From C to Rust

So let’s birth with one thing easy: we bear some struct that we desire to
initialize with some values. The values in that struct manufacture no longer require
allocation themselves and we desire to enable passing this final worth
spherical. The keep it be distributed would not subject to us, let’s appropriate save it on
the stack for this case. The muse is that after the initialization
that thing might even be handed spherical safely and printed.

#consist of 
#consist of 
#consist of 

struct role {
    const char *establish;
    bool disabled;
    int flag;
};

int predominant() {
    struct role r;
    r.establish = "traditional";
    r.flag = 1;
    r.disabled = fraudulent;
    printf("%s (%d, %s)n", r.establish, r.flag, r.disabled ? "resplendent" :  "fraudulent");
}

Now let’s write this in Rust. Let’s no longer read the medical doctors too a lot, let’s
appropriate enact a 1:1 translation to roughly the same but by using unsafe.
One indicate right here before you read the code: we’re purposefully searching for to
originate an object that seems acquainted to Rust programmers and might even be viewed
as public API. So we use a &’static str right here as a substitute of a C string so
there are some modifications to the C code.

use std:: mem;

struct Role {
    establish: &'static str,
    disabled: bool,
    flag: u32,
}

fn predominant() {
    let role = unsafe {
        let mut role: Role = mem:: zeroed();
        role.establish = "traditional";
        role.flag = 1;
        role.disabled = fraudulent;
        role
    };

    println!("{} ({}, {})", role.establish, role.flag, role.disabled);
}

So straight one will quiz why unsafe is required right here and the acknowledge is
that useless to claim you manufacture no longer want it right here. Alternatively this code will be using a
suboptimal operate: std::mem::zeroed. While you dawdle this on a recent Rust
compiler that you might perhaps ranking this consequence:

thread 'predominant' haunted at 'attempted to zero-initialize form `Role`,
  which is invalid', src/predominant.rs: 11: 30

On older Rust compilers this code will dawdle but it changed into as soon as by no are available within the market actuality
honest. So how will we solve this? The compiler already tells us that we
must make use of one thing else:

warning: the form `Role` does no longer allow zero-initialization
  --> src/predominant.rs: 11: 30
   |
11 | let mut role: Role = mem::zeroed();
   |                      ^^^^^^^^^^^^^
   |                      |
   |                      this code causes undefined behavior when completed
   |                      abet: use `MaybeUninit` as a substitute, and greatest name
   |                         `assume_init` after initialization is done
   |

So why does this form no longer reinforce zero initialization? What’s going to we must
substitute? Can zeroed no longer be passe at all? Some of that you might additionally narrate that
the acknowledge is #[repr(C)] on the struct to force a C structure but that
won’t solve the challenge. We if fact be told must attain for MaybeUninit as
the compiler indicates. So let’s attempt that first and then afterwards we
decide out why we would like it:

use std:: mem:: MaybeUninit;

struct Role {
    establish: &'static str,
    disabled: bool,
    flag: u32,
}

fn predominant() {
    let role = unsafe {
        let mut uninit = MaybeUninit:: <Role>:: uninit();
        let role = uninit.as_mut_ptr();
        (*role).establish = "traditional";
        (*role).flag = 1;
        (*role).disabled = fraudulent;
        uninit.assume_init()
    };

    println!("{} ({}, {})", role.establish, role.flag, role.disabled);
}

By swapping out zeroed for MaybeUninit all the pieces modifications. We are capable of no
longer manipulate our struct straight, we now must manipulate a raw
pointer. On legend of that raw pointer does no longer enforce deref and on legend of
Rust has no -> operator we now must dereference the pointer
completely to put the fields with that awkward syntax.

So initially: why does this work now and what changed? The acknowledge
lies within the incontrovertible fact that any earn cherish a mutable reference (&mut) or
worth on the stack in itself (even in unsafe) that might be capable
out of doors of unsafe code aloof needs to be in a sound impart at all instances.
zeroed returns a zeroed struct and there just isn’t any such thing as a bellow that that is a
capable illustration of either the struct or the fields interior it. So in
particular our &’static str reference is under no circumstances capable all
zeroed out.

