1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
|
% Rust Foreign Function Interface Tutorial
# Introduction
This tutorial will use the [snappy](https://code.google.com/p/snappy/)
compression/decompression library as an introduction to writing bindings for
foreign code. Rust is currently unable to call directly into a C++ library, but
snappy includes a C interface (documented in
[`snappy-c.h`](https://code.google.com/p/snappy/source/browse/trunk/snappy-c.h)).
The following is a minimal example of calling a foreign function which will compile if snappy is
installed:
~~~~ {.xfail-test}
use std::libc::size_t;
#[link_args = "-lsnappy"]
extern {
fn snappy_max_compressed_length(source_length: size_t) -> size_t;
}
#[fixed_stack_segment]
fn main() {
let x = unsafe { snappy_max_compressed_length(100) };
println(fmt!("max compressed length of a 100 byte buffer: %?", x));
}
~~~~
The `extern` block is a list of function signatures in a foreign library, in this case with the
platform's C ABI. The `#[link_args]` attribute is used to instruct the linker to link against the
snappy library so the symbols are resolved.
Foreign functions are assumed to be unsafe so calls to them need to be wrapped with `unsafe {}` as a
promise to the compiler that everything contained within truly is safe. C libraries often expose
interfaces that aren't thread-safe, and almost any function that takes a pointer argument isn't
valid for all possible inputs since the pointer could be dangling, and raw pointers fall outside of
Rust's safe memory model.
Finally, the `#[fixed_stack_segment]` annotation that appears on
`main()` instructs the Rust compiler that when `main()` executes, it
should request a "very large" stack segment. More details on
stack management can be found in the following sections.
When declaring the argument types to a foreign function, the Rust compiler will not check if the
declaration is correct, so specifying it correctly is part of keeping the binding correct at
runtime.
The `extern` block can be extended to cover the entire snappy API:
~~~~ {.xfail-test}
use std::libc::{c_int, size_t};
#[link_args = "-lsnappy"]
extern {
fn snappy_compress(input: *u8,
input_length: size_t,
compressed: *mut u8,
compressed_length: *mut size_t) -> c_int;
fn snappy_uncompress(compressed: *u8,
compressed_length: size_t,
uncompressed: *mut u8,
uncompressed_length: *mut size_t) -> c_int;
fn snappy_max_compressed_length(source_length: size_t) -> size_t;
fn snappy_uncompressed_length(compressed: *u8,
compressed_length: size_t,
result: *mut size_t) -> c_int;
fn snappy_validate_compressed_buffer(compressed: *u8,
compressed_length: size_t) -> c_int;
}
~~~~
# Creating a safe interface
The raw C API needs to be wrapped to provide memory safety and make use of higher-level concepts
like vectors. A library can choose to expose only the safe, high-level interface and hide the unsafe
internal details.
Wrapping the functions which expect buffers involves using the `vec::raw` module to manipulate Rust
vectors as pointers to memory. Rust's vectors are guaranteed to be a contiguous block of memory. The
length is number of elements currently contained, and the capacity is the total size in elements of
the allocated memory. The length is less than or equal to the capacity.
~~~~ {.xfail-test}
#[fixed_stack_segment]
#[inline(never)]
pub fn validate_compressed_buffer(src: &[u8]) -> bool {
unsafe {
snappy_validate_compressed_buffer(vec::raw::to_ptr(src), src.len() as size_t) == 0
}
}
~~~~
The `validate_compressed_buffer` wrapper above makes use of an `unsafe` block, but it makes the
guarantee that calling it is safe for all inputs by leaving off `unsafe` from the function
signature.
The `validate_compressed_buffer` wrapper is also annotated with two
attributes `#[fixed_stack_segment]` and `#[inline(never)]`. The
purpose of these attributes is to guarantee that there will be
sufficient stack for the C function to execute. This is necessary
because Rust, unlike C, does not assume that the stack is allocated in
one continuous chunk. Instead, we rely on a *segmented stack* scheme,
in which the stack grows and shrinks as necessary. C code, however,
expects one large stack, and so callers of C functions must request a
large stack segment to ensure that the C routine will not run off the
end of the stack.
