"Safe" Gecko binding sugars allow undefined behavior in safe Rust

[mbrubeck]

The style::gecko_bindings::sugar module implements various safe methods and traits for FFI types from Gecko. However, many of these methods are actually unsafe because they depend on invariants that are not enforced. For example, this program has undefined behavior without using unsafe:

extern crate style;
use style::gecko_bindings::structs::nsTArray;

fn main() {
    let a = nsTArray { mBuffer: std::ptr::null_mut() };
    let b = &a[..];
}

Since the structs’ fields are public, we can’t statically enforce invariants on them. Assuming we don’t want to add runtime checks, we need to make sure these methods and impls can be used only on valid struct values. Possible solutions:

• Create wrapper types that cannot be constructed in safe code, and implement methods/traits on the wrapper types instead of the original FFI structs.
• Generate binding structs with private fields, and include the bindings and the impls in a single module.
• Generate binding structs that use pub(super) or similar to make their fields public within some trusted supermodule, but private to outside code. Not yet possible in stable Rust (Tracking issue for pub(restricted) privacy (RFC #1422) rust-lang/rust#32409).

[SimonSapin]

Generate binding structs that use pub(super) or similar to make their fields public within some trusted supermodule, but private to outside code

Another way to do this is to "flatten" that supermodule, use include!() inside of it without mod to have multiple files.