A mutable reference must also by no come converse an invalid object, so doing
let role = &mut *uninit.as_mut_ptr() if that object just isn’t any longer fully
initialized will be nasty.

So let’s appropriate settle for that MaybeUninit is required and we must deal
with raw references right here. It be a runt bit cumbersome but it would not seek
too spoiled. Unfortunately we’re aloof using it nasty. Endure in mind how I
mentioned that constructing “protected issues” that manufacture no longer uphold the guarantees of
that protected thing just isn’t any longer allowed, even in unsafe code? We’re if fact be told having
exactly this happen in our code. To illustrate (*role).establish creates a
&mut &’static str within the support of the scenes which is illegitimate, even though we’re going to no longer
seek it since the memory the keep it sides to just isn’t any longer initialized.

So now we bear two original considerations: we know that &mut X just isn’t any longer allowed, but
*mut X is. How will we ranking this? Ironically except Rust 1.51 it changed into as soon as
very no longer going to earn the kind of thing with out breaking the guidelines. As of late
you will be ready to use the addr_of_mut! macro. So we’re going to enact this:

let name_ptr = std:: ptr:: addr_of_mut!((*role).establish);

Astronomical, so now we bear this pointer. How will we write into it? Can no longer you
appropriate dereference and put?

let name_ptr = std:: ptr:: addr_of_mut!((*role).establish);
*name_ptr = "traditional";

Over again, dereferencing is illegitimate, so we must enact one thing else. We are capable of
use the write come as a substitute:

addr_of_mut!((*role).establish).write("traditional");

Are we okay now? Endure in mind how we passe a normal struct? If we read the
documentation we learn that there are no longer any guarantees of the kind of struct at
all. I’m slightly obvious we’re going to rely on issues being aligned as even the
long-established motivating GitHub arena greatest calls out
#[repr(packed)] but let’s be better protected than sorry. So we now either
substitute to #[repr(C)] or we use write_unaligned as a substitute which is
suitable if Rust had been to take for a member of the struct to be unaligned. So
this might perhaps additionally perhaps be the final model:

use std:: mem:: MaybeUninit;
use std:: ptr:: addr_of_mut;

struct Role {
    establish: &'static str,
    disabled: bool,
    flag: u32,
}

fn predominant() {
    let role = unsafe {
        let mut uninit = MaybeUninit:: <Role>:: uninit();
        let role = uninit.as_mut_ptr();

        addr_of_mut!((*role).establish).write_unaligned("traditional");
        addr_of_mut!((*role).flag).write_unaligned(1);
        addr_of_mut!((*role).disabled).write_unaligned(fraudulent);

        uninit.assume_init()
    };

    println!("{} ({}, {})", role.establish, role.flag, role.disabled);
}

Is my Unsafe Lawful?

It be 2022 and I will admit that I now no longer feel confident writing unsafe
Rust code. The foundations had been potentially constantly advanced but I know from discovering out
a few unsafe Rust code over decades that most unsafe code appropriate did
no longer care about these guidelines and appropriate neglected them. There is a reason
that addr_of_mut! did no longer ranking added to the language except 1.53. Even
this day the medical doctors every scream there are no longer any guarantees on the alignment on native
rust struct reprs but a few code assumes now that write slightly than
write_unaligned is suitable.

Towards the last few years it seem to bear took space that the Rust builders
has made writing unsafe Rust extra tough in apply and the guidelines are so
advanced now that it be very tough to love for a informal programmer.
This has made one of Rust’s greatest capabilities less and no more approachable.

I’m now no longer narrate that is appropriate. In actuality, I factor in that is under no circumstances a
gigantic constructing. C interop is a runt bit fragment of what made Rust gigantic, and that
we’re constructing such large boundaries must be viewed as undesirable. More
importantly: the compiler just isn’t any longer precious in declaring after I’m doing
one thing nasty. The compiler does no longer warn that no longer using addr_of_mut!
is nasty. It also does no longer warn if I’m using write as a substitute of
write_unaligned and even consulting the medical doctors does no longer define this.

Making unsafe extra ergonomic is a tough challenge for obvious but it might bear to additionally perhaps be
worth addressing. On legend of one thing is clear: other folks won’t be stopping
writing unsafe code any time quickly.