Box over FFI boundary

3453453453 · October 16, 2015, 1:58pm

I was wondering if Box is safe to expose in FFI signatures. Box is not marked as repr(C) but its layout seems to be compatible. Consider for example the following C-API:

#ifndef TEST_H
#define TEST_H

#include <stddef.h>
#include <stdint.h>

typedef struct vector_t vector_t;

void   new(vector_t **);
void   del(vector_t *);
void   add(uint8_t, vector_t *);
size_t len(vector_t const *);

#endif

Would this Rust implementation be safe?

use std::ptr;

#[no_mangle]
pub extern fn new(x: *mut Box<Vec<u8>>) {
    let v = Box::new(Vec::new());
    unsafe {
        ptr::write(x, v)
    }
}

#[no_mangle]
pub extern fn del(_: Box<Vec<u8>>) {}

#[no_mangle]
pub extern fn add(x: u8, v: &mut Vec<u8>) {
    v.push(x)
}

#[no_mangle]
pub extern fn len(v: &Vec<u8>) -> usize {
    v.len()
}

It certainly compiles and links fine with a little test program:

#include <assert.h>
#include <test.h>

int main () {
        vector_t * v = NULL;
        new(&v);
        add(1, v);
        add(2, v);
        assert(2 == len(v));
        del(v);
}

Am I relying on some unsafe behaviour here or would this be a correct approach to write a Rust FFI?

gkoz · October 16, 2015, 2:52pm

Although Box's representation is currently identical to that of a raw pointer, it's more future-proof to use from_raw and into_raw (that are stable in Rust 1.4 coming out in two weeks).

#[no_mangle]
pub extern fn new(x: *mut *mut Vec<u8>) {
    unsafe {
        let v = Box::new(Vec::new());
        *x = Box::into_raw(v);
    }
}

#[no_mangle]
pub extern fn del(v: *mut Vec<u8>) {
    unsafe {
        Box::from_raw(v);
    }
}

steveklabnik · October 16, 2015, 3:02pm

If it's not repr(c), then there's no guarantees about its representation, at all.

gkoz · October 16, 2015, 3:07pm

I wonder, is improper_ctypes lint supposed to be smart enough to warn about x: Box<Vec<Foo>> (it doesn't do even that so far) but allow x: *mut Vec<Foo> (although you still can do *x = Vec::new())? Or should it deny any mentions of non-repr(C) types no matter the level of indirection?

mzabaluev · October 18, 2015, 7:02am

Box itself shouldn't be used in FFI, but as @gkoz points out, it can be converted to a raw pointer. I find it useful in C APIs that take an untyped pointer as a user-provided value together with a function pointer to call (with the data pointer as argument) when the value stops being used. You can pass an extern "C" fn that converts the pointer back to the Box and drops it.

Topic		Replies	Views
FFI Safety of Box<T> help	4	1462	June 4, 2020
Is there an established technique for FFI callbacks? help	4	950	January 24, 2021
Using struct with boxed array in FFI	3	283	January 23, 2022
From rawpointer to rust struct	6	662	January 12, 2023
Sending a boxed trait over FFI help	7	4942	January 12, 2023

Box over FFI boundary

Related Topics