Lint for str::as_ptr arguments?

user16251 · February 16, 2023, 1:35am

Is there a way to easily check if str::as_ptr is being used to construct an argument to a foreign function? I recently encountered a bug due to this (where a C function expected a null-terminated string). Arguably the right thing is to wrap the foreign function to accept a &CStr; it would be helpful to get a list of potential problems.

Coding-Badly · February 16, 2023, 2:09am

CStr::as_ptr returns signed (*const i8) while str::as_ptr returns unsigned (*const u8).

Is the foreign function declared to accept what CStr::as_ptr returns?

If no then why not?

If yes then is the compiler not producing an error?

Hyeonu · February 16, 2023, 2:17am

CStr::as_ptr returns *const std::ffi::c_char and in C signedness of its char type is implementation defined. Here's how the Rust libstd detects it, for example in linux it's signed on x86 but unsigned on ARM.

user16251 · February 16, 2023, 2:24am

I don't have the code in front of me but it might have had a cast as well.

Coding-Badly · February 16, 2023, 4:48am

...which unfortunately is not reflected in the documentation.

That would be the goal. Create a situation in which the only way to get it correct is to have no cast. Rust is strongly typed and has support for new types.

Maybe something like this...

use std::ffi::CString;
use std::os::raw::c_char;

#[repr(C)]
struct MyChar(c_char);

#[repr(C)]
struct MyCharWrapper(*const MyChar);

impl From<&CString> for MyCharWrapper {
    fn from(value: &CString) -> MyCharWrapper {
        MyCharWrapper(value.as_ptr() as *const MyChar)
    }
}

extern "C" { fn puts(s: MyCharWrapper); }

fn main() {
    let print_me = CString::new("Hello, world!").unwrap();
    unsafe { puts((&print_me).into()); }
}

xfix · February 16, 2023, 6:45am

There is an issue in Clippy for this: Lint to warn about str::as_ptr() usage in ffi call · Issue #1236 · rust-lang/rust-clippy · GitHub.

The problem however is that it's not always incorrect to pass a pointer from str::as_ptr to an external function. If a function accepts a pair of pointer and length (like memcpy) or a pair of two pointers to start and end of an array (like STL containers do) then it's not a problem to do so, and determining cases like this isn't easy with how Clippy works.

user16251 · February 16, 2023, 10:55am

I agree, it's not always a problem. I'm okay with false positives since I just want to use this to review code. I would be happy with just a way to find every str reference being converted to a pointer.

kornel · February 16, 2023, 2:33pm

github.com/rust-lang/rust

Document that CStr::as_ptr returns a type alias

rust-lang:master ← kornelski:cstr_c_char

opened 02:26PM - 16 Feb 23 UTC

kornelski

+5 -0

Rustdoc resolves type aliases too eagerly #15823 which makes the [std re-export]…(https://doc.rust-lang.org/stable/std/ffi/struct.CStr.html#method.as_ptr) of `CStr::as_ptr` show `i8` instead of `c_char`. To work around this I've added info about `c_char` in the method's description. BTW, I've also added a comment to what-not-to-do example in case someone copypasted it without reading the surrounding text.

system · May 17, 2023, 2:34pm

This topic was automatically closed 90 days after the last reply. We invite you to open a new topic if you have further questions or comments.

Topic		Replies	Views
CString/.as_ptr() is incredibly unsafe :(	16	5906	January 12, 2023
Converting *const c_char to &str help	7	12607	January 12, 2023
[Solved] Understanding as_ptr example help	15	1870	October 28, 2019
FFI - Creating a "&[u8]" from "const char*" Slice help	24	7023	March 23, 2021
How to wrap `printf` in libc properly? help	6	4362	January 12, 2023

Lint for str::as_ptr arguments?

Related topics