The compiler includes a lint mode that will report an error if you
call a C function without a `#[fixed_stack_segment]` attribute. More
details on the lint mode are given in a later section.
You may be wondering why we include a `#[inline(never)]` directive.
This directive informs the compiler never to inline this function.
While not strictly necessary, it is usually a good idea to use an
`#[inline(never)]` directive in concert with `#[fixed_stack_segment]`.
The reason is that if a fn annotated with `fixed_stack_segment` is
inlined, then its caller also inherits the `fixed_stack_segment`
annotation. This means that rather than requesting a large stack
segment only for the duration of the call into C, the large stack
segment would be used for the entire duration of the caller. This is
not necessarily *bad* -- it can for example be more efficient,
particularly if `validate_compressed_buffer()` is called multiple
times in a row -- but it does work against the purpose of the
segmented stack scheme, which is to keep stacks small and thus
conserve address space.
The `snappy_compress` and `snappy_uncompress` functions are more complex, since a buffer has to be
allocated to hold the output too.
The `snappy_max_compressed_length` function can be used to allocate a vector with the maximum
required capacity to hold the compressed output. The vector can then be passed to the
`snappy_compress` function as an output parameter. An output parameter is also passed to retrieve
the true length after compression for setting the length.
~~~~ {.xfail-test}
pub fn compress(src: &[u8]) -> ~[u8] {
#[fixed_stack_segment]; #[inline(never)];
unsafe {
let srclen = src.len() as size_t;
let psrc = vec::raw::to_ptr(src);
let mut dstlen = snappy_max_compressed_length(srclen);
let mut dst = vec::with_capacity(dstlen as uint);
let pdst = vec::raw::to_mut_ptr(dst);
snappy_compress(psrc, srclen, pdst, &mut dstlen);
vec::raw::set_len(&mut dst, dstlen as uint);
dst
}
}
~~~~
Decompression is similar, because snappy stores the uncompressed size as part of the compression
format and `snappy_uncompressed_length` will retrieve the exact buffer size required.
~~~~ {.xfail-test}
pub fn uncompress(src: &[u8]) -> Option<~[u8]> {
#[fixed_stack_segment]; #[inline(never)];
unsafe {
let srclen = src.len() as size_t;
let psrc = vec::raw::to_ptr(src);
let mut dstlen: size_t = 0;
snappy_uncompressed_length(psrc, srclen, &mut dstlen);
let mut dst = vec::with_capacity(dstlen as uint);
let pdst = vec::raw::to_mut_ptr(dst);
if snappy_uncompress(psrc, srclen, pdst, &mut dstlen) == 0 {
vec::raw::set_len(&mut dst, dstlen as uint);
Some(dst)
} else {
None // SNAPPY_INVALID_INPUT
}
}
}
~~~~
For reference, the examples used here are also available as an [library on
GitHub](https://github.com/thestinger/rust-snappy).
# Automatic wrappers
Sometimes writing Rust wrappers can be quite tedious. For example, if
function does not take any pointer arguments, often there is no need
for translating types. In such cases, it is usually still a good idea
to have a Rust wrapper so as to manage the segmented stacks, but you
can take advantage of the (standard) `externfn!` macro to remove some
of the tedium.
