Google Git
Sign in
bazel / crubit / fd92b5601ba2f8c725db574b14804b610f7cae34 / . / docs / design / design.md
blob: eb385a50a0f26d0270acb71fbb8fab7cba152073 [file] [log] [blame] [view]
# High-level design of C++/Rust interop
This document describes the high-level design choices of Crubit, a C++/Rust
Bidirectional Interop Tool.
[TOC]
## C++/Rust interop goal
**The primary goal of Crubit is to enable Rust to be used side-by-side with C++
in large existing codebases.**
In the short term we would like to focus on codebases that roughly follow the
Google C++ style guide to improve the interop fidelity. Other, more diverse
codebases are possible prospective users in the long term, and their needs will
be addressed by customization and extension points.
## C++/Rust interop requirements
In support of the interop goal, we identify the following requirements:
1. **Enable using existing C++ libraries from Rust with high fidelity**
* **High fidelity means that interop will make C++ APIs available in Rust,
even when those API projections would not be idiomatic, ergonomic, or
safe** in Rust, to facilitate cheap, small step incremental migration
workflow. Based on the experience of other cross-language
interoperability systems and language migrations (for example,
Objective-C/Swift, Java/Kotlin, JavaScript/TypeScript), we believe that
working in a mixed C++/Rust codebase would be significantly harder if
some C++ APIs were not available in Rust.
* **Interop will bridge C++ constructs to Rust constructs only when the
semantics match closely**. Bridging large semantic gaps creates a risk
of making C++ APIs unusable in Rust, as well as a risk of creating
performance problems. For example, interop will not bridge destructive
Rust moves and non-destructive C++ moves; instead it will make C++ move
constructors and move assignment operators available to use in Rust
code. As another example, interop will not bridge C++ templates and Rust
generics by default.
* Interop should be **performant**, as close to having no runtime cost as
possible. The performance costs of the interop should be documented, and
where possible, intuitive to the user.
* Interop should be **ergonomic and safe**, as long as ergonomic and
safety accommodations do not hurt performance or fidelity. Where a
tradeoff is possible, the interop will choose performance and fidelity
over ergonomics; the user will be allowed to override this choice.
* **Enable owners of the C++ API to control their Rust API projection**,
for example, with attributes in C++ headers and by extending generated
bindings with a manually implemented overlay. Such an overlay will wrap
or extend generated bindings to improve ergonomics and safety.
2. **Enable using Rust libraries from C++**
* However, using C++ libraries from Rust has a higher priority than using
Rust libraries from C++.
3. **Put little to no barriers to entry**
* **Ideally, no boilerplate code** needs to be written in order to start
using a C++ library from Rust. Adding some extra information can make
the generated bindings more ergonomic to use.
* The amount of **duplicated API information is minimized**.
* **Future evolution of C++ APIs should be minimally hindered by the
presence of Rust users**.
## Proposal and high-level design
**We propose to develop our own C++/Rust interop tooling.** There are no
existing tools that satisfy all of our requirements. Modifying an existing tool
to fulfill these requirements would take more effort than building a new tool
from scratch or might require forking its codebase given that some existing
tools have goals that conflict with our goals.
See the "alternatives considered" section for a discussion of existing tools.
### Source of information about C++ API
**Interop tooling will read C++ headers**, as they contain the information
needed to generate Rust API projections and the necessary glue code. Interop
tooling that is used during builds will not read C++ source files, to maintain
the principle that C++ API information is only located in headers, and that a
C++ library can't break the build of its dependencies by changing source files.
Some interop-adjacent tools (e.g., large-scale refactoring tools that seed the
initial set of lifetime annotations) will also read C++ sources. These tools
will not be used during builds.
**Pros**
* **Minimal barrier to entry**: minimal amount of manual work is required to
start using a C++ library from Rust.
* Encourages leaf projects to start incrementally adopting Rust in new
code, or incrementally rewriting C++ targets in Rust.
* **C++ API information is located only in headers**, regardless of the
language that the API consumer is written in (C++ or Rust).
* **Interop tooling that generates Rust API projections from a C++ header can
get exactly the same information that the C++ compiler has** when processing
a translation unit that uses one of the APIs declared within that header.
