Basic support for FFI callbacks (at least stop segfaulting and report a proper error)

src/alloc_addresses/mod.rs

@@ -8,7 +8,7 @@ use std::cell::RefCell;
 
 use rustc_abi::{Align, Size};
 use rustc_data_structures::fx::{FxHashMap, FxHashSet};
-use rustc_middle::ty::TyCtxt;
+use rustc_middle::ty::{InstanceKind, TyCtxt};
 
 pub use self::address_generator::AddressGenerator;
 use self::reuse_pool::ReusePool;
@@ -169,9 +169,39 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
                         Align::from_bytes(1).unwrap(),
                         params,
                     );
-                    let ptr = alloc_bytes.as_ptr();
+                    let mut ptr = alloc_bytes.as_ptr();
                     // Leak the underlying memory to ensure it remains unique.
                     std::mem::forget(alloc_bytes);
+                    if let Some(GlobalAlloc::Function { instance, .. }) =
+                        this.tcx.try_get_global_alloc(alloc_id)
+                    {
+                        #[cfg(all(unix, feature = "native-lib"))]
+                        if let InstanceKind::Item(def_id) = instance.def {
+                            let sig = this.tcx.fn_sig(def_id).skip_binder().skip_binder();
+                            let closure =
+                                crate::shims::native_lib::build_libffi_closure(this, sig)?;
+                            if let Some(closure) = closure {
+                                let closure = Box::leak(Box::new(closure));
+                                // Libffi returns a **reference** to a function ptr here
+                                // (The actual argument type doesn't matter)
+                                let fn_ptr = unsafe {
+                                    closure.instantiate_code_ptr::<unsafe extern "C" fn(*const std::ffi::c_void)>()
+                                };
+                                // Therefore we need to dereference the reference to get the actual function pointer
+                                let fn_ptr = *fn_ptr;
+                                #[expect(
+                                    clippy::as_conversions,
+                                    reason = "No better way to cast a function ptr to a ptr"
+                                )]
+                                {
+                                    // After that we need to cast the function pointer to the
+                                    // expected pointer type. At this point we don't actually care about the
+                                    // type of this pointer
+                                    ptr = (fn_ptr as *const std::ffi::c_void).cast();
+                                }
+                            }
+                        }
+                    }
                     ptr
                 }
                 AllocKind::TypeId | AllocKind::Dead => unreachable!(),

src/shims/mod.rs

@@ -6,7 +6,7 @@ mod backtrace;
 mod files;
 mod math;
 #[cfg(all(unix, feature = "native-lib"))]
-mod native_lib;
+pub mod native_lib;
 mod unix;
 mod windows;
 mod x86;

src/shims/native_lib/mod.rs

@@ -1,6 +1,7 @@
 //! Implements calling functions from a native library.
 
 use std::ops::Deref;
+use std::os::raw::c_void;
 use std::sync::atomic::AtomicBool;
 
 use libffi::low::CodePtr;
@@ -330,7 +331,9 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
                 // Read the bytes that make up this argument. We cannot use the normal getter as
                 // those would fail if any part of the argument is uninitialized. Native code
                 // is kind of outside the interpreter, after all...
-                Box::from(alloc.inspect_with_uninit_and_ptr_outside_interpreter(range))
+                let ret: Box<[u8]> =
+                    Box::from(alloc.inspect_with_uninit_and_ptr_outside_interpreter(range));
+                ret
             }
             either::Either::Right(imm) => {
                 let mut bytes: Box<[u8]> = vec![0; imm.layout.size.bytes_usize()].into();
@@ -439,11 +442,67 @@ trait EvalContextExtPriv<'tcx>: crate::MiriInterpCxExt<'tcx> {
         interp_ok(match layout.ty.kind() {
             // Scalar types have already been handled above.
             ty::Adt(adt_def, args) => self.adt_to_ffitype(layout.ty, *adt_def, args)?,
-            _ => throw_unsup_format!("unsupported argument type for native call: {}", layout.ty),
+            // Functions with no declared return type (i.e., the default return)
+            // have the output_type `Tuple([])`.
+            ty::Tuple(t_list) if (*t_list).deref().is_empty() => FfiType::void(),
+            _ => {
+                throw_unsup_format!("unsupported argument type for native call: {}", layout.ty)
+            }
         })
     }
 }
 