In the initial section, we showed an extern block that added a call
to a specific snappy API:
~~~~ {.xfail-test}
use std::libc::size_t;
#[link_args = "-lsnappy"]
extern {
fn snappy_max_compressed_length(source_length: size_t) -> size_t;
}
#[fixed_stack_segment]
fn main() {
let x = unsafe { snappy_max_compressed_length(100) };
println(fmt!("max compressed length of a 100 byte buffer: %?", x));
}
~~~~
To avoid the need to create a wrapper fn for `snappy_max_compressed_length()`,
and also to avoid the need to think about `#[fixed_stack_segment]`, we
could simply use the `externfn!` macro instead, as shown here:
~~~~ {.xfail-test}
use std::libc::size_t;
externfn!(#[link_args = "-lsnappy"]
fn snappy_max_compressed_length(source_length: size_t) -> size_t)
fn main() {
let x = unsafe { snappy_max_compressed_length(100) };
println(fmt!("max compressed length of a 100 byte buffer: %?", x));
}
~~~~
As you can see from the example, `externfn!` replaces the extern block
entirely. After macro expansion, it will create something like this:
~~~~ {.xfail-test}
use std::libc::size_t;
// Automatically generated by
// externfn!(#[link_args = "-lsnappy"]
// fn snappy_max_compressed_length(source_length: size_t) -> size_t)
unsafe fn snappy_max_compressed_length(source_length: size_t) -> size_t {
#[fixed_stack_segment]; #[inline(never)];
return snappy_max_compressed_length(source_length);
#[link_args = "-lsnappy"]
extern {
fn snappy_max_compressed_length(source_length: size_t) -> size_t;
}
}
fn main() {
let x = unsafe { snappy_max_compressed_length(100) };
println(fmt!("max compressed length of a 100 byte buffer: %?", x));
}
~~~~
# Segmented stacks and the linter
By default, whenever you invoke a non-Rust fn, the `cstack` lint will
check that one of the following conditions holds:
1. The call occurs inside of a fn that has been annotated with
`#[fixed_stack_segment]`;
2. The call occurs inside of an `extern fn`;
3. The call occurs within a stack closure created by some other
safe fn.
All of these conditions ensure that you are running on a large stack
segmented. However, they are sometimes too strict. If your application
will be making many calls into C, it is often beneficial to promote
the `#[fixed_stack_segment]` attribute higher up the call chain. For
example, the Rust compiler actually labels main itself as requiring a
`#[fixed_stack_segment]`. In such cases, the linter is just an
annoyance, because all C calls that occur from within the Rust
compiler are made on a large stack. Another situation where this
frequently occurs is on a 64-bit architecture, where large stacks are
the default. In cases, you can disable the linter by including a
`#[allow(cstack)]` directive somewhere, which permits violations of
the "cstack" rules given above (you can also use `#[warn(cstack)]` to
convert the errors into warnings, if you prefer).
# Destructors
Foreign libraries often hand off ownership of resources to the calling code,
which should be wrapped in a destructor to provide safety and guarantee their
release.
A type with the same functionality as owned boxes can be implemented by
wrapping `malloc` and `free`:
~~~~
use std::cast;
use std::libc::{c_void, size_t, malloc, free};
use std::ptr;
use std::unstable::intrinsics;
// a wrapper around the handle returned by the foreign code
pub struct Unique<T> {
priv ptr: *mut T
}
impl<T: Send> Unique<T> {
pub fn new(value: T) -> Unique<T> {
#[fixed_stack_segment];
#[inline(never)];
unsafe {
let ptr = malloc(std::sys::size_of::<T>() as size_t) as *mut T;
assert!(!ptr::is_null(ptr));
// `*ptr` is uninitialized, and `*ptr = value` would attempt to destroy it
intrinsics::move_val_init(&mut *ptr, value);
Unique{ptr: ptr}
}
}
// the 'r lifetime results in the same semantics as `&*x` with ~T
pub fn borrow<'r>(&'r self) -> &'r T {
unsafe { cast::copy_lifetime(self, &*self.ptr) }
}
// the 'r lifetime results in the same semantics as `&mut *x` with ~T
pub fn borrow_mut<'r>(&'r mut self) -> &'r mut T {
unsafe { cast::copy_mut_lifetime(self, &mut *self.ptr) }
}
}
#[unsafe_destructor]
impl<T: Send> Drop for Unique<T> {
fn drop(&mut self) {
#[fixed_stack_segment];
#[inline(never)];
unsafe {
let x = intrinsics::init(); // dummy value to swap in
// moving the object out is needed to call the destructor
ptr::replace_ptr(self.ptr, x);
free(self.ptr as *c_void)
}
}
}
// A comparison between the built-in ~ and this reimplementation
fn main() {
{
let mut x = ~5;
*x = 10;
} // `x` is freed here
{
let mut y = Unique::new(5);
*y.borrow_mut() = 10;
} // `y` is freed here
}
~~~~
# Linking
In addition to the `#[link_args]` attribute for explicitly passing arguments to the linker, an
`extern mod` block will pass `-lmodname` to the linker by default unless it has a `#[nolink]`
attribute applied.
