On Wed, Jul 27, 2022 at 01:06:28PM +0200, Miguel Ojeda wrote:
> On Wed, Jul 27, 2022 at 12:08 PM Kent Gibson <warthog618@gmail.com> wrote:
> > It should never return NULL. At the moment. I would prefer to have NULL checks for all cases, not assume anything about the C implementation, and to be consistent with other places where you do NULL checks. As it stands when I see this I need to go check the C to see if this is a reasonable exception or not. And I'm lazy.
> Ideally the C side would document the guarantees explicitly instead, and then the Rust side can rely on them.
Unfortunately the C header doesn't currently provide any guarantee - except in the cases where it CAN return NULL. But we can fix that.
> In any case, if a given C API never returned an invalid pointer and suddenly it starts doing so in some cases, I would consider that a breaking change in practice, which would likely break C users too.
Not sure I'm on board with that. Unless the API has a contract not to return a NULL then it is free to at a later date. The user should always assume that NULL is a possibility, even if they have never seen one.
But in practice you are probably right.
> A potential compromise meanwhile is `debug_assert!` to at least test those assumptions.
I'd be fine with that. I'd also be satisfied with a comment in the Rust that the C guarantees a non-NULL where that is the case. That would at least demonstrate that the possibility has been duly considered.
Cheers, Kent.
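The two Rust-side treatments the thread contrasts, as an added example that is not code from the thread or from the kernel: an explicit NULL check that surfaces `None` to the caller, beside a wrapper that relies on a documented non-NULL guarantee and uses `debug_assert!` to test that assumption. The C accessor `c_line_name` is a hypothetical stand-in implemented in Rust so the example runs without a C toolchain.

```rust
use std::ffi::{c_char, CStr};
use std::ptr;

/// Stand-in for a C accessor (hypothetical; not a real kernel API).
/// Like most C headers it makes no promise, and returns NULL for an
/// out-of-range index.
extern "C" fn c_line_name(idx: u32) -> *const c_char {
    const NAMES: [&[u8]; 2] = [b"line0\0", b"line1\0"];
    match NAMES.get(idx as usize) {
        Some(n) => n.as_ptr() as *const c_char,
        None => ptr::null(),
    }
}

/// Treat NULL as a possibility and report it to the caller.
pub fn line_name_checked(idx: u32) -> Option<&'static CStr> {
    let p = c_line_name(idx);
    if p.is_null() {
        return None;
    }
    // SAFETY: `p` is non-null and points at a static NUL-terminated string.
    Some(unsafe { CStr::from_ptr(p) })
}

/// Rely on an (assumed) C contract that the pointer is never NULL, but
/// check it in debug builds so a broken contract panics with a message
/// instead of dereferencing NULL.
pub fn line_name_assumed(idx: u32) -> &'static CStr {
    let p = c_line_name(idx);
    debug_assert!(
        !p.is_null(),
        "c_line_name({idx}) returned NULL; C contract violated"
    );
    // SAFETY: per the assumed contract, `p` is a valid NUL-terminated string.
    unsafe { CStr::from_ptr(p) }
}

fn main() {
    println!("{:?}", line_name_checked(0)); // Some("line0")
    println!("{:?}", line_name_checked(7)); // None
    println!("{:?}", line_name_assumed(1)); // "line1"
}
```

In a release build the `debug_assert!` compiles away, so the second wrapper is only as safe as the contract it documents; the first costs one branch and needs no contract.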