+pub fn build_libffi_closure<'tcx, 'this>(
+    this: &'this MiriInterpCx<'tcx>,
+    fn_ptr: rustc_middle::ty::FnSig<'tcx>,
+) -> InterpResult<'tcx, Option<libffi::middle::Closure<'this>>> {
+    let mut args = Vec::new();
+    for input in fn_ptr.inputs().iter() {
+        let layout = match this.layout_of(*input) {
+            Ok(layout) => layout,
+            Err(e) => {
+                tracing::info!(?e, "Skip closure");
+                return interp_ok(None);
+            }
+        };
+        let ty = match this.ty_to_ffitype(layout).report_err() {
+            Ok(ty) => ty,
+            Err(e) => {
+                tracing::info!(?e, "Skip closure");
+                return interp_ok(None);
+            }
+        };
+        args.push(ty);
+    }
+    let res_type = fn_ptr.output();
+    let res_type = {
+        let layout = match this.layout_of(res_type) {
+            Ok(layout) => layout,
+            Err(e) => {
+                tracing::info!(?e, "Skip closure");
+                return interp_ok(None);
+            }
+        };
+        match this.ty_to_ffitype(layout).report_err() {
+            Ok(ty) => ty,
+            Err(e) => {
+                tracing::info!(?e, "Skip closure");
+                return interp_ok(None);
+            }
+        }
+    };
+    let closure_builder = libffi::middle::Builder::new().args(args).res(res_type);
+    let data = CallbackData {
+        args: fn_ptr.inputs().to_vec(),
+        result: fn_ptr.output(),
+        this,
+        //link_name: *link_name,
+    };
+    let data = Box::leak(Box::new(data));
+    let closure = closure_builder.into_closure(callback_callback, data);
+    interp_ok(Some(closure))
+}
+
 impl<'tcx> EvalContextExt<'tcx> for crate::MiriInterpCx<'tcx> {}
 pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
     /// Call the native host function, with supplied arguments.
@@ -536,3 +595,45 @@ pub trait EvalContextExt<'tcx>: crate::MiriInterpCxExt<'tcx> {
         interp_ok(true)
     }
 }
+
+struct CallbackData<'a, 'tcx> {
+    args: Vec<Ty<'tcx>>,
+    #[expect(dead_code, reason = "It's there for later")]
+    result: Ty<'tcx>,
+    this: &'a MiriInterpCx<'tcx>,
+}
+
+unsafe extern "C" fn callback_callback(
+    cif: &libffi::low::ffi_cif,
+    _result: &mut c_void,
+    args: *const *const c_void,
+    infos: &CallbackData<'_, '_>,
+) {
+    debug_assert_eq!(cif.nargs.try_into(), Ok(infos.args.len()));
+    let mut rust_args = Vec::with_capacity(infos.args.len());
+    // We cast away the pointer to pointer to get a pointer to the actual argument
+    let mut args = args.cast::<c_void>();
+    for arg in &infos.args {
+        let scalar = match arg.kind() {
+            ty::RawPtr(..) => {
+                let ptr = StrictPointer::new(Provenance::Wildcard, Size::from_bytes(args.addr()));
+                // This offset moves the pointer to the next argument
+                args = unsafe { args.offset(1) };
+                Scalar::from_pointer(ptr, infos.this)
+            }
+            // the other types
+            _ => todo!(),
+        };
+        rust_args.push(scalar);
+    }
+
+    // We abort the execution at this point as we cannot return the
+    // expected value here.
+    eprintln!(
+        "Tried to call a function pointer via FFI boundary. \
+         That's not supported yet by miri\nThis function pointer was registered by a call to `{}` \
+         using an argument of the type `{}`",
+        "todo: fill in name", "todo: fill in type"
+    );
+    std::process::exit(1);
+}

