Use #[repr(transparent)] newtype to hold FFI error codes
#696
Conversation
src/aead/aes_gcm.rs
Outdated
| GFp_aes_gcm_seal(ctx.as_ptr(), in_out.as_mut_ptr(), in_out.len(), tag, | ||
| nonce, ad.as_ptr(), ad.len()) | ||
| }) | ||
| }.into() |
There was a problem hiding this comment.
I don't find this as clear as the existing code but I guess people would learn it fast enough.
Would Result::from be a workable improvement?
There was a problem hiding this comment.
Using Result::from everywhere is fine. You have to explicitly qualify it anyways when using the ? operator if the Ok type returned by the function is not ().
Another option is to add a method like into_result to ErrorCode which solves the type deduction problem but doesn't require wrapping the whole unsafe block in another set of parens.
src/bssl.rs
Outdated
| use {c, error}; | ||
|
|
||
| /// The meaning of the error code returned by a foreign function. | ||
| pub trait Semantics { |
There was a problem hiding this comment.
I don't see the advantage of factoring this out into a trait. One of the design principles of ring is to avoid unnecessary abstractions, and at least the way the code is currently, this abstraction isn't necessary.
There was a problem hiding this comment.
Just two separate structs here then?
I had imagined that this would make it easy to share code later as features were added, but that's kind of the definition of overabstraction :)
There was a problem hiding this comment.
Also, how do you feel about using Posix to mean "returns zero on failure". It was the best, shortest thing I could think of, but bssl::PosixResult reads a bit strangely.
src/bssl.rs
Outdated
| 1 => true, | ||
| c => { | ||
| // Be pedantic in debug mode to catch some cases where function signatures are | ||
| // wrongly defined. |
There was a problem hiding this comment.
What are examples of such wrongly-defined functions?
There was a problem hiding this comment.
By wrongly defined I meant that an author adding a new extern declaration might mistakenly use the wrong return type (e.g. fn() -> bssl::ErrorCode for a function which returns a negative value on error).
There was a problem hiding this comment.
In that case I would say "any cases where [whatever type name we decide on] might be misused."
src/bssl.rs
Outdated
| #[must_use] | ||
| #[repr(transparent)] | ||
| #[derive(Debug, Clone, Copy)] | ||
| pub struct ErrorCode<S = BoringSsl> { |
There was a problem hiding this comment.
I don't think ErrorCode is a very good name for this boolean flag. I think Result would make more sense since BoringSSL's boolean results are basically Result<(), ()>s.
There was a problem hiding this comment.
Agreed. I avoided it initially since modname::Result is usually a type alias for std::result::Result with the error type defined.
src/bssl.rs
Outdated
| pub enum BoringSsl {} | ||
|
|
||
| impl Semantics for BoringSsl { | ||
| fn is_success(code: c::int) -> bool { |
There was a problem hiding this comment.
I would say, rather than defining an is_success() -> bool function, just inline this logic directly into the From implementation that does the conversion to Result<(), error::Unspecified>.
src/aead/aes_gcm.rs
Outdated
| fn GFp_AES_set_encrypt_key(key: *const u8, bits: usize, | ||
| aes_key: *mut AES_KEY) -> c::int; | ||
| aes_key: *mut AES_KEY) -> bssl::PosixStyleErrorCode; |
There was a problem hiding this comment.
Is this the only function like this you've found? I'd rather change the C code to use the regular boolean conventions and rename it, than add this complexity.
There was a problem hiding this comment.
There are also system APIs being used which return 0 on success, but to my knowledge this is the only currently used function from BoringSSL which has that convention.
|
There's also a WIN32 function which returns one on success, but uses a Based on your feedback as well as this new information, I'd like to make the following sets of changes:
I could also eliminate the POSIX-style and Win32Bool wrappers, change I was just perusing the list of good-first-bugss and saw this one. Sorry if this took more time for you to review than it would to have implemented it. Thanks for all the work you've done in the Rust community! |
|
For that one single Win32 function, why not just change the FFI declaration of the function to use function-level #[link_name = "SystemFunction036"]
#[must_use]
fn RtlGenRandom(random_buffer: *mut u8,
random_buffer_length: c::win32::ULONG)
-> c::win32::BOOLEAN;I suggest we skip the Posix case for now as I think it's trickier and also I hope we can eliminate the use of "POSIX" semantics from non-Posix functions like that AES API (in a separate PR). For the GFp/BoringSSL API, maybe we should "just" use
I suggest we just skip this, regardless.
