-
Notifications
You must be signed in to change notification settings - Fork 13k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Create windows/api.rs
for safer FFI
#116816
Conversation
If someone else familiiar with Windows wants to get to this before me, be my guest, but queueing this for now. |
Thanks @workingjubilee! I'd be interested in a general vibe check. Like do you think this is a good idea in principle (the specific implementation aside). |
Yes, I do. I think |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
There were a few "hrm, really?" moments but then I did the doublecheck on the types/etc. and it seems exactly what we want. Perfect, no notes.
@bors r+ |
…kingjubilee Rollup of 8 pull requests Successful merges: - rust-lang#116534 (Remove -Zdep-tasks.) - rust-lang#116739 (Make `E0277` use short paths) - rust-lang#116816 (Create `windows/api.rs` for safer FFI) - rust-lang#116945 (When encountering sealed traits, point types that implement it) - rust-lang#117025 (Cleanup and improve `--check-cfg` implementation) - rust-lang#117256 (Parse rustc version at compile time) - rust-lang#117268 (`rustc_interface` cleanups) - rust-lang#117277 (fix failure to detect a too-big-type after adding padding) r? `@ghost` `@rustbot` modify labels: rollup
Rollup merge of rust-lang#116816 - ChrisDenton:api.rs, r=workingjubilee Create `windows/api.rs` for safer FFI FFI is inherently unsafe. For memory safety we need to assert that some contract is being upheld on both sides of the FFI, though of course we can only ever check our side. In Rust, `unsafe` blocks are used to assert safety and `// SAFETY` comments describing why it is safe. Currently in sys/windows we have a lot of this unsafety spread all over the place, with variations on the same unsafe patterns repeated. And because of the repitition and frequency, we're a bit lax with the safety comments. This PR aims to fix this and to make FFI safety more auditable by creating an `api` module with the goal of centralising and consolidating this unsafety. It contains thin wrappers around the Windows API that make most functions safe to call or, if that's not possible, then at least safer. Note that its goal is *only* to address safety. It does not stray far from the Windows API and intentionally does not attempt to make higher lever wrappers around, for example, file handles. This is better left to the existing modules. The windows/api.rs file has a top level comment to help future contributors understand the intent of the module and the design decisions made. I chose two functions as a first tentative step towards the above goal: - [`GetLastError`](https://learn.microsoft.com/en-us/windows/win32/api/errhandlingapi/nf-errhandlingapi-getlasterror) is trivially safe. There's no reason to wrap it in an `unsafe` block every time. So I simply created a safe `get_last_error` wrapper. - [`SetFileInformationByHandle`](https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-setfileinformationbyhandle) is more complex. It essentially takes a generic type but over a C API which necessitates some amount of ceremony. Rather than implementing similar unsafe patterns in multiple places, I provide a safe `set_file_information_by_handle` that takes a Rusty generic type and handles converting that to the form required by the C FFI. r? libs