# Unsafe blocks
Some operations, like dereferencing unsafe pointers or calling functions that have been marked
unsafe are only allowed inside unsafe blocks. Unsafe blocks isolate unsafety and are a promise to
the compiler that the unsafety does not leak out of the block.
Unsafe functions, on the other hand, advertise it to the world. An unsafe function is written like
this:
~~~~
unsafe fn kaboom(ptr: *int) -> int { *ptr }
~~~~
This function can only be called from an `unsafe` block or another `unsafe` function.
# Accessing foreign globals
Foreign APIs often export a global variable which could do something like track
global state. In order to access these variables, you declare them in `extern`
blocks with the `static` keyword:
~~~{.xfail-test}
use std::libc;
#[link_args = "-lreadline"]
extern {
static rl_readline_version: libc::c_int;
}
fn main() {
println(fmt!("You have readline version %d installed.",
rl_readline_version as int));
}
~~~
Alternatively, you may need to alter global state provided by a foreign
interface. To do this, statics can be declared with `mut` so rust can mutate
them.
~~~{.xfail-test}
use std::libc;
use std::ptr;
#[link_args = "-lreadline"]
extern {
static mut rl_prompt: *libc::c_char;
}
fn main() {
do "[my-awesome-shell] $".as_c_str |buf| {
unsafe { rl_prompt = buf; }
// get a line, process it
unsafe { rl_prompt = ptr::null(); }
}
}
~~~
# Foreign calling conventions
Most foreign code exposes a C ABI, and Rust uses the platform's C calling convention by default when
calling foreign functions. Some foreign functions, most notably the Windows API, use other calling
conventions. Rust provides the `abi` attribute as a way to hint to the compiler which calling
convention to use:
~~~~
#[cfg(target_os = "win32")]
#[abi = "stdcall"]
#[link_name = "kernel32"]
extern {
fn SetEnvironmentVariableA(n: *u8, v: *u8) -> int;
}
~~~~
The `abi` attribute applies to a foreign module (it cannot be applied to a single function within a
module), and must be either `"cdecl"` or `"stdcall"`. The compiler may eventually support other
calling conventions.
# Interoperability with foreign code
Rust guarantees that the layout of a `struct` is compatible with the platform's representation in C.
A `#[packed]` attribute is available, which will lay out the struct members without padding.
However, there are currently no guarantees about the layout of an `enum`.
Rust's owned and managed boxes use non-nullable pointers as handles which point to the contained
object. However, they should not be manually created because they are managed by internal
allocators. Borrowed pointers can safely be assumed to be non-nullable pointers directly to the
type. However, breaking the borrow checking or mutability rules is not guaranteed to be safe, so
prefer using raw pointers (`*`) if that's needed because the compiler can't make as many assumptions
about them.
Vectors and strings share the same basic memory layout, and utilities are available in the `vec` and
`str` modules for working with C APIs. However, strings are not terminated with `\0`. If you need a
NUL-terminated string for interoperability with C, you should use the `c_str::to_c_str` function.
The standard library includes type aliases and function definitions for the C standard library in
the `libc` module, and Rust links against `libc` and `libm` by default.
|
