libs (ffi)
std::c_vec modulestd::c_str under a new std::ffi module, not exporting the c_str
module.CString on Rust-owned bytes, providing a static assertion that a
pile of bytes has no interior nuls but has a trailing nul.The primary motivation for this RFC is to work out the stabilization of the
c_str and c_vec modules. Both of these modules exist for interoperating with
C types to ensure that values can cross the boundary of Rust and C relatively
safely. These types also need to be designed with ergonomics in mind to ensure
that it's tough to get them wrong and easy to get them right.
The current CString and CVec types are quite old and are long due for a
scrutinization, and these types are currently serving a number of competing
concerns:
CString can both take ownership of a pointer as well as inspect a
pointer.CString is always allocated/deallocated on the libc heap.CVec looks like a slice but does not quite act like one.CString looks like a byte slice but does not quite act like one.Vec and String types as well as the str and
slice modules.In general all of this functionality needs to be reconciled with one another to provide a consistent and coherence interface when operating with types originating from C.
In refactoring all usage could be categorized into one of three categories:
The current CString attempts to handle all three of these concerns all at
once, somewhat conflating desires. Additionally, CVec provides a fairly
different interface than CString while providing similar functionality.
std::ffiNote: an old implementation of the design below can be found in a branch of mine
The entire c_str module will be deleted as-is today and replaced with the
following interface at the new location std::ffi:
#[deriving(Clone, PartialEq, PartialOrd, Eq, Ord, Hash)]
pub struct CString { /* ... */ }
impl CString {
pub fn from_slice(s: &[u8]) -> CString { /* ... */ }
pub fn from_vec(s: Vec<u8>) -> CString { /* ... */ }
pub unsafe fn from_vec_unchecked(s: Vec<u8>) -> CString { /* ... */ }
pub fn as_slice(&self) -> &[libc::c_char] { /* ... */ }
pub fn as_slice_with_nul(&self) -> &[libc::c_char] { /* ... */ }
pub fn as_bytes(&self) -> &[u8] { /* ... */ }
pub fn as_bytes_with_nul(&self) -> &[u8] { /* ... */ }
}
impl Deref<[libc::c_char]> for CString { /* ... */ }
impl Show for CString { /* ... */ }
pub unsafe fn c_str_to_bytes<'a>(raw: &'a *const libc::c_char) -> &'a [u8] { /* ... */ }
pub unsafe fn c_str_to_bytes_with_nul<'a>(raw: &'a *const libc::c_char) -> &'a [u8] { /* ... */ }
The new CString API is focused solely on providing a static assertion that a
byte slice contains no interior nul bytes and there is a terminating nul byte.
A CString is usable as a slice of libc::c_char similar to how a Vec is
usable as a slice, but a CString can also be viewed as a byte slice with a
concrete u8 type. The default of libc::c_char was chosen to ensure that
.as_ptr() returns a pointer of the right value. Note that CString does not
provide a DerefMut implementation to maintain the static guarantee that there
are no interior nul bytes.
CStringOne of the major departures from today's API is how a CString is constructed.
Today this can be done through the CString::new function or the ToCStr
trait. These two construction vectors serve two very different purposes, one for
C-originating data and one for Rust-originating data. This redesign of CString
is solely focused on going from Rust to C (case 1 above) and only supports
constructors in this flavor.
The first constructor, from_slice, is intended to allow CString to implement
an on-the-stack buffer optimization in the future without having to resort to a
Vec with its allocation. This is similar to the optimization performed by
with_c_str today. Of the other two constructors, from_vec will consume a
vector, assert there are no 0 bytes, an then push a 0 byte on the end. The
from_vec_unchecked constructor will not perform the verification, but will
still push a zero. Note that both of these constructors expose the fact that a
CString is not necessarily valid UTF-8.
The ToCStr trait is removed entirely (including from the prelude) in favor of
these construction functions. This could possibly be re-added in the future, but
for now it will be removed from the module.
*const libc::c_charInstead of using CString to look at a *const libc::c_char, the module now
provides two conversion functions to go from a C string to a byte slice. The
signature of this function is similar to the new std::slice::from_raw_buf
function and will use the lifetime of the pointer itself as an anchor for the
lifetime of the returned slice.
These two functions solve the use case (2) above where a C string just needs to
be inspected. Because a C string is fundamentally just a pile of bytes, it's
interpreted in Rust as a u8 slice. With these two functions, all of the
following functions will also be deprecated:
std::str::from_c_str - this function should be replaced with
ffi::c_str_to_bytes plus one of str::from_utf8 or
str::from_utf8_unchecked.String::from_raw_buf - similarly to from_c_str, each step should be
composed individually to perform the required checks. This would involve using
ffi::c_str_to_bytes, str::from_utf8, and .to_string().String::from_raw_buf_len - this should be replaced the same way as
String::from_raw_buf except that slice::from_raw_buf is used instead of
ffi.c_vecThe new ffi module serves as a solution to desires (1) and (2) above, but
the third use case is left unsolved so far. This is what the current c_vec
module is attempting to solve, but it does so in a somewhat ad-hoc fashion. The
constructor for the type takes a proc destructor to invoke when the vector is
dropped to allow for custom destruction. To make matters a little more
interesting, the CVec type provides a default constructor which invokes
libc::free on the pointer.
Transferring ownership of pointers without a custom deallocation function is in
general quite a dangerous operation for libraries to perform. Not all platforms
support the ability to malloc in one library and free in the other, and this
is also generally considered an antipattern.
Creating a custom wrapper struct with a simple Deref and Drop implementation
as necessary is likely to be sufficient for this use case, so this RFC proposes
removing the entire c_vec module with no replacement. It is expected that a
utility crate for interoperating with raw pointers in this fashion may manifest
itself on crates.io, and inclusion into the standard library can be considered
at that time.
The design above has been implemented in a branch of mine where the
fallout can be seen. The primary impact of this change is that the to_c_str
and with_c_str methods are no longer in the prelude by default, and
CString::from_* must be called in order to create a C string.
Whenever Rust works with a C string, it's tough to avoid the cost associated with the initial length calculation. All types provided here involve calculating the length of a C string up front, and no type is provided to operate on a C string without calculating its length.
With the removal of the ToCStr trait, unnecessary allocations may be made
when converting to a CString. For example, a Vec<u8> can be called by
directly calling CString::from_vec, but it may be more frequently called via
CString::from_slice, resulting in an unnecessary allocation. Note, however,
that one would have to remember to call into_c_str on the ToCStr trait, so
it doesn't necessarily help too too much.
The ergonomics of operating C strings have been somewhat reduced as part of
this design. The CString::from_slice method is somewhat long to call
(compared to to_c_string), and convenience methods of going straight from a
*const libc::c_char were deprecated in favor of only supporting a conversion
to a slice.
There is an alternative RFC
which discusses pursuit of today's general design of the c_str module as
well as a refinement of its current types.
The from_vec_unchecked function could do precisely 0 work instead of always
pushing a 0 at the end.
On some platforms, libc::c_char is not necessarily just one byte, which
these types rely on. It's unclear how much this should affect the design of
this module as to how important these platforms are.
Are the *_with_nul functions necessary on CString?