Perhaps Rust Needs "Defer"

&gt; So now I am confused, am I allowed to free() the Vec&#x27;s pointer directly or not?<p>No, you are not; simple as that. Miri is right. Rust using malloc&#x2F;free behind the scenes is an internal implementation detail you are not supposed to rely on. Rust used to use a completely different memory allocator, and this code would have crashed at runtime if it were still the case. Since when is undocumented information obtained from strace a stable API?<p>It&#x27;s not like you can rely on Rust references and C pointers being identical in the ABI either, but the sample in the post blithely conflates them.<p>&gt; It might be a bit surprising to a pure Rust developer given the Vec guarantees, but since the C side could pass anything, we must be defensive.<p>This is just masking bugs that otherwise could have been caught by sanitizers. Better to leave it out.

The way to do this in idiomatic Rust is to make a wrapper type that implements drop:<p><pre><code> struct MyForeignPtr(*mut c_void); impl Drop for MyForeignPtr { fn drop(&amp;mut self) { unsafe { my_free_func(self.0); } } } </code></pre> Then wrap the foreign pointer with MyForeignPtr as soon as it crosses the FFI boundary into your Rust code, and only ever access the raw pointer via this wrapper object. Don&#x27;t pass the raw pointer around.

Would `Vec::into_boxed_slice` [1] be the answer here? It gives you a `Box&lt;[Foo]&gt;`, which doesn&#x27;t have a capacity (it still knows its own length).<p>1: <a href="https:&#x2F;&#x2F;doc.rust-lang.org&#x2F;std&#x2F;vec&#x2F;struct.Vec.html#method.into_boxed_slice" rel="nofollow">https:&#x2F;&#x2F;doc.rust-lang.org&#x2F;std&#x2F;vec&#x2F;struct.Vec.html#method.int...</a>

Fun fact: Box&lt;T&gt; is allowed in C FFI in arguments and return types. From C&#x27;s perspective it&#x27;s a non-NULL pointer to T, but on the Rust side it gets memory management like a native Rust type.<p>Option&lt;Box&lt;T&gt;&gt; is allowed too, and it&#x27;s a nullable pointer. Similarly &amp;mut T is supported.<p>Using C-compatible Rust types in FFI function declarations can remove a lot of boilerplate. Unfortunately, Vec and slices aren&#x27;t one of them.

Anyone who needs to handle FFI in Rust, should read the FFI chapter in Rustonomicon: <a href="https:&#x2F;&#x2F;doc.rust-lang.org&#x2F;nomicon&#x2F;ffi.html" rel="nofollow">https:&#x2F;&#x2F;doc.rust-lang.org&#x2F;nomicon&#x2F;ffi.html</a><p>Unsafe Rust is indeed very hard to write correctly. Rustonomicon is a good start to learn unsafe Rust.

&gt; Let&#x27;s ignore for now that this will surprise every C developer out there that have been doing if (NULL != ptr) free(ptr) for 50 years now.<p>If you&#x27;ve been doing C for five decades, it&#x27;s a shame not to have noticed that it&#x27;s totally fine to pass a NULL pointer to free().<p>FWIW, I don&#x27;t otherwise agreed with the thesis. I&#x27;ve written probably ten FFI wrappers around C libraries now, and in every case I was able to store C pointers in some Rust struct or other, where I could free them in a Drop implementation.<p>I also think it&#x27;s not actually that unusual for C allocators (other than the truly ancient malloc(3C) family) to require you to pass the allocation size back to the free routine. Often this size is static, so you just use sizeof on the thing you&#x27;re freeing, but when it&#x27;s not, you keep track of it yourself. This avoids the need for the allocator to do something like intersperse capacity hints before the pointers it returns.

Why would anyone expect that they can free in one language something that was allocated in another? The allocator might work completely differently and require completely different actions to free.

The article only shows Rust code calling the FFI API but suggests that C&#x2F;C++ might also be used to call the API.<p>In these cases I can imagine the caller passing in a pointer&#x2F;reference to uninitialised stack memory, which is also UB in the last version if the allocating code! A `&amp;mut T` must always point to a valid `T` and must not point to uninitialised memory.<p>It seems to me like it&#x27;d be best to take a `&amp;mut MaybeUninit&lt;T&gt;` parameter instead, and write through that. A further upside is that now if the caller _is_ Rust code, you can use MaybeUninit to reserve the stack space for the `OwningArrayC&lt;T&gt;` and then after the FFI call you can use `assume_init` to move an owned, initialised `OwningArrayC&lt;T&gt;` out of the `MaybeUninit` and get all of Rust&#x27;s usual automatic `Drop` guarantees: This is the defer you wanted all along.

Implement Drop on a custom guard type. Boom. There you go.

I would totally use a Swift-style concise defer. Writing the idiomatic wrapper struct and implementing Drop is obtuse and repetitive. Both wrapper structs and the scopeguard macro approach have to be wasting compilation time.<p>I have a lot of FFI code paths that end up easier to understand if you use the C-style instead of the Rusty approach.<p>Readability and comp time should be important even in FFI code paths

This article makes no sense. I don&#x27;t know why you&#x27;d ever think you can allocate a Rust object, pass it to C code, and assume it&#x27;s safe for that C code to call free() on it. This would be true for any other pair of languages when crossing an FFI boundary.<p>A possible &quot;defer&quot; keyword has nothing to do with any of this, and will not help you.<p>Rust doesn&#x27;t need &quot;defer&quot;.

