3 releases (breaking)

0.3.0 Oct 25, 2021
0.2.0 Apr 7, 2020
0.1.0 Apr 21, 2018

#2756 in Rust patterns

Download history 29201/week @ 2023-10-19 28878/week @ 2023-10-26 26320/week @ 2023-11-02 26638/week @ 2023-11-09 28493/week @ 2023-11-16 16808/week @ 2023-11-23 49996/week @ 2023-11-30 38744/week @ 2023-12-07 34291/week @ 2023-12-14 12281/week @ 2023-12-21 18247/week @ 2023-12-28 37028/week @ 2024-01-04 36737/week @ 2024-01-11 40941/week @ 2024-01-18 31864/week @ 2024-01-25 28787/week @ 2024-02-01

146,850 downloads per month
Used in 2 crates

MIT license

48KB
646 lines

FFI Helpers

License Crates.io Documentation

A crate to make working with FFI code easier.

This is the open-source version of a utility crate we use at work. The original purpose was to make it easier for Rust modules (DLLs) to integrate with our main GUI application. We found it to be particularly elegant and robust to use, so thought it'd be a nice thing to share with the world.

Features

This tries to give you a set of abstractions upon which safe APIs can be built. It tries to deal with several issues commonly encountered when writing FFI code.

Error Handling

Error handling is done via a private thread-local LAST_ERROR variable which lets you indicate a error using a similar mechanism to errno.

The idea is if a Rust function returns a Result::Err(_), it'll pass that error to LAST_ERROR and then return an obviously wrong value (e.g. null or 0). The caller then checks for this return and can inspect LAST_ERROR for more information.

A macro is provided to let you inspect LAST_ERROR from C.

Null Pointers

The null_pointer_check!() macro will check whether some nullable thing is null, if so it'll bail with an erroneous return value (null for functions returning pointers or 0 for integers) and set the LAST_ERROR to indicate a null pointer was encountered.

We use a Nullable trait to represent anything which has some sort of "obviously invalid" value (e.g. null pointers, 0).

pub trait Nullable {
    const NULL: Self;

    fn is_null(&self) -> bool;
}

The null_pointer_check!() then lets you check whether a particular thing is invalid, setting the LAST_ERROR, and returning early from the current function with Nullable::NULL.

In practice, this turns out to make handling the possibility of invalid input quite ergonomic.

struct Foo {
  data: Vec<u8>,
}

#[no_mangle]
unsafe extern "C" fn foo_get_data(foo: *const Foo) -> *const u8 {
    null_pointer_check!(foo);

    let foo = &*foo;
    foo.data.as_ptr()
}

Exception Safety

Exception safety becomes a concern when a bit of Rust code panics and tries to unwind across the FFI barrier. At the moment this will abort the program and, while no longer straight up Undefined Behaviour, this is still a massive pain to work around.

There is a catch_panic() function that lets you execute some code and will catch any unwinding, updating the LAST_ERROR appropriately. The catch_panic!() macro makes this a little easier and works with the Nullable trait so you can bail out of a function, returning an error (Nullable::NULL).

Splitting a Closure Into Data and Code

It's quite common for FFI functions that work with callbacks to accept an additional void *user_data argument pointing to any extra state the user may want to use. It doesn't allow the programmer to use

The split_closure() function can be used to "split" a pointer to a closure into a pointer to its data and an unsafe extern "C" fn() which can be used as a callback.

Rust closures are implemented by generating a custom type to contain any captured state, and an impl for FnMut() (or Fn(), or FnOnce()). This function works by casting the closure pointer to void * (this is our data) and defining a trampoline function which will cast the data back and invoke the closure.

It's essentially a generalisation of this:

fn split<C>(closure: &mut C) -> (*mut c_void, unsafe extern "C" fn(*mut c_void))
where C: FnMut()
{
    unsafe extern "C" fn trampoline<T>(user_data: *mut c_void) {
        let closure: &mut T = &mut *(user_data as *mut T);

        closure();
    }

    (closure as *mut C as *mut c_void, trampoline::<T>)
}

Asynchronous Tasks

The Task API helps handle the tricky concurrency issues you encounter when running a job on a background thread and then trying to expose this to C, while maintaining memory- and thread-safety.

The Task trait itself is quite simple:

pub trait Task: Send + Sync + Clone {
    type Output: Send + Sync;
    fn run(&self, cancel_tok: &CancellationToken) -> Result<Self::Output, Error>;
}

You then generate the bindings via the export_task!() macro. This will declare various extern "C" functions for spawning the Task on a background thread, periodically checking whether it's done, allowing you to cancel the task, then retrieve the result and clean everything up properly afterwards.

This is probably the crate's killer feature as it lets you to painlessly run Rust tasks in the background, allowing you to integrate it into a larger application/GUI.

It is highly recommended to visit the task module's docs for a more detailed explanation.

Dependencies

~0.4–1MB
~22K SLoC