* Interop tooling can generate the most performant calls to C++ APIs,
without C++-side thunks that translate the C++ ABI into a C ABI.
* Interop tooling can autodetect implementation details that are critical
for interop but are not a part of the API surface (for example, the size
and alignment of C++ classes that have private data members).
* In alternative solutions, users need to repeat these implementation
details in sidecar files. Interop can verify that the specified
information is correct through static assertions in generated C++ code,
but the overall user experience is inferior.
**Cons**
* **Having to read C++ headers makes interop tooling more complex.**
* **The Rust projection of the C++ API is only visible in machine-generated
files.**
* These are not trivially accessible.
* There is a limit on how readable these files can be made.
* We can mitigate these issues by building tooling that shows the Rust
view of a C++ header (for example in Code Search, or in editors as an
alternative go-to-definition target).
### Customizability
Interop tooling will be sufficiently customizable to accommodate the unique
needs of different C++ libraries in the codebase. Interop should be customizable
enough to accommodate existing codebases. C++ API owners can:
* **Guide how interop tooling generates Rust API projections from C++
headers**. For example, headers can provide:
* Custom Rust names for C++ function overloads (instead of applying the
general interop strategy for function overloads),
* Custom Rust names for overloaded C++ operators,
* Custom Rust lifetimes for pointers and references mentioned in the C++
API,
* Nullability information for pointers in the C++ API,
* Assertions (verified at compile time) and promises (not verified by
tooling) that certain C++ types are trivially relocatable.
* **Provide custom logic to bridge types**, for example, mapping C++
`absl::StatusOr` to Rust `Result`.
* **Provide API overlays** that improve the automatically generated Rust API.
* For example, the overlays could inject additional methods into
automatically generated Rust types or hide some of the generated
methods.
More intrusive customization techniques will be useful for template and
macro-heavy libraries where the baseline import rules just won't work. We
believe customizability will be an essential enabler for providing high-fidelity
interop.
### Source of additional information that customizes C++ API projection into Rust
Where C++ headers don't already provide all information necessary for interop
tooling to generate a Rust API projection, we will add such information to C++
headers whenever possible. If it is not desirable to edit a certain C++ header,
extra information can be stored in a sidecar file.
Examples of additional information that interop tooling will need:
* **Nullability annotations.** C++ APIs often expose pointers that are
documented or assumed by convention to be never null, but can't be
refactored to references due to language limitations (for example,
`std::vector<MyProtobuf *>`). If C++ headers don't provide nullability
information for pointers in a machine-readable form, interop tooling has to
conservatively mark all C++ pointers as nullable in the Rust API projection.
The Rust compiler will then force users to write unnecessary (and
untestable) null checks.
* **Lifetimes of references and pointers** in C++ headers are not described in
a machine-readable way (and sometimes are not even documented in prose).
Lifetime information is essential to generate safe and idiomatic Rust APIs
from C++ headers.
#### Additional information is stored in C++ headers
**Pros**
* **Additional information needed for C++/Rust interop will be expressed as
annotations on existing syntactic elements in C++.**
* The annotations are located in the most logical place.
* The annotations are more likely to be noticed and updated by C++ API
owners.
* API owners retain full control over how the API looks in Rust.
* **C++ users may find lifetime and nullability annotations useful.** For
example, information about lifetimes is highly important to C++ and Rust
users alike.
* **C++ API definitions are only written once,** minimizing duplication and
maintenance burden.
**Cons**
* **Annotations that benefit Rust users can bother C++ API owners** who don't
care about Rust. Especially at the beginning of integrating Rust into an
existing codebase, C++ API owners can push back on adding annotations.
* To encourage adoption of annotations, we can develop tooling for C++
that uses lifetime and nullability annotations to find bugs in C++ code.
* The pushback is likely to be short-term: if Rust takes off in a C++
codebase, C++ library owners in that codebase will need to care about
Rust users and how their API looks in Rust.
* **There may be headers that we cannot (or would not want to) change**, for
example, headers in third-party code, headers that are open-sourced, or when
first-party owners are not cooperating.