Never used it, but I follow wg14, ISO&#x27;s workgroup that maintains the C programming language specification. From there, it looks like defer is one of the most important improvements since the go programming language and I&#x27;ve seen a good number of examples were it prevents mistakes, makes the code more readable and avoids use of goto.<p>I can only hope it &#x27;infects&#x27; other languages.

The first attempt appears to try and transfer ownership of the allocated memory from the Vec to C, so my first question is, why not allocate the returned memory using libc::malloc?<p>But I do recognize that the code in the post was a simplified example, and it&#x27;s possible that the flexibility of `Vec` is actually used; perhaps elements are pushed into the `Vec` dynamically or something, and it would be inconvenient to simulate that with `libc::malloc` et al. But even then, in an environment that&#x27;s not inherently memory starved, a viable approach might be to build up the data in a `Vec`, and then allocate a properly-sized region using `libc::malloc` and copy the data into it.<p>Another option might be to maintain something like a BTreeMap indexed by pointer on the Rust side, keeping track of the capacity there so it can be recovered on free.

Instead of passing around the capacity in a struct or as an extra out parameter until you call free, could you instead branch on capacity == 0 in get_foos and set *out_foos to a null pointer? Just because the vector struct never has a null pointer doesn’t mean you can’t use the null pointer in your own API.

One popular implementation of &quot;defer&quot; in Rust is the scopeguard crate [0]. Behind the scenes, all it does is create an object that will run your function once it&#x27;s dropped (usually when it falls out of scope). It can be more robust than manually sprinkling library-specific free()s everywhere for FFI, since the function will also be run during an unwinding panic, sort of like a &quot;finally&quot; block. I&#x27;ve certainly found it helpful for one-off uses of certain APIs that I can&#x27;t be bothered to write a bunch of Drop boilerplate for.<p>[0] <a href="https:&#x2F;&#x2F;docs.rs&#x2F;scopeguard&#x2F;latest&#x2F;scopeguard&#x2F;" rel="nofollow">https:&#x2F;&#x2F;docs.rs&#x2F;scopeguard&#x2F;latest&#x2F;scopeguard&#x2F;</a>