Sounds good to me, if we need the newtypes. |
|
Both approaches statically guarantee that error codes are being checked, so the issue is more about the conversion to With the free function, the consumer must know the return code semantics at each call site, whereas with the newtype, the return code semantics must only be known at the declaration, and conversion can be done thoughtlessly via The presence or absence of I understand the proliferation of return type wrappers being undesirable, especially given the efforts to oxidize |
|
OK, I think in this PR we should go with your approach for the |
|
Got it! I'll make the changes later today. Do you want the path to the type to be |
ecstatic-morse
force-pushed
the
ffi-return-type
branch
from
0c8c066
to
c217559
Compare
appveyor.yml
Outdated
| @@ -11,7 +11,7 @@ platform: | |||
| environment: | |||
| matrix: | |||
| - TOOLCHAIN_VERSION: 14.0 | |||
| RUST: 1.26.0 | |||
| RUST: 1.28.0 | |||
There was a problem hiding this comment.
This should be done as a separate PR and we should be doing Rust 1.29.1.
There was a problem hiding this comment.
Is there a reason this isn't just "stable" instead of an explicit version number?
src/aead/aes_gcm.rs
Outdated
| @@ -172,6 +172,9 @@ mod tests { | |||
| } | |||
|
|
|||
| extern "C" { | |||
| // AES_set_encrypt_key returns 0 on success, unlike most BoringSSL functions. | |||
| // https://github.com/google/boringssl/blob/28babde159253bfa9003a445242605806fff5f1f/include/openssl/aes.h#L83 | |||
There was a problem hiding this comment.
Please remove the link to the BoringSSL code. If the comment being linked to is missing in ring then we should add the comment to ring.
There was a problem hiding this comment.
I added a comment to ring. I'm going to fix this issue next, making it irrelevant.
src/bssl.rs
Outdated
| 1 => Ok(()), | ||
| _ => Err(error::Unspecified), | ||
| /// A `c::int` returned from a foreign function containing **1** if the function was successful | ||
| /// or **0** if an error occurred. This is the convention used by BoringSSL. |
There was a problem hiding this comment.
Let's remove the "This is the convention used by BoringSSL." I don't want to conflate ring with BoringSSL.
src/bssl.rs
Outdated
| /// or **0** if an error occurred. This is the convention used by BoringSSL. | ||
| #[must_use] | ||
| #[repr(transparent)] | ||
| #[derive(Debug, Clone, Copy)] |
There was a problem hiding this comment.
Let's put #[derive(...)] first unless there's some reason not to. I usually sort these alphabetically when I remember to.
src/bssl.rs
Outdated
| c => { | ||
| // Be pedantic in debug mode to catch any cases where functions are mistakenly | ||
| // declared to return a BoringSSL-style error code when they really have | ||
| // different semantics. |
There was a problem hiding this comment.
The comment is not necessary; let's just remove it.
src/bssl.rs
Outdated
| // Be pedantic in debug mode to catch any cases where functions are mistakenly | ||
| // declared to return a BoringSSL-style error code when they really have | ||
| // different semantics. | ||
| debug_assert_eq!(c, 0, "BoringSSL functions should return 0 or 1"); |
There was a problem hiding this comment.
I suggest "bssl::Result value must be be 0 or 1" instead.
src/bssl.rs
Outdated
| mod tests { | ||
| mod result { | ||
| use {bssl, c}; | ||
| use std::mem; |
There was a problem hiding this comment.
use core::mem instead of std::mem. In general we use core instead of std whenever possible.
ecstatic-morse
force-pushed
the
ffi-return-type
branch
from
0834861
to
7ede26d
Compare
|
@ecstatic-morse This looks great. Please squash this PR into a single commit that ends with the "I agree ..." statement. The commit message should be wrapped to ~72 characters. I suggest this as the commit message (wrapped to ~72 characters): |
This commit introduces a `#[repr(transparent)]` newtype to represent the return type of foreign functions which return 1 on success and 0 on failure. This type is `#[must_use]`, so these return codes must be checked by the caller. It also adds `#[must_use]` to foreign functions which use a different convention to return an error. I agree to license my contributions to each file under the terms given at the top of each file I changed.
ecstatic-morse
force-pushed
the
ffi-return-type
branch
from
7ede26d
to
d3ee0a0
Compare
|
Squashed and rebased. |
|
Thanks! |
Resolves #451.
This PR changes the definition of some foreign functions to return a
bssl::ErrorCodeinstead ofc::int.Converting to a
Resultis now done through a conversion function rather thanbssl::map_result. It also defines marker traits for the two widely used return code conventions in this library:I agree to license my contributions to each file under the terms given
at the top of each file I changed.