* We can apply the
[sidecar strategy](#additional-information-is-stored-in-sidecar-files)
to these headers.
#### Additional information is stored in sidecar files
Additional information needed for C++/Rust interop can be stored in sidecar
files, similarly to Swift APINotes, CLIF etc. If sidecar files get sufficiently
broad adoption (for example, if annotating third-party code turns out to be
sufficiently important that optimizing C++/Rust interop ergonomics there would
be worth it), it would make sense to write sidecar files in a Rust-like
language, as that provides the most natural way to define Rust APIs.
**Pros**
* **Sidecar files enable more broad adoption of annotations** by providing
additional interop information without modifying C++ headers. Sidecar files
will allow us to annotate headers in third-party code, headers that can't
adopt annotations for technical reasons, or headers owned by first-party
owners who are not cooperating.
**Cons**
* Like in the
[Use Rust code to customize API projection into Rust](#use-rust-code-to-customize-api-projection-into-rust)
alternative, **some part of C++ API information is duplicated**, which is a
burden for the C++ API owners.
* The projection of C++ APIs to Rust is defined in a new language.
* C++ API owners and Rust users will have to learn this language.
* If we expect wide adoption of sidecar files, we will need to create
tooling to parse, edit, and run LSCs against this language.
* **Annotations in sidecar files are more prone to become out of sync with the
C++ code.** When making changes to C++ code, engineers are less likely to
notice and update the annotations in sidecar files.
* Presubmits can catch some cases of desynchronization between C++ headers
and sidecar filles. However, presubmit errors that remind engineers to
edit more files create an inferior user experience.
* **Sidecar files create extra friction to modify the code.** Where previously
one had to edit only a C++ header and a C++ source file, now one also likely
needs to update a sidecar file.
* When engineers realize that they need to update a sidecar file, opening
another file and finding the right place to update creates extra
friction to modify code.
* Once engineers understand the extra maintenance burden associated with
sidecar files that tend to go out of sync with headers, they will be
less likely to adopt annotations in the first place.
### Glue code generation
C++/Rust interop tooling will generate executable glue code and type definitions
in Rust and in C++ (not just merely `extern "C"` function declarations) in order
to achieve the following goals:
* **Enable instantiating C++ templates from Rust, and monomorphizing Rust
generics from C++. Enable Rust types to participate in C++ inheritance
hierarchies.**
* For example, imagine Rust code using an object of type
`std::vector<MyProtobuf>`, while C++ code in the same program is never
instantiating this type. The Bazel `rust_library` target that mentions
this type must therefore be responsible for instantiating this template
and linking the resulting executable code into the final program. We
propose that this instantiation happens in an automatically generated
"glue" C++ translation unit that is a part of that `rust_library`.
* **Enable automatically wrapping C++ code to be more ergonomic in Rust.** For
example:
* `extern "C"` functions in Rust are necessarily unsafe (it is a language
rule). We would like the vast majority of C++ API projections into Rust
to be safe. In the current Rust language, we can achieve that only by
wrapping the unsafe `extern "C"` function in a safe function marked with
`#[inline(always)]`.
* C++ API owners can provide rules for automatic type bridging, for
example, mapping C++ `absl::StatusOr` to Rust `Result`. This conversion
necessitates generation of a Rust wrapper function around a C++ entry
point that takes advantage of such type bridging.
* **Provide stable locations (C++ modules, Rust crates) that "own" the types
from the language point of view.**
* For example, when we project a C++ type into Rust, its Rust definition
must be located in a Rust crate. Furthermore, all Rust users of this
type must observe it as being defined in the same crate in order for
every users to consider that they use the same type. Indeed, this is a
rule in Rust, that types defined in different crates are unrelated
types.
* When we project a Rust type into C++ we could repeat its C++ definition
in C++ code any number of times (for example, in every C++ user of a
Rust type). This is technically fine because C++ allows the same type to
be defined multiple types within a program. Nevertheless, such
duplication is error-prone.
### Glue code is generated as C++ and Rust source code
Interop tooling will generate glue code as C++ and Rust source files, which are
then compiled with an unmodified compiler for that language. The alternative is
to generate LLVM IR or object files with machine code directly from interop
tooling.