&gt; libc::free &gt; Hmm...ok...Well that&#x27;s a bit weird,<p>It _really_ isn&#x27;t, it&#x27;s actually exactly how C (or C++) works if you have library allocating something for you you also need to use that library to free it as especially in context of linked libraries you can&#x27;t be sure how something was allocated, if it used some arena, if maybe some of you libraries use jemalloc and others do not etc. So it&#x27;s IMHO a very basic 101 of using external C&#x2F;C++ libraries fact fully unrelated to rust (through I guess it is common for this to be not thought well).<p>Also it&#x27;s normal even if everything uses the same alloc because of the following point:<p>&gt; So now I am confused, am I allowed to free() the Vec&lt;T&gt;&#x27;s pointer directly or not?<p>no and again not rust specific, free is always a flat freeing `Vec&lt;T&gt;&#x27;s` aren&#x27;t guaranteed to be flat (depending on T), and even if, some languages have small vec optimizations (through rust I thing guarantees that it&#x27;s not done with `Vec` even in the future for FFI compatibility reasons)<p>so the get to go solution for most FFI languages boundaries (not rust specific) is you create &quot;C external&quot; (here rust) types in their language, hand out pointer which sometimes are opaque (C doesn&#x27;t know the layout) and then _hand them back for cleanup_ cleaning them up in their language.<p>i.e. you would have e.g. a `drop_vec_u8` extern C function which just does &quot;create vec from ptr and drop it&quot; (which should get compiled to just a free in case of e.g. `Vec&lt;u8&gt;` but will also properly work for `Vec&lt;MyComplexType&gt;`.<p>&gt; Box::from_raw(foos);<p>:wut_emoji:??<p>in many languages memory objects are tagged and treating one type as another in context of allocations is always a hazard, this can even happen to you in C&#x2F;C++ in some cases (e.g. certain arena allocators)<p>again this is more a missing knowledge in context of cross language C FFI in general then rust specific (maybe someone should write a &quot;Generic Cross Language C FFI&quot; knowledge web book, I mean while IMHO it is basic&#x2F;foundational knowledge it is very often not thought well at all)<p>&gt; OwningArrayC &gt; defer!{ super::MYLIB_free_foos(&amp;mut foos); }<p>the issue here isn&#x27;t rust missing defer or goto or the borrow checker, but trying to write C in rust while OwningArrayC as used in the blog is a overlap of anti-patterns wanting to use but not use rust memory management at the same time in a inconsistent way<p>If you want to &quot;free something except not if it has been moved&quot; rust has a mechanic for it: `Drop`. I.e. the most fundamental parts of rust (memory) resource management.<p>If you want to attach drop behavior to an existing type there is a well known pattern called drop guard, i.e. a wrapper type impl Drop i.e. `struct Guard(OwnedArrayC); impl Drop for Guard {...} maybe also impl DerefMut for Guard`. (Or `Guard(Option&lt;..&gt;)` or `Guard(&amp;mut ...)` etc. depending on needs, like e.g. wanting to be able to move it out conveniently).<p>In rust it is a huge anti pattern to have a guard for a resource and not needing to access the resource through the guard (through you will have to do it sometimes) as it often conflicts with borrow checker and for RAII like languages in general is more error prone. Which is also why `scopeguard` provides a guard which wrapps the data you need to cleanup. That is if you use `scopeguard::guard` and similar instead of `scopeguard::defer!` macro which is for convenience when the cleanup is on global state. I.e. you can use `guard(foos, |foos| super::MYLIB_free_foos(&amp;mut foos))` instead of deferr and it would work just fin.<p>Through also there is a design issue with super::MYLIB_free_foos(&amp;mut foos) itself. If you want `OwningArrayC` to actually (in rust terms) own the array then passing `&amp;mut foos` is a problem as after the function returns you still have foos with a dangling pointer. So again it shows that there is a the way `OwningArrayC` is done is like trying to both use and not use rusts memory management mechanics at the same time (also who owns the allocation of OwningArrayC itself is not clear in this APIs).<p>I can give following recommendations (outside of using `guard`):<p>- if Vec doesn&#x27;t get modified use `Box&lt;[T]&gt;` instead<p>- if vec is always accessed through rust consider passing a `Box&lt;Vec&lt;T&gt;&gt;` around instead and always converting to&#x2F;from `Box&lt;Vec&lt;T&gt;&gt;`&#x2F;`&amp;Vec&lt;T&gt;`&#x2F;`&amp;mut Vec&lt;T&gt;`, Box&#x2F;&amp;&#x2F;&amp;mut have some defactor memory repr compatibilities with pointer so you can directly place them in a ffi boundary (I think it&#x27;s guaranteed for Box&#x2F;&amp;&#x2F;&amp;mut T and de-facto for `Option&lt;Box&#x2F;&amp;&#x2F;&amp;mut T&gt;` (nullpointer == None)<p>- if that is performance wise non desirable and you can&#x27;t pass something like `OnwingArrayC` by value either specify that the caller always should (stack) allocate the `OnwingArrayC` itself then only use `OnwingArrayC` at the boundary i.e. directly convert it to `Vec&lt;T&gt;` as needed (through this can easily be less clear about `Vec&lt;T&gt;`, and `&amp;mut Vec&lt;T&gt;` and `&amp;mut [T]` dereferenced)<p>- In general if `OwningArrayC` is just for passing parameter bundles with a convention of it always being stack allocated by the caller then you also really should only use it for the transfer of the parameters and not automatic resource management, i.e. you should directly convert it to `Vec` at the boundary (and maybe in some edge cases use scopeguard::guard, but then converting it to a Vec is likely faster&#x2F;easier to do). Also specify exactly what you do with the callee owned pointer in `OwningArrayC` i.e. do we always treat it ass dangling even if there are errors, do we set it to empty vec &#x2F;no capacity as part of conversion to Vec and it&#x27;s only moved if that was done etc. Also write a `From&lt;&amp;mut OwningArrayC&gt; for Vec` impl, I recommend setting cap+len to zero in it).<p>And yes FFI across languages is _always_ hard, good teaching material often missing and in Rust can be even harder as you have to comply with C soundness on one side and Rust soundness on the other (but I mean also true for Python,Java etc.). Through not necessary for any of the problems in the article IMHO. And even if we just speak about C to C FFI of programs build separately the amount of subtle potentially silent food guns is pretty high (like all the issues in this article and more + a bunch of other issues of ABI incompatibility risks and potentially also linker time optimization related risk).

This only addresses a small point in the article, but you can shrink capacity to size before passing a Vec to C, then assume capacity = size when you need to free the Vec.

Defer is awful compared to just implementing drop.

1) Do not free memory allocated in one language (even more: in one library unless explicitly documented so) into another. Rust can use a custom allocator, and what it uses by default is an implementation detail that can change at a blink.<p>2) Do not use Vec&lt;T&gt; to pass arrays to C. Use boxed slices. Do not even try to allocate a Vec and free a Box... how can it even work?!<p>3) free(ptr) can be called even in ptr is NULL<p>4) ... I frankly stopped reading. I will never know if Rust actually needs Go&#x27;s defer or not.

We have defer, it’s called impl Drop

If you come (as the author does to the conclusion)<p><pre><code> &gt; Rust + FFI is nasty and has a lot of friction. </code></pre> ...then I would say you have been living a little bit of a charmed life. FFI in most languages has improved beyond all recognition in the last 15 years. When I look at FFI in rust I can&#x27;t believe how ergonomic and clean it is compared to say PerlXS (which was the old way of doing FFI in perl).

No, it doesn’t. There are better ways to abstract away RAII, and it is a strictly bad pattern in Rust to not rely on Drop. The author needs to stop writing C and Go, both being arguably bad languages.