Distinguish repr(C) ZSTs from others in ABI compatibility rules#157973
Distinguish repr(C) ZSTs from others in ABI compatibility rules#157973Jules-Bertholet wants to merge 6 commits into
repr(C) ZSTs from others in ABI compatibility rules#157973Conversation
|
rustbot has assigned @Mark-Simulacrum. Use Why was this reviewer chosen?The reviewer was selected based on:
|
| /// - Alignment 1 | ||
| /// - Not `repr(C)` | ||
| /// - Not a `repr(transparent)` wrapper around a type that fails to satisfy these conditions | ||
| /// - Not an array whose element type fails to satisfy these conditions |
There was a problem hiding this comment.
We exempt arrays for 2 reasons:
- A future version of C, or some other language we would like to do FFI with, might allow passing arrays to functions directly by value, in a way that would conflict with these guarantees
- It would be nice to also use "trivial ABI" in the specification of
repr(C), and we need this clause for that. See discussion at repr(ordered_fields) rfcs#3845 (comment)
We could also simplify this clause by saying merely:
| /// - Not an array whose element type fails to satisfy these conditions | |
| /// - Not an array |
The downside would be a larger breaking change.
Note that repr(transparent) will need to be adjusted to account for this change (by rejecting non-trivial arrays as "additional" fields).
There was a problem hiding this comment.
I'm fine with saying that "all arrays with trivial-ABI element type have trivial ABI".
However, even that less-breaking version breaks ghost again, right? Similar to dtolnay/ghost#41. ghost uses a zero-length array of *const T, which definitely does not have trivial ABI. I don't know why they do that...
EDIT: Ah, ghost is saved by having a repr(Rust) type around the array, under the rules discussed here.
There was a problem hiding this comment.
Some C ABIs pass and return ZSTs by pointer. But () should never be returned by pointer, as it must match void. To account for this, we have to weaken the present guarantee of "any two types with size 0 and alignment 1 are ABI-compatible" to exclude repr(C).
I think the implication here is that () is repr(C)? Am I reading that right? Where do we make that guarantee? Or is the thinking that the language here would make () and #[repr(C)] struct Foo; not ABI compatible?
One callout is that ZSTs aren't (I think?) standardized -- C and C++ without extensions both require types to be non-ZST if I remember right (e.g., see https://stackoverflow.com/a/2632075). Maybe that has changed since then though?
It seems like at minimum, it would be nice to avoid weakening this guarantee for Rust ABI even if we do so for C ABIs as a result of the weird platforms.
There was a problem hiding this comment.
Or is the thinking that the language here would make
()and#[repr(C)] struct Foo;not ABI compatible?
Yes, this.
One callout is that ZSTs aren't (I think?) standardized
Correct.
| /// - Any two types fulfilling all the following conditions are ABI-compatible; | ||
| /// such types are said to have "trivial ABI": |
There was a problem hiding this comment.
| /// - Any two types fulfilling all the following conditions are ABI-compatible; | |
| /// such types are said to have "trivial ABI": | |
| /// - Any two types with "trivial ABI" are ABI-compatible. | |
| /// A type has trivial ABI if is satisfies all of the following: |
|
I think I do agree with this modulo wording nits, though maybe I misread and my suggestion above (to require "all fields must have trivial ABI" rather than the oddly negated @rust-lang/opsem @rust-lang/lang what do you think? I think we do have to take back a bit of what we promised here, since we did promise too much. The current docs are plain wrong for // This is returned by-ptr.
#[repr(C)]
struct T1 {}
// This matches a C function returning `void`.
type T2 = ();In argument position they do have the same ABI, but the way we achieve this is silly: we pass a pointer for Note that we also have to adjust the logic for
I cratered the 2nd part and found 0 regressions. I don't know how to measure the fallout from the 1st breakage. We should implement this in Miri, but even that will just give us a very incomplete partial picture. That said, given that the current docs are wrong, we have to do something. The only actually open question (in my eyes) is how bespoke we want the rules to be with the aim of breaking less code.
|
Co-authored-by: Brian Smith <brian@briansmith.org> Co-authored-by: Ralf Jung <post@ralfj.de>
Co-authored-by: Ralf Jung <post@ralfj.de>
View all comments
(Split out from compiler implementation in #156112)
Some C ABIs pass and return ZSTs by pointer. But
()should never be returned by pointer, as it must matchvoid. To account for this, we have to weaken the present guarantee of "any two types with size 0 and alignment 1 are ABI-compatible" to excluderepr(C).Fixes rust-lang/unsafe-code-guidelines#552; see also #78586, #155299.
Also related to #155984.
@rustbot label T-lang A-ABI needs-fcp