Interior mutability and C API

Commeownist · October 17, 2021, 5:48am

(Sorry if it's a stupid question, I'm fairly new to Rust)

I'm working with a Rust binding to a C library, and I'm not sure if it's implemented correctly. This library is gccjit, but I think it will be more educative if I express it as a general problem.

The C library is a collection of functions and data types. Some functions are used to create an instance, these return "owning pointer"; some functions are used to mutate those data structures, they take this pointer. I would normally design the binding as follows:

struct TheType {
    // the pointer to the corresponding C type
    ptr: *mut c_void,
}

impl TheType {
    fn new() -> Self { /*...*/ }

    // Has to be mut because the underlying C function mutates the structure 
    fn set_some_property(&mut self, data: Data)  { 
        unsafe { (c_set_function(self.ptr)) }
    }

    // Doesn't have to be mut because the underlying C function does not mutate the structure 
    fn get_something(&self) -> Something { 
        unsafe { (c_get_function(self.ptr)).into() }
    }
}

Due to the way this library is used, I would like to have all methods take &self to avoid fighting the borrow checker. (This is how this library is implemented now. I suspect it's unsound).

My questions are:

Is my suspicion that &self methods that lead to logically mutating the contents are unsound?
If yes, would wrapping the ptr field in Cell fix the issue?

N.B: the library is inherently single-threaded and I don't care whether the Rust binding types are thread safe or not.

zrk · October 17, 2021, 6:34am

If you access the pointer solely by FFI and never create a rust reference to it, I believe using UnsafeCell to be unnecessary.

This stackoverflow discussion might be of interest.

jessa0 · October 17, 2021, 7:07am

I agree, if you're only storing a pointer the C library gives you, there's no Rust references, so any mutation is going to be happening in C code, governed by C's rules. There might be other reasons to add a &mut self to some of the mutating APIs in the wrapper struct, though: say e.g. one &self API returns a pointer to some data, but subsequent use of a mutating API may invalidate that pointer. Rust can help the wrapper struct's users avoid UB in that situation where C could not.

alice · October 17, 2021, 9:11am

This is fine. A raw pointer boundary has a similar effect as UnsafeCell.

system · January 15, 2022, 9:12am

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
Need help designing a safe Handle API for a C void pointer help	9	1096	March 13, 2020
`UnsafeCell` and C code (or `ptr::read/write`)	14	806	September 16, 2020
Exposing Rust instance from C help	7	309	April 12, 2024
Using Rust's advanced memory management features without invalidating a bound C library's references help	7	1476	May 17, 2020
Scope for structs and raw pointers for FFI/C library help	4	474	May 10, 2021

Interior mutability and C API

Related Topics