**Pros**
* **It is easy to inject customizations provided by API owners into generated
source code.**
* The customizations will be written in the target language, making it
(hopefully) intuitive to write them.
* **Generated source code can be easily inspected by compiler engineers**
while debugging interop problems and compiler bugs.
* **Generated source code can be inspected and understood by interop users,**
who are not compiler experts.
* LLVM IR wouldn't be meaningful to them.
* **Generated source code is processed by the regular toolchain like any other
code in the project.**
* It automatically benefits from all performance optimizations and
sanitizers that are newly implemented in Clang and Rust compilers.
* **We avoid adding a new tool that generates unique LLVM IR patterns.**
* We avoid making the job of the C++ toolchain maintainers harder.
**Cons**
* **Interop tooling will be limited to generating LLVM IR and machine code
that Clang and Rust compilers can generate.**
### Glue code and API projections will assume implementation details of the target execution environment
To provide the most ergonomic and performant interop, C++/Rust interop tooling
will allow the target codebase to opt into assuming various implementation
details of the target execution environment. For example:
* When calling C++ from Rust, interop tooling can either wrap C++ functions in
thunks with a C calling convention, or call C++ entry points directly.
Thunks cause code bloat and can collectively add up to become a performance
problem, so it is desirable to call C++ entry points from Rust directly.
Interop tooling can do that only if it may assume a specific target platform
and C++ ABI.
Implementation details of the target execution environment that are considered
stable enough will be reflected in API projections, for example:
* The C++ standard does not specify sizes of integer types (`short`, `int`,
`long` etc.) To map them to Rust, interop tooling will need to assume a size
that they have on the platform that targets in practice. The alternative
would be to create target-agnostic integer types (for example, `Int` in
Swift is a strong typedef for `Int32` on 32-bit targets, and `Int64` on
64-bit targets), but this makes it harder to provide idiomatic, transparent,
high-performance interop.
* The C++ standard does not specify whether standard library types like
`std::vector` are trivially relocatable; it is an implementation detail.
Universal interop tooling would have to conservatively assume
non-trivially-relocatable types. Interop tooling specific to certain
environments can rely on libc++ providing a trivially-relocatable
`std::vector` and project it into Rust in a much more ergonomic way.
**Pros**
* **Interop tooling will generate the most performant code sequences** to call
foreign language functions.
* If interop tooling generates portable code, it would have some overhead.
The overhead can be eliminated by C++ and Rust optimizers at least in
some cases, but at the cost of increased build times. For example,
eliminating thunks would require turning on LTO, which is not fast, and
usually only used for release builds. It is much preferable to not
generate thunks in the first place, if the target platform does not need
them.
* **Ergonomics of API projections will be improved.**
* For example, whether a C++ type is trivially relocatable or not is an
implementation detail in C++, transparent to C++ users of that type, but
it makes a huge ergonomic difference in the Rust API projection.
**Cons**
* **C++ code will have additional evolution constraints.**
* For example, changing a type from trivially relocatable to non-trivially
relocatable is a non-API-breaking change for C++ users, but it would
break Rust users.
* **It would be more difficult to switch internal environments to a different
C++ standard library.**
* **Code that is deployed in environments that have incompatible
implementation details won't be able to use this C++/Rust interop system.**
* Alternatively, these executables would have to bring a suitable
execution environment with them (e.g., a copy of libc++).
### Interop tooling should be maintainable and evolvable for a long time
We should design and implement C++/Rust interop tooling in such a way that we
can maintain and evolve it for more than a decade. If Rust becomes tightly
integrated into an existing C++ project, specific requirements for interop and
API projection rules will keep changing. The more Rust adoption we will have,
the more library and team-specific interop customizations we will have to
support, and the more it will make sense for the performance team to tweak
generated code to implement sweeping optimizations. These kinds of changes
should be readily possible, and they should not create conflicts of interest
between diferent users of the interop tooling.
### Interop tooling should facilitate C++ to Rust migration
C++/Rust interop tooling should try to create a favorable environment for
migrating C++ code to Rust. Specifically, projections of C++ APIs into Rust
should be implementable in Rust. This way, a C++ library can be converted from
C++ into Rust transparently for its users, as its public API won't change.