tests/native-lib/fail/call_function_ptr.notrace.stderr

@@ -0,0 +1,35 @@
+warning: sharing memory with a native function called via FFI
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |         call_fn_ptr(Some(nop)); // this one is not
+   |         ^^^^^^^^^^^^^^^^^^^^^^ sharing memory with a native function
+   |
+   = help: when memory is shared with a native function call, Miri stops tracking initialization and provenance for that memory
+   = help: in particular, Miri assumes that the native call initializes all memory it has access to
+   = help: Miri also assumes that any part of this memory may be a pointer that is permitted to point to arbitrary exposed memory
+   = help: what this means is that Miri will easily miss Undefined Behavior related to incorrect usage of this shared memory, so you should not take a clean Miri run as a signal that your FFI code is UB-free
+   = note: BACKTRACE:
+   = note: inside `pass_fn_ptr` at tests/native-lib/fail/call_function_ptr.rs:LL:CC
+note: inside `main`
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |     pass_fn_ptr()
+   |     ^^^^^^^^^^^^^
+
+warning: sharing a function pointer with a native function called via FFI
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |         call_fn_ptr(Some(nop)); // this one is not
+   |         ^^^^^^^^^^^^^^^^^^^^^^ sharing a function pointer with a native function
+   |
+   = help: calling Rust functions from C is not supported and will, in the best case, crash the program
+   = note: BACKTRACE:
+   = note: inside `pass_fn_ptr` at tests/native-lib/fail/call_function_ptr.rs:LL:CC
+note: inside `main`
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |     pass_fn_ptr()
+   |     ^^^^^^^^^^^^^
+
+Tried to call a function pointer via FFI boundary. That's not supported yet by miri
+This function pointer was registered by a call to `todo: fill in name` using an argument of the type `todo: fill in type`

tests/native-lib/fail/call_function_ptr.rs

@@ -0,0 +1,21 @@
+//@revisions: trace notrace
+//@[trace] only-target: x86_64-unknown-linux-gnu i686-unknown-linux-gnu
+//@[trace] compile-flags: -Zmiri-native-lib-enable-tracing
+//@compile-flags: -Zmiri-permissive-provenance
+
+fn main() {
+    pass_fn_ptr()
+}
+
+fn pass_fn_ptr() {
+    extern "C" {
+        fn call_fn_ptr(s: Option<extern "C" fn()>);
+    }
+
+    extern "C" fn nop() {}
+
+    unsafe {
+        call_fn_ptr(None); // this one is fine
+        call_fn_ptr(Some(nop)); // this one is not
+    }
+}

tests/native-lib/fail/call_function_ptr.trace.stderr

@@ -0,0 +1,36 @@
+warning: sharing memory with a native function called via FFI
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |         call_fn_ptr(Some(nop)); // this one is not
+   |         ^^^^^^^^^^^^^^^^^^^^^^ sharing memory with a native function
+   |
+   = help: when memory is shared with a native function call, Miri can only track initialisation and provenance on a best-effort basis
+   = help: in particular, Miri assumes that the native call initializes all memory it has written to
+   = help: Miri also assumes that any part of this memory may be a pointer that is permitted to point to arbitrary exposed memory
+   = help: what this means is that Miri will easily miss Undefined Behavior related to incorrect usage of this shared memory, so you should not take a clean Miri run as a signal that your FFI code is UB-free
+   = help: tracing memory accesses in native code is not yet fully implemented, so there can be further imprecisions beyond what is documented here
+   = note: BACKTRACE:
+   = note: inside `pass_fn_ptr` at tests/native-lib/fail/call_function_ptr.rs:LL:CC
+note: inside `main`
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |     pass_fn_ptr()
+   |     ^^^^^^^^^^^^^
+
+warning: sharing a function pointer with a native function called via FFI
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |         call_fn_ptr(Some(nop)); // this one is not
+   |         ^^^^^^^^^^^^^^^^^^^^^^ sharing a function pointer with a native function
+   |
+   = help: calling Rust functions from C is not supported and will, in the best case, crash the program
+   = note: BACKTRACE:
+   = note: inside `pass_fn_ptr` at tests/native-lib/fail/call_function_ptr.rs:LL:CC
+note: inside `main`
+  --> tests/native-lib/fail/call_function_ptr.rs:LL:CC
+   |
+LL |     pass_fn_ptr()
+   |     ^^^^^^^^^^^^^
+
+Tried to call a function pointer via FFI boundary. That's not supported yet by miri
+This function pointer was registered by a call to `todo: fill in name` using an argument of the type `todo: fill in type`

tests/native-lib/ptr_read_access.c

@@ -68,3 +68,10 @@ EXPORT uintptr_t do_one_deref(const int32_t ***ptr) {
 EXPORT void pass_fn_ptr(void f(void)) {
   (void)f; // suppress unused warning
 }
+
+/* Test: function_ptrs */
+EXPORT void call_fn_ptr(void f(void)) {
+    if (f != NULL) {
+        f();
+    }
+}