74: Automated pull from upstream `master` r=tshepang a=github-actions[bot] This PR pulls the following changes from the upstream repository: * rust-lang/rust#117363 * rust-lang/rust#116405 * rust-lang/rust#117415 * rust-lang/rust#117414 * rust-lang/rust#117411 * rust-lang/rust#117403 * rust-lang/rust#117398 * rust-lang/rust#117396 * rust-lang/rust#117389 * rust-lang/rust#116862 * rust-lang/rust#117405 * rust-lang/rust#117395 * rust-lang/rust#117390 * rust-lang/rust#117383 * rust-lang/rust#117376 * rust-lang/rust#117370 * rust-lang/rust#117357 * rust-lang/rust#117356 * rust-lang/rust#117317 * rust-lang/rust#117132 * rust-lang/rust#117068 * rust-lang/rust#112463 * rust-lang/rust#117267 * rust-lang/rust#116939 * rust-lang/rust#117387 * rust-lang/rust#117385 * rust-lang/rust#117382 * rust-lang/rust#117371 * rust-lang/rust#117365 * rust-lang/rust#117350 * rust-lang/rust#117205 * rust-lang/rust#117177 * rust-lang/rust#117147 * rust-lang/rust#116485 * rust-lang/rust#117328 * rust-lang/rust#117332 * rust-lang/rust#117089 * rust-lang/rust#116733 * rust-lang/rust#116889 * rust-lang/rust#116270 * rust-lang/rust#117354 * rust-lang/rust#117337 * rust-lang/rust#117312 * rust-lang/rust#117082 * rust-lang/rust#117043 * rust-lang/rust#115968 * rust-lang/rust#117336 * rust-lang/rust#117325 * rust-lang/rust#117322 * rust-lang/rust#117259 * rust-lang/rust#117170 * rust-lang/rust#117335 * rust-lang/rust#117319 * rust-lang/rust#117316 * rust-lang/rust#117311 * rust-lang/rust#117162 * rust-lang/rust#115773 * rust-lang/rust#116447 * rust-lang/rust#117149 * rust-lang/rust#116240 * rust-lang/rust#117123 * rust-lang/rust#81746 * rust-lang/rust#117038 * rust-lang/rust#116609 * rust-lang/rust#117309 * rust-lang/rust#117277 * rust-lang/rust#117268 * rust-lang/rust#117256 * rust-lang/rust#117025 * rust-lang/rust#116945 * rust-lang/rust#116816 * rust-lang/rust#116739 * rust-lang/rust#116534 * rust-lang/rust#117253 * rust-lang/rust#117302 * rust-lang/rust#117197 * rust-lang/rust#116471 * rust-lang/rust#117294 * rust-lang/rust#117287 * rust-lang/rust#117281 * rust-lang/rust#117270 * rust-lang/rust#117247 * rust-lang/rust#117246 * rust-lang/rust#117212 * rust-lang/rust#116834 * rust-lang/rust#103208 * rust-lang/rust#117166 * rust-lang/rust#116751 * rust-lang/rust#116858 * rust-lang/rust#117272 * rust-lang/rust#117266 * rust-lang/rust#117262 * rust-lang/rust#117241 * rust-lang/rust#117240 * rust-lang/rust#116868 * rust-lang/rust#114998 * rust-lang/rust#116205 * rust-lang/rust#117260 * rust-lang/rust#116035 * rust-lang/rust#113183 * rust-lang/rust#117249 * rust-lang/rust#117243 * rust-lang/rust#117188 * rust-lang/rust#117114 * rust-lang/rust#117106 * rust-lang/rust#117032 * rust-lang/rust#116968 * rust-lang/rust#116581 * rust-lang/rust#117228 * rust-lang/rust#117221 * rust-lang/rust#117214 * rust-lang/rust#117207 * rust-lang/rust#117202 * rust-lang/rust#117194 * rust-lang/rust#117143 * rust-lang/rust#117095 * rust-lang/rust#116905 * rust-lang/rust#117171 * rust-lang/rust#113262 * rust-lang/rust#112875 * rust-lang/rust#116983 * rust-lang/rust#117148 * rust-lang/rust#117115 * rust-lang/rust#116818 * rust-lang/rust#115872 * rust-lang/rust#117193 * rust-lang/rust#117175 * rust-lang/rust#117009 * rust-lang/rust#117008 * rust-lang/rust#116931 * rust-lang/rust#116553 * rust-lang/rust#116401 * rust-lang/rust#117180 * rust-lang/rust#117173 * rust-lang/rust#117163 * rust-lang/rust#117159 * rust-lang/rust#117154 * rust-lang/rust#117152 * rust-lang/rust#117141 * rust-lang/rust#117111 * rust-lang/rust#117172 * rust-lang/rust#117168 * rust-lang/rust#117160 * rust-lang/rust#117158 * rust-lang/rust#117150 * rust-lang/rust#117136 * rust-lang/rust#117133 * rust-lang/rust#116801 * rust-lang/rust#117165 * rust-lang/rust#117113 * rust-lang/rust#117102 * rust-lang/rust#117076 * rust-lang/rust#116236 * rust-lang/rust#116993 * rust-lang/rust#117139 * rust-lang/rust#116482 * rust-lang/rust#115796 * rust-lang/rust#117135 * rust-lang/rust#117127 * rust-lang/rust#117010 * rust-lang/rust#116943 * rust-lang/rust#116841 * rust-lang/rust#116792 * rust-lang/rust#116714 * rust-lang/rust#116396 * rust-lang/rust#116094 * rust-lang/rust#117126 * rust-lang/rust#117105 * rust-lang/rust#117093 * rust-lang/rust#117092 * rust-lang/rust#117091 * rust-lang/rust#117081 * rust-lang/rust#116773 * rust-lang/rust#117124 * rust-lang/rust#116461 * rust-lang/rust#116435 * rust-lang/rust#116319 * rust-lang/rust#116238 * rust-lang/rust#116998 * rust-lang/rust#116300 * rust-lang/rust#117103 * rust-lang/rust#117086 * rust-lang/rust#117074 * rust-lang/rust#117070 * rust-lang/rust#117046 * rust-lang/rust#116859 * rust-lang/rust#107159 * rust-lang/rust#116033 * rust-lang/rust#107009 * rust-lang/rust#117087 * rust-lang/rust#117073 * rust-lang/rust#117064 * rust-lang/rust#117040 * rust-lang/rust#116978 * rust-lang/rust#116960 * rust-lang/rust#116837 * rust-lang/rust#116835 * rust-lang/rust#116849 * rust-lang/rust#117071 * rust-lang/rust#117069 * rust-lang/rust#117051 * rust-lang/rust#117049 * rust-lang/rust#117044 * rust-lang/rust#117042 * rust-lang/rust#105666 * rust-lang/rust#116606 * rust-lang/rust#117066 * rust-lang/rust#115324 * rust-lang/rust#117062 * rust-lang/rust#117000 * rust-lang/rust#117007 * rust-lang/rust#117018 * rust-lang/rust#116256 * rust-lang/rust#117041 * rust-lang/rust#117037 * rust-lang/rust#117034 * rust-lang/rust#116989 * rust-lang/rust#116985 * rust-lang/rust#116950 * rust-lang/rust#116956 * rust-lang/rust#116932 * rust-lang/rust#117031 * rust-lang/rust#117030 * rust-lang/rust#117028 * rust-lang/rust#117026 * rust-lang/rust#116992 * rust-lang/rust#116981 * rust-lang/rust#116955 * rust-lang/rust#116928 * rust-lang/rust#116312 * rust-lang/rust#116368 * rust-lang/rust#116922 * rust-lang/rust#117021 * rust-lang/rust#117020 * rust-lang/rust#117019 * rust-lang/rust#116975 * rust-lang/rust#106601 * rust-lang/rust#116734 * rust-lang/rust#117013 * rust-lang/rust#116995 * rust-lang/rust#116990 * rust-lang/rust#116974 * rust-lang/rust#116964 * rust-lang/rust#116961 * rust-lang/rust#116917 * rust-lang/rust#116911 * rust-lang/rust#114521 * rust-lang/rust#117011 * rust-lang/rust#116958 * rust-lang/rust#116951 * rust-lang/rust#116966 * rust-lang/rust#116965 * rust-lang/rust#116962 * rust-lang/rust#116946 * rust-lang/rust#116899 * rust-lang/rust#116785 * rust-lang/rust#116838 * rust-lang/rust#116875 * rust-lang/rust#116874 * rust-lang/rust#115214 * rust-lang/rust#116810 * rust-lang/rust#116940 * rust-lang/rust#116921 * rust-lang/rust#116906 * rust-lang/rust#116896 * rust-lang/rust#116650 * rust-lang/rust#116132 * rust-lang/rust#116037 * rust-lang/rust#116923 * rust-lang/rust#116912 * rust-lang/rust#116908 * rust-lang/rust#116883 * rust-lang/rust#116829 * rust-lang/rust#116795 * rust-lang/rust#116761 * rust-lang/rust#116663 * rust-lang/rust#114534 * rust-lang/rust#116402 * rust-lang/rust#116493 * rust-lang/rust#116046 * rust-lang/rust#116887 * rust-lang/rust#116885 * rust-lang/rust#116879 * rust-lang/rust#116870 * rust-lang/rust#116865 * rust-lang/rust#116856 * rust-lang/rust#116812 * rust-lang/rust#116815 * rust-lang/rust#116814 * rust-lang/rust#116713 * rust-lang/rust#116830 Co-authored-by: Matthias Krüger <[email protected]> Co-authored-by: antoyo <[email protected]> Co-authored-by: Antoni Boucher <[email protected]> Co-authored-by: bors <[email protected]> Co-authored-by: Esteban Küber <[email protected]> Co-authored-by: Kjetil Kjeka <[email protected]> Co-authored-by: clubby789 <[email protected]> Co-authored-by: okaneco <[email protected]> Co-authored-by: David Tolnay <[email protected]> Co-authored-by: Nadrieril <[email protected]> Co-authored-by: Celina G. Val <[email protected]> Co-authored-by: Ralf Jung <[email protected]> Co-authored-by: Zalathar <[email protected]> Co-authored-by: Havard Eidnes <[email protected]> Co-authored-by: Jacob Pratt <[email protected]> Co-authored-by: Kjetil Kjeka <[email protected]>
