The old slide was doing several things at the same time: demonstrating both external functions as well as unsafe Rust functions. We now treat those two topics separately. In addition, the “Calling Unsafe Functions” heading has become its own slide with a non-crashing example that shows what can go wrong if an argument is misunderstood in a call to an unsafe function. The old example didn’t actually illustrate the danger clearly: it would produce mangled UTF-8 output, which the Playground server refuses to print.
| /// | ||
| /// # Safety | ||
| /// | ||
| /// The pointers must be valid and properly aligned. |
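Review bot: the `# Safety` section stops at validity and alignment and does not say whether the two pointers may point at the same byte; since the reply below settles that overlapping is acceptable here because the pointees are `u8`, put that decision into the contract rather than leaving callers to guess, e.g. `/// The pointers must be valid and properly aligned; they may overlap.`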
oh, because these are u8 it's actually ok to overlap
| `abs` is unsafe because it is an external function (FFI). Calling external | ||
| functions is usually only a problem when those functions do things with pointers | ||
| which might violate Rust's memory model, but in general any C function might | ||
| have undefined behaviour under any arbitrary circumstances. |
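Review bot: "any C function might have undefined behaviour under any arbitrary circumstances" is too vague to teach from; the concrete hazard, raised in the comment below, is that nothing checks the Rust declaration against the C definition, so declaring `abs` with a different integer width than the C prototype is itself undefined behaviour before the function body even runs. Suggest replacing the second sentence with: "The Rust declaration is never checked against the C definition, so a mismatched signature is undefined behaviour, and the C code itself may have preconditions Rust cannot see."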
Is it worth mentioning here that there is no automatic checking of the Rust function signature against that of the target function? For example, in this case the C function might take uint64_t and this would cause UB.
Co-authored-by: Dustin J. Mitchell <djmitche@google.com>
| println!("a = {}, b = {}", a, b); | ||
| } | ||
| ``` | ||
| - Foreign functions in `extern "C"` blocks. |
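Review bot: presenting foreign functions in `extern "C"` blocks as their own category of unsafe function does not hold once `unsafe extern` (Rust 1.82, see the comment below) lets an individual item be declared `safe`; the criterion that comment gives, a function is unsafe when it has safety prerequisites the caller must uphold to avoid undefined behaviour, would be the clearer wording for this bullet, with foreign functions mentioned as one common source of such prerequisites rather than as a separate kind.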
Since Rust 1.82 (with unsafe extern) foreign functions aren't necessarily unsafe, so I don't think these are really separate categories. Either way, a function is unsafe if it has some safety prerequisites which must be met to avoid undefined behaviour (or IO safety issues).
We should also update the example to use unsafe extern.
This PR was from before Rust 1.82, so perhaps we can land it and update, unless you think that splitting the slides doesn't make sense anymore?
I've pushed some commits to fix this and some other issues.
| @@ -0,0 +1,32 @@ | |||
| # Unsafe External Functions | |||
|
|
|||
| All functions implemented in a foreign language are considered unsafe in Rust: | |||
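Review bot: "All functions implemented in a foreign language are considered unsafe in Rust" is stated without qualification, but with `unsafe extern` blocks (Rust 1.82, as the comment below notes) each declared item says for itself whether calling it is `safe` or `unsafe`; suggest: "Functions declared in a plain `extern` block are unsafe to call; in an `unsafe extern` block, each function declares whether it is `safe` or `unsafe` to call, and the declaration itself is `unsafe` because Rust cannot check it against the foreign definition."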
This is no longer true as of 1.82. We should talk about unsafe extern here.
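The two review comments above ("foreign functions aren't necessarily unsafe" since Rust 1.82, and "we should talk about unsafe extern here") describe a split that is easiest to see in code. The block below is an added example, not the course's own slide code: it needs Rust 1.82 or later, links against libc's `abs` and `strlen`, and the names `c_string_len`, `swap` and `swap_bytes` are this example's own. The `# Safety` wording on `swap` follows the doc comment quoted earlier in this thread, with the overlap clause from that discussion added.

```rust
use std::ffi::{c_char, c_int, CString};

// Rust 1.82+ (`unsafe extern` blocks): the block is marked `unsafe` because
// these Rust declarations are never checked against the C definitions; a
// wrong type here (say `u64` where C has `int`) would be undefined behaviour.
// Each item then states whether *calling* it needs `unsafe`.
unsafe extern "C" {
    // No preconditions on the argument, so it is callable like any safe fn.
    pub safe fn abs(input: c_int) -> c_int;
    // Reads through a raw pointer; the caller must guarantee NUL termination.
    pub unsafe fn strlen(s: *const c_char) -> usize;
}

/// Safe wrapper around `strlen`: the contract (valid, NUL-terminated buffer)
/// is established by `CString`, so callers of this function need no `unsafe`.
/// Returns `None` for an interior NUL, which `CString` rejects.
pub fn c_string_len(s: &str) -> Option<usize> {
    let c = CString::new(s).ok()?;
    // SAFETY: `c` owns a NUL-terminated buffer that outlives this call.
    Some(unsafe { strlen(c.as_ptr()) })
}

/// Swaps the two bytes behind `a` and `b`.
///
/// # Safety
///
/// Both pointers must be valid for reads and writes of one `u8` and properly
/// aligned. They may point at the same byte; the swap is then a no-op.
pub unsafe fn swap(a: *mut u8, b: *mut u8) {
    // SAFETY: the caller guarantees validity and alignment, and `ptr::swap`
    // explicitly permits overlapping pointers.
    unsafe { std::ptr::swap(a, b) }
}

/// Safe wrapper: the "misunderstood argument" risk is an index outside the
/// buffer. Checking bounds here turns a bad argument into a `false` return
/// instead of undefined behaviour inside `swap`.
pub fn swap_bytes(buf: &mut [u8], i: usize, j: usize) -> bool {
    if i >= buf.len() || j >= buf.len() {
        return false;
    }
    let base = buf.as_mut_ptr();
    // SAFETY: `i` and `j` are in bounds, so both pointers stay inside `buf`;
    // `u8` has alignment 1, and `swap` permits `i == j`.
    unsafe { swap(base.add(i), base.add(j)) };
    true
}

fn main() {
    // `abs` needs no `unsafe` at the call site; `strlen` does, but only
    // inside the wrapper that proves its precondition.
    println!("abs(-7) = {}", abs(-7));
    println!("strlen(\"hello\") = {:?}", c_string_len("hello"));
    let mut v = [1u8, 2, 3];
    let ok = swap_bytes(&mut v, 0, 2);
    println!("swap(0, 2) ok = {ok}, v = {v:?}");
    println!("swap(0, 3) ok = {}", swap_bytes(&mut v, 0, 3));
}
```

The design point is where the `unsafe` keyword lands: on the `extern` block because the declaration is an unverifiable claim about C, on `strlen` because it has a caller-side precondition, and nowhere on `abs`. The safe wrappers are the defender's habit the slide is teaching: every `unsafe` block carries a `SAFETY:` comment naming which precondition of the callee it discharges.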
Let's merge it before Rust 1.85.0 :)
The old slide was doing several things at the same time: demonstrating both external functions as well as unsafe Rust functions. We now treat those two topics separately. In addition, the “Calling Unsafe Functions” heading has become its own slide with a non-crashing example that shows what can go wrong if an argument is misunderstood in a call to an unsafe function. The old example didn’t actually illustrate the danger clearly: it would produce mangled UTF-8 output, which the Playground server refuses to print.

Part of google#2445.

---------

Co-authored-by: Dustin J. Mitchell <djmitche@google.com>
Co-authored-by: Andrew Walbran <qwandor@google.com>