## Alternatives Considered: Design decisions
### Repeat C++ API completely in a separate IDL
Instead of reading C++ headers in the interop tooling, we would require the user
to repeat the C++ API in some other form, for example, in a Rust-based IDL like
in the cxx crate, or in sidecar files in a completely new format.
**Pros**
* **Interop tooling can be simpler if it does not have to read C++ headers**.
But even under this alternative approach, tooling might want to read C++
headers, nullifying this advantage. For example, tooling might want to
automatically generate an initial Rust snippet or to suggest in presubmits
to adjust the Rust code that mirrors a C++ API when that C++ API changes.
* The **most natural way to define Rust APIs** is by using Rust code or
Rust-like syntax in sidecar files.
* **Available Rust APIs are defined in easily accessible checked-in files.**
* **API definitions written by a human might have higher quality, on
average.**
**Cons**
* **A big part of the C++ API needs to be duplicated** to reliably match the
Rust code with the C++ declarations. The initial code can be generated by
tooling, but it has to be kept in sync. This is a burden for the C++ API
owners, potentially a bigger one than allowing annotations in C++ headers.
* There is a risk that C++ API owners might refuse to own IDL files.
* The need to create a sidecar file creates a **barrier to start using C++
libraries from Rust.**
* While the duplication overhead is justifiable for widely-used libraries,
it is relatively high for libraries with few users and binaries, making
it less likely that leaf teams will start adopting Rust.
* **When the C++ API is changed, the Rust definitions become out-of-sync with
it.** Tooling needs to detect this, and the Rust definitions need to be
changed (either manually or tool-assisted).
* There is no effective way to verify Rust binding code at the presubmit time
of a C++ library other than building downstream projects.
* **Mapping Rust API definitions to the original C++ API definitions is more
complicated and error-prone**. For example, how would we target a specific
overload of a function or constructor?
* There is a **risk that individual teams will build team-specific tooling
that generates IDL files** from C++ headers or generates both IDL files and
C++ headers from a single source. These solutions are unlikely to scale to
existing large codebases and will likely only work for that specific team.
### Use Rust code to customize API projection into Rust
An alternative to storing additional information in C++ headers is to put it
into Rust code. For example, the cxx crate requires users to re-state the C++
API in Rust syntax, adding information about lifetimes and nullability. The pros
and cons of this choice are the same as when defining a special IDL that repeats
the C++ API completely (see above).
### Generate glue code in binary formats
Instead of generating glue code as textual sources, interop tooling could use
Clang and LLVM APIs to emit object files with C++ glue code and use Rust
compiler APIs to generate rmeta and rlib files with Rust glue code.
**Pros**
* **More flexibility in the code that can be generated.** Controlling LLVM IR
generation allows interop tooling to generate code that an unmodified
compiler can't generate from textual source code. For example, the Rust
language does not have any constructs that map to `linkonce_odr` functions
in LLVM IR; if the interop tooling embedded the Rust compiler as a library
and had more control over how it generates the IR, we could make that
happen.
**Cons**
* Injecting customizations provided by API owners is harder.
* LLVM, Clang, and Rust compiler APIs are not stable. The format of Rust
metadata files is not stable either. The larger the API subset we consume
from Clang and Rust, the more difficult it becomes to maintain the tooling.
* To generate object files the interop tooling has to ensure that its
Clang/LLVM version and configuration is identical with the Clang compiler
used to build other C++ code.
* We can solve this problem, but it makes the system more fragile,
compared to using existing C++ and Rust compilers to compile generated
sources.
* From time to time LLVM introduces bugs that cause miscompilations. If
interop tooling embeds LLVM, we would be adding another tool that toolchain
engineers will need to look into when debugging a miscompilation. We would
be making the job of C++ toolchain maintainers harder.