74: Automated pull from upstream `master` r=tshepang a=github-actions[bot] This PR pulls the following changes from the upstream repository: * rust-lang/rust#117363 * rust-lang/rust#116405 * rust-lang/rust#117415 * rust-lang/rust#117414 * rust-lang/rust#117411 * rust-lang/rust#117403 * rust-lang/rust#117398 * rust-lang/rust#117396 * rust-lang/rust#117389 * rust-lang/rust#116862 * rust-lang/rust#117405 * rust-lang/rust#117395 * rust-lang/rust#117390 * rust-lang/rust#117383 * rust-lang/rust#117376 * rust-lang/rust#117370 * rust-lang/rust#117357 * rust-lang/rust#117356 * rust-lang/rust#117317 * rust-lang/rust#117132 * rust-lang/rust#117068 * rust-lang/rust#112463 * rust-lang/rust#117267 * rust-lang/rust#116939 * rust-lang/rust#117387 * rust-lang/rust#117385 * rust-lang/rust#117382 * rust-lang/rust#117371 * rust-lang/rust#117365 * rust-lang/rust#117350 * rust-lang/rust#117205 * rust-lang/rust#117177 * rust-lang/rust#117147 * rust-lang/rust#116485 * rust-lang/rust#117328 * rust-lang/rust#117332 * rust-lang/rust#117089 * rust-lang/rust#116733 * rust-lang/rust#116889 * rust-lang/rust#116270 * rust-lang/rust#117354 * rust-lang/rust#117337 * rust-lang/rust#117312 * rust-lang/rust#117082 * rust-lang/rust#117043 * rust-lang/rust#115968 * rust-lang/rust#117336 * rust-lang/rust#117325 * rust-lang/rust#117322 * rust-lang/rust#117259 * rust-lang/rust#117170 * rust-lang/rust#117335 * rust-lang/rust#117319 * rust-lang/rust#117316 * rust-lang/rust#117311 * rust-lang/rust#117162 * rust-lang/rust#115773 * rust-lang/rust#116447 * rust-lang/rust#117149 * rust-lang/rust#116240 * rust-lang/rust#117123 * rust-lang/rust#81746 * rust-lang/rust#117038 * rust-lang/rust#116609 * rust-lang/rust#117309 * rust-lang/rust#117277 * rust-lang/rust#117268 * rust-lang/rust#117256 * rust-lang/rust#117025 * rust-lang/rust#116945 * rust-lang/rust#116816 * rust-lang/rust#116739 * rust-lang/rust#116534 * rust-lang/rust#117253 * rust-lang/rust#117302 * rust-lang/rust#117197 * rust-lang/rust#116471 * rust-lang/rust#117294 * rust-lang/rust#117287 * rust-lang/rust#117281 * rust-lang/rust#117270 * rust-lang/rust#117247 * rust-lang/rust#117246 * rust-lang/rust#117212 * rust-lang/rust#116834 * rust-lang/rust#103208 * rust-lang/rust#117166 * rust-lang/rust#116751 * rust-lang/rust#116858 * rust-lang/rust#117272 * rust-lang/rust#117266 * rust-lang/rust#117262 * rust-lang/rust#117241 * rust-lang/rust#117240 * rust-lang/rust#116868 * rust-lang/rust#114998 * rust-lang/rust#116205 * rust-lang/rust#117260 * rust-lang/rust#116035 * rust-lang/rust#113183 * rust-lang/rust#117249 * rust-lang/rust#117243 * rust-lang/rust#117188 * rust-lang/rust#117114 * rust-lang/rust#117106 * rust-lang/rust#117032 * rust-lang/rust#116968 * rust-lang/rust#116581 * rust-lang/rust#117228 * rust-lang/rust#117221 * rust-lang/rust#117214 * rust-lang/rust#117207 * rust-lang/rust#117202 * rust-lang/rust#117194 * rust-lang/rust#117143 * rust-lang/rust#117095 * rust-lang/rust#116905 * rust-lang/rust#117171 * rust-lang/rust#113262 * rust-lang/rust#112875 * rust-lang/rust#116983 * rust-lang/rust#117148 * rust-lang/rust#117115 * rust-lang/rust#116818 * rust-lang/rust#115872 * rust-lang/rust#117193 * rust-lang/rust#117175 * rust-lang/rust#117009 * rust-lang/rust#117008 * rust-lang/rust#116931 * rust-lang/rust#116553 * rust-lang/rust#116401 * rust-lang/rust#117180 * rust-lang/rust#117173 * rust-lang/rust#117163 * rust-lang/rust#117159 * rust-lang/rust#117154 * rust-lang/rust#117152 * rust-lang/rust#117141 * rust-lang/rust#117111 * rust-lang/rust#117172 * rust-lang/rust#117168 * rust-lang/rust#117160 * rust-lang/rust#117158 * rust-lang/rust#117150 * rust-lang/rust#117136 * rust-lang/rust#117133 * rust-lang/rust#116801 * rust-lang/rust#117165 * rust-lang/rust#117113 * rust-lang/rust#117102 * rust-lang/rust#117076 * rust-lang/rust#116236 * rust-lang/rust#116993 * rust-lang/rust#117139 * rust-lang/rust#116482 * rust-lang/rust#115796 * rust-lang/rust#117135 * rust-lang/rust#117127 * rust-lang/rust#117010 * rust-lang/rust#116943 * rust-lang/rust#116841 * rust-lang/rust#116792 * rust-lang/rust#116714 * rust-lang/rust#116396 * rust-lang/rust#116094 * rust-lang/rust#117126 * rust-lang/rust#117105 * rust-lang/rust#117093 * rust-lang/rust#117092 * rust-lang/rust#117091 * rust-lang/rust#117081 * rust-lang/rust#116773 * rust-lang/rust#117124 * rust-lang/rust#116461 * rust-lang/rust#116435 * rust-lang/rust#116319 * rust-lang/rust#116238 * rust-lang/rust#116998 * rust-lang/rust#116300 * rust-lang/rust#117103 * rust-lang/rust#117086 * rust-lang/rust#117074 * rust-lang/rust#117070 * rust-lang/rust#117046 * rust-lang/rust#116859 * rust-lang/rust#107159 * rust-lang/rust#116033 * rust-lang/rust#107009 * rust-lang/rust#117087 * rust-lang/rust#117073 * rust-lang/rust#117064 * rust-lang/rust#117040 * rust-lang/rust#116978 * rust-lang/rust#116960 * rust-lang/rust#116837 * rust-lang/rust#116835 * rust-lang/rust#116849 * rust-lang/rust#117071 * rust-lang/rust#117069 * rust-lang/rust#117051 * rust-lang/rust#117049 * rust-lang/rust#117044 * rust-lang/rust#117042 * rust-lang/rust#105666 * rust-lang/rust#116606 * rust-lang/rust#117066 * rust-lang/rust#115324 * rust-lang/rust#117062 * rust-lang/rust#117000 * rust-lang/rust#117007 * rust-lang/rust#117018 * rust-lang/rust#116256 * rust-lang/rust#117041 * rust-lang/rust#117037 * rust-lang/rust#117034 * rust-lang/rust#116989 * rust-lang/rust#116985 * rust-lang/rust#116950 * rust-lang/rust#116956 * rust-lang/rust#116932 * rust-lang/rust#117031 * rust-lang/rust#117030 * rust-lang/rust#117028 * rust-lang/rust#117026 * rust-lang/rust#116992 * rust-lang/rust#116981 * rust-lang/rust#116955 * rust-lang/rust#116928 * rust-lang/rust#116312 * rust-lang/rust#116368 * rust-lang/rust#116922 * rust-lang/rust#117021 * rust-lang/rust#117020 * rust-lang/rust#117019 * rust-lang/rust#116975 * rust-lang/rust#106601 * rust-lang/rust#116734 * rust-lang/rust#117013 * rust-lang/rust#116995 * rust-lang/rust#116990 * rust-lang/rust#116974 * rust-lang/rust#116964 * rust-lang/rust#116961 * rust-lang/rust#116917 * rust-lang/rust#116911 * rust-lang/rust#114521 * rust-lang/rust#117011 * rust-lang/rust#116958 * rust-lang/rust#116951 * rust-lang/rust#116966 * rust-lang/rust#116965 * rust-lang/rust#116962 * rust-lang/rust#116946 * rust-lang/rust#116899 * rust-lang/rust#116785 * rust-lang/rust#116838 * rust-lang/rust#116875 * rust-lang/rust#116874 * rust-lang/rust#115214 * rust-lang/rust#116810 * rust-lang/rust#116940 * rust-lang/rust#116921 * rust-lang/rust#116906 * rust-lang/rust#116896 * rust-lang/rust#116650 * rust-lang/rust#116132 * rust-lang/rust#116037 * rust-lang/rust#116923 * rust-lang/rust#116912 * rust-lang/rust#116908 * rust-lang/rust#116883 * rust-lang/rust#116829 * rust-lang/rust#116795 * rust-lang/rust#116761 * rust-lang/rust#116663 * rust-lang/rust#114534 * rust-lang/rust#116402 * rust-lang/rust#116493 * rust-lang/rust#116046 * rust-lang/rust#116887 * rust-lang/rust#116885 * rust-lang/rust#116879 * rust-lang/rust#116870 * rust-lang/rust#116865 * rust-lang/rust#116856 * rust-lang/rust#116812 * rust-lang/rust#116815 * rust-lang/rust#116814 * rust-lang/rust#116713 * rust-lang/rust#116830 Co-authored-by: antoyo <[email protected]> Co-authored-by: Antoni Boucher <[email protected]> Co-authored-by: bors <[email protected]> Co-authored-by: Esteban Küber <[email protected]> Co-authored-by: Kjetil Kjeka <[email protected]> Co-authored-by: clubby789 <[email protected]> Co-authored-by: okaneco <[email protected]> Co-authored-by: David Tolnay <[email protected]> Co-authored-by: Nadrieril <[email protected]> Co-authored-by: Celina G. Val <[email protected]> Co-authored-by: Ralf Jung <[email protected]> Co-authored-by: Zalathar <[email protected]> Co-authored-by: Havard Eidnes <[email protected]> Co-authored-by: Jacob Pratt <[email protected]> Co-authored-by: Kjetil Kjeka <[email protected]> Co-authored-by: Matthias Krüger <[email protected]>
// Const assert that the size is less than u32::MAX. | ||
// Uses a trait to workaround restriction on using generic types in inner items. | ||
trait Win32SizeOf: Sized { | ||
const WIN32_SIZE_OF: u32 = { | ||
let size = core::mem::size_of::<Self>(); | ||
assert!(size <= u32::MAX as usize); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Comment says about less than u32::MAX
, but actual code checks assert!(size <= u32::MAX as usize);
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I assume this is because the size should not exceed u32::MAX
, right @ChrisDenton? Happy to r+ a patch changing the comment to that effect.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yeah, I probably meant to write "less than or equal" but "not exceed" reads better.
library: fix comment about const assert in win api Resolves [comment ](rust-lang#116816 (comment)) r? `@workingjubilee`
Rollup merge of rust-lang#118669 - klensy:comment-fix, r=workingjubilee library: fix comment about const assert in win api Resolves [comment ](rust-lang#116816 (comment)) r? `@workingjubilee`
FFI is inherently unsafe. For memory safety we need to assert that some contract is being upheld on both sides of the FFI, though of course we can only ever check our side. In Rust,
unsafe
blocks are used to assert safety and// SAFETY
comments describing why it is safe. Currently in sys/windows we have a lot of this unsafety spread all over the place, with variations on the same unsafe patterns repeated. And because of the repitition and frequency, we're a bit lax with the safety comments.This PR aims to fix this and to make FFI safety more auditable by creating an
api
module with the goal of centralising and consolidating this unsafety. It contains thin wrappers around the Windows API that make most functions safe to call or, if that's not possible, then at least safer. Note that its goal is only to address safety. It does not stray far from the Windows API and intentionally does not attempt to make higher lever wrappers around, for example, file handles. This is better left to the existing modules. The windows/api.rs file has a top level comment to help future contributors understand the intent of the module and the design decisions made.I chose two functions as a first tentative step towards the above goal:
GetLastError
is trivially safe. There's no reason to wrap it in anunsafe
block every time. So I simply created a safeget_last_error
wrapper.SetFileInformationByHandle
is more complex. It essentially takes a generic type but over a C API which necessitates some amount of ceremony. Rather than implementing similar unsafe patterns in multiple places, I provide a safeset_file_information_by_handle
that takes a Rusty generic type and handles converting that to the form required by the C FFI.r? libs