windows-rs icon indicating copy to clipboard operation
windows-rs copied to clipboard

Published 20 hours ago verified publisher icon microsoft

Bug: _Impl trait should use `unsafe fn` if any of its parameters are pointers

Open saschanaz opened this issue 3 years ago • 8 comments

Which crate is this about?

windows

Crate version

0.32.0

Summary

#[implement(Windows::Win32::Graphics::Imaging::IWICBitmapFrameDecode)]
pub struct Foo {}

impl IWICBitmapSource_Impl for Foo {
    fn GetSize(&mut self, puiwidth: *mut u32, puiheight: *mut u32) -> windows::core::Result<()> {
        unsafe {
            *puiwidth = 0u32;
            *puiheight = 0u32;
        }
        Ok(())
    }
    /* ... */
}

Expected behavior

It should be an unsafe fn as the implementation is expected to dereference the pointer parameters.

Actual behavior

Everything is just a safe fn.

Additional comments

cargo clippy is unsatisfied:

error: this public function might dereference a raw pointer but is not marked `unsafe`
   --> src\lib.rs:149:14
    |
149 |             *puiwidth = self.decoded.borrow().basic_info.xsize;
    |              ^^^^^^^^
    |
    = note: `#[deny(clippy::not_unsafe_ptr_arg_deref)]` on by default
    = help: for further information visit https://rust-lang.github.io/rust-clippy/master/index.html#not_unsafe_ptr_arg_deref

saschanaz avatar Feb 05 '22 18:02 saschanaz

Good feedback - thanks! Will add detection for this and use unsafe fn accordingly.

kennykerr avatar Feb 09 '22 04:02 kennykerr

BTW, can this specific function accept a tuple as a return type instead?

saschanaz avatar Feb 09 '22 14:02 saschanaz

BTW, can this specific function accept a tuple as a return type instead?

I'm not sure what you mean. Do you have an example?

kennykerr avatar Feb 09 '22 17:02 kennykerr

I mean, IWICBitmapSource_Impl::GetSize has two [out] parameters, and windows-rs can convert out parameters into a return type, so why not a tuple here? 👀

saschanaz avatar Feb 10 '22 00:02 saschanaz

The challenge is figuring out whether it is appropriate just by looking at the metadata.

kennykerr avatar Feb 25 '22 04:02 kennykerr

Regarding the original issue/question, I think I need to finally look a little closer at how we delineate what is safe and unsafe in the Windows API. Right now, all WinRT APIs are safe and the rest are not. That is somewhat arbitrary, and I'd like to do something perhaps more in line with clippy's decision making here where it depends on the signature of a particular function.

kennykerr avatar Feb 25 '22 04:02 kennykerr

Could this be implemented as an attribute within the win32metadata? "This function is sound to call with any arguments/environment, requiring only the parameters satisfy the listed types"

Plecra avatar Jan 24 '23 14:01 Plecra

You could ask them. I doubt it would be simple to figure out though, given the large scope of APIs. I also think .NET has its own interpretation of safety here so it may be language specific. .NET seems to define a method as unsafe if any of its parameters include a pointer but doesn't account for value types that contain pointers. 🤷‍♂️

kennykerr avatar Jan 24 '23 16:01 kennykerr