change it here. Please file a bug, or open a thread on https://internals.rust-lang.org.

[eefriedman]

Updated to address review comments.

Function pointers are now checked. Tuples are now disallowed. Zero-size structs are now disallowed. is_repr_nullable_ptr is still a separate function; unifying it with the trans enum handling is going to be a big task.

[tomjakubowski]

Any chance fixes (or tests, if these commits already fix them) for #20098 and #19834 could slip in? :-)

[eefriedman]

This already fixes and tests #20098 (Box was affected by the same issue as String). #19834 is essentially orthogonal; I don't want to make too many changes at once.

[nrc]

Pulling the whole algorithm out of trans into librustc is rather complicated... I can do it, but I think I'll submit it as a separate PR (it's a few hundred lines of code).

Seems reasonable

[nrc]

@bors r+

[bors]

📌 Commit 484d071 has been approved by nrc

[bors]

⌛️ Testing commit 484d071 with merge d7e2f6f...

[bors]

📌 Commit 8d47c3d has been approved by alexcrichton

[bors]

⌛️ Testing commit 8d47c3d with merge 3825fc1...

[bors]

💔 Test failed - auto-mac-64-nopt-t

[eefriedman]

Fixed again...

[nrc]

@bors r+

[bors]

📌 Commit 858a1b9 has been approved by nrc

[bors]

⌛️ Testing commit 858a1b9 with merge 48ef346...

[bors]

💔 Test failed - auto-win-msvc-64-opt

[eefriedman]

Fixed again...

[alexcrichton]

@bors: r=nrc 6fa17b4

[bors]

⌛️ Testing commit 6fa17b4 with merge 68e0d13...

[bors]

☀️ Test successful - auto-linux-32-nopt-t, auto-linux-32-opt, auto-linux-64-nopt-t, auto-linux-64-opt, auto-linux-64-x-android-t, auto-mac-32-opt, auto-mac-64-nopt-t, auto-mac-64-opt, auto-win-gnu-32-nopt-t, auto-win-gnu-32-opt, auto-win-gnu-64-nopt-t, auto-win-gnu-64-opt, auto-win-msvc-32-opt, auto-win-msvc-64-opt