Enums in FFI types are unsafe

Question

Enums in FFI types are unsafe

Stebalien opened this issue 2 years ago · comments

It looks like we're using enums in FFI types in several places, but this is inherently unsafe as we can end up creating enums with arbitrary values and the rust type system will assume that this can't happen.

This can cause problems like:

Code checking said enum value may be optimized away.
If the enum has no zero variant but a zero is passed, rust may interpret Option<Enum> as None.
Really, whatever the rust compiler wants to do.

Steven Allen commented a year ago

Fixed.

Friedel Ziegelmayer · Answer 1 · Sat Mar 19 2022 01:45:15 GMT+0800 (China Standard Time)

Asfaict all enums that are used are using repr(C) which should make them FFI safe, so I don't think these concerns apply.

Steven Allen · Answer 2 · Sun Mar 20 2022 00:16:34 GMT+0800 (China Standard Time)

It's unsafe because we call into the FFI from go without checking whether the enum variant is valid. That means we could end up constructing an "impossible" enum variant (e.g., 9999, when the only valid enum variants are 0-5). Given that the rust compiler assumes that enum variants are statically "valid" without checking, this could, e.g., cause a match statement (if implemented as a jump table) to jump to some random offset in memory.