FFI code compilation error, STRANGE?!

finogeek · May 7, 2022, 8:38am

The following piece of code is really weird - try compile it on the Rust Playground -

use std::os::raw::c_char;
use std::ffi::{CString};

#[no_mangle]
pub unsafe extern "C" fn free(data: *mut c_char) {
    drop(CString::from_raw(data));
}

fn main() {
    println!("{}", "ok");
}

The result is this:

   Compiling playground v0.0.1 (/playground)
    Finished dev [unoptimized + debuginfo] target(s) in 1.40s
     Running `target/debug/playground`
timeout: the monitored command dumped core
/playground/tools/entrypoint.sh: line 11:     8 Segmentation fault      timeout --signal=KILL ${timeout} "$@"

However, if you do one of the following things, it will compile and run all right:

comment out '#[no_mangle]' , or
rename the 'free' function to something like 'freee' or whatever, just not name it 'free', or
comment out the 'main' function, or
comment out the 'drop(CString::from_raw(data))' part

Am I missing anything obvious here? is this 'free' name colliding with the 'free' word in C or something? but what does the 'main' or 'drop' part have anything to do, given the function is not even called. What is the logic behind this magic?

Cerber-Ursi · May 7, 2022, 8:47am

Yes, it overrides the libc's free, so it is called by the system allocator whenever something is freed on the heap, be it your own Box or something from the Rust runtime. See this:

use std::os::raw::c_char;

#[no_mangle]
pub unsafe extern "C" fn free(data: *mut c_char) {
    println!("Freeing pointer: {:p}", data);
}

fn main() {
    let boxed = Box::new(42);
    println!("Allocated pointer: {:p}", boxed);
}

Playground
At the end of the output, you can see something like this:

Allocated pointer: 0x56187e7f3de0
Freeing pointer: 0x56187e7f3de0

with some other free calls beforehand.

Well, without main the program will not run at all, so there's nothing to crash. And without drop there's no invalid pointer access, so no reason to crash, just a couple of memory leaks.

finogeek · May 7, 2022, 8:54am

cool. Got it. thx.

simonbuchan · May 7, 2022, 9:40am

Would it be a problem for Rust to disallow overriding library symbols like this, at least by default? There's probably technical issues since the platform controls the linker, which is what's really controlling this, but would there be design issues too? Surely this isn't desired and depended on, perhaps outside of [language_item]s

quinedot · May 7, 2022, 9:50am

See:

github.com/rust-lang/rust

#[no_mangle] is unsafe

opened 11:36PM - 02 Sep 15 UTC

geofft

A-linkage P-low T-lang T-compiler I-unsound C-bug

On some platforms (at least GNU/Linux, but I hear Windows and several others too…), if you link together two static libraries that both export a symbol of the same name, it's undefined which symbol actually gets linked. In practice on my machine, the first library seems to win. This lets you defeat type/memory safety without the `unsafe` keyword, by having two crates export a `#[no_mangle] pub fn` with different signatures but compatible calling conventions: ``` rust // one.rs #![crate_type = "lib"] #[no_mangle] pub fn convert(x: &'static i32) -> Result<i32, f32> { Ok(*x) } ``` ``` rust // two.rs #![crate_type = "lib"] #[no_mangle] pub fn convert(x: &'static f32) -> Result<i32, f32> { Err(*x) } ``` ``` rust // transmute.rs extern crate one; extern crate two; fn main() { static X: f32 = 3.14; let y: i32 = two::convert(&X).unwrap(); println!("{}", y); } ``` ``` geofft@titan:/tmp/transmute$ rustc one.rs geofft@titan:/tmp/transmute$ rustc two.rs geofft@titan:/tmp/transmute$ rustc transmute.rs -L . geofft@titan:/tmp/transmute$ ./transmute 1078523331 ``` Despite the stated call to `two::convert`, it's actually `one::convert` that gets called, which interprets the argument as a `&'static i32`. (It may be clearer to understand with this [simpler example](https://gist.github.com/geofft/493c5c17bfdd04b97670), which doesn't break type safety.) On at least GNU/Linux but _not_ other platforms like Windows or Darwin, dynamically-linked symbols have the same ambiguity. I don't know what the right response is here. The following options all seem pretty reasonable: 1. Acknowledge it and ignore it. Maybe document it as a possible source of unsafety, despite not using the `unsafe` keyword. 2. Have `#[no_mangle]` export both a mangled and un-mangled name, and have Rust crates call each other via mangled names only, on the grounds that `#[no_mangle]` is for external interfaces, not for crates linking to crates. ("External interfaces" includes other Rust code using FFI, but FFI is unsafe.) This is analogous to how `extern "C" fn`s export both a Rust-ABI symbol as well as a C-ABI shim, and a direct, safe Rust call to those function happens through the Rust ABI, not through the C ABI. I'm pretty sure that all production uses of `#[no_mangle]` are `extern "C"`, anyway (see e.g. #10025). 3. Deprecate `#[no_mangle]` on safe functions and data, and introduce a new `#[unsafe_no_mangle]`, so it substring-matches `unsafe`. (`#[no_mangle]` on unsafe functions or mutable statics is fine, since you need the `unsafe` keyword to get at them.) All of these are, I think, backwards-compatible.

simonbuchan · May 7, 2022, 10:31am

Tldr: "yeah, this should be an error, but it's too hard", seems like? A little lame, but I guess #[no_mangle] is already pretty weird and unsafe like.

quinedot · May 7, 2022, 8:36pm

I suspect churn is a concern but that's just a guess. There's an unsafe_code lint, but it's allow by default so far.

scottmcm · May 7, 2022, 9:15pm

And indeed, if you #![warn(unsafe_code)], you'll find out it warns on the no_mangle:

warning: declaration of a `no_mangle` function
 --> src/main.rs:6:1
  |
6 | #[no_mangle]
  | ^^^^^^^^^^^^
  |
  = note: the linker's behavior with multiple libraries exporting duplicate symbol names is undefined and Rust cannot provide guarantees when you manually override them

https://play.rust-lang.org/?version=stable&mode=debug&edition=2021&gist=343b3d3ffa0f989996fa821ca089ae8b

system · August 5, 2022, 9:15pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Side effect of marking all the methods to #[no_mangle] community	5	1029	July 10, 2019
Pointer becomes misaligned in test with `no_mangle` help	6	211	June 3, 2025
Why I am getting build error when I have 2 functions of same name in different lib in a workspace?	4	512	October 20, 2020
Segfault when freeing memory allocated to trait objects through the Rust FFI help	3	785	August 9, 2019
Help needed to solve compile and linkage issues	4	1530	January 12, 2023

FFI code compilation error, STRANGE?!

Related topics