## Alternatives Considered: Existing tools
### bindgen
[bindgen](https://rust-lang.github.io/rust-bindgen/) **automatically generates
Rust bindings from C and C++ headers**, which it consumes using libclang. The
generated **bindings are pure Rust code** that interfaces with C and C++ using
Rust’s [built-in FFI for C](https://doc.rust-lang.org/nomicon/ffi.html)
(`#[repr(C)]` to indicate that a struct should use C memory layout and `extern
"C"` to indicate that a function should use a C calling convention). C++
functions are handled by generating a Rust `extern "C"` function that has the
same ABI as the C++ function and attaching a `link_name` attribute with the
mangled name.
See
[here](https://manishearth.github.io/blog/2021/02/22/integrating-rust-and-c-plus-plus-in-firefox/)
for an in-depth description of the use of bindgen in Stylo, a Rust component in
Firefox.
**Pros**
* **The oldest and the most mature** of the existing C++ interop tools
(developed
[since Feb 2012](https://github.com/rust-lang/rust-bindgen/commit/9fe92b0cfd48d5ebd1c82af8b1ff041f8c416a65)).
**Cons**
* **Deficiencies in safety and ergonomics**, for example:
* References are imported as pointers. No lifetimes, no null-safety.
* Constructors and destructors are not called automatically.
* Overloads are distinguished by a numbered suffix in Rust. These numbers
clutter the source code and are hard to remember, as they have no
meaning. Adding overloads can change the numbering and hence break Rust
callers.
* It is **impossible to use C++ inline functions and templates** from Rust
because of bindgen’s architecture[^1]. The architecture is unlikely to
change, and therefore, this is a dealbreaker.
**Evaluation**
bindgen could be used in a project that has very limited C++ interop needs.
However, creating safe and ergonomic wrappers for the generated bindings would
require additional effort. Our vision and goals for C++ interop are very
different from what bindgen provides.
### cbindgen
[cbindgen](https://github.com/eqrion/cbindgen) **automatically generates C or
C++ headers for Rust libraries which expose a public C API**.
**Pros**
* **An old and mature tool** (developed
[since March 2017](https://github.com/eqrion/cbindgen/commit/215d3a987b223d4a1a878e2385c8677d5ae3a80b)).
**Cons**
* **Shallow understanding of Rust's modules and types**.
* [`cbindgen`'s docs](https://github.com/eqrion/cbindgen/blob/master/docs.md)
point out that "A major limitation of cbindgen is that it does not
understand Rust's module system or namespacing. This means that if
cbindgen sees that it needs the definition for MyType and there exists
two things in your project with the type name MyType, it won't know what
to do. Currently, cbindgen's behaviour is unspecified if this happens."
* This limitation seems mostly caused by building `cbindgen` on top of
[the `syn` crate](https://docs.rs/syn). `syn` is able to parse Rust
source code into an AST, but there is no facility at the `syn` level for
type deduction or module traversal. Building such functionality would
require replicating parts of the `rustc` compiler into `cbindgen`, or
alternatively rewriting `cbindgen` on top of
[the `rustc_driver` crate](https://doc.rust-lang.org/stable/nightly-rustc/rustc_driver/)).
* **Support of only `extern "C"` functions**.
* Supporting Rust functions that use the default calling convention would
require generating not only C/C++ headers, but also generating Rust
source with `extern "C"` thunks that trampoline into the original
function (requiring that `cbindgen` starts generating Rust sources).
* **Support of only `#[repr(C)]` structs**.
* Default memory layout of Rust structs is
[unspecified](https://rust-lang.github.io/unsafe-code-guidelines/layout/structs-and-tuples.html#default-layout-repr-rust:~:text=the%20default%20layout%20of%20structs%20is%20not%20specified)
and therefore cannot be determined by code examination at the `syn`
level.
* Even if the memory layout could be determined, the layout can change in
a future compiler version, or change depending on compilation command
line flags. To prevent using stale layout information, the
auto-generated FFI code should therefore include compile-time assertions
that the layout didn't change from the FFI generation time. The
assertions should be present both in the generated C/C++ headers *and*
on the Rust side (requiring that `cbindgen` starts generating Rust
sources). The assertions would effectively verify that the FFI
generation is driven by the build system (i.e. by Bazel, or Cargo, or
GN/ninja, rather than manually) and that the integration between the FFI
tools and the build system doesn't have any bugs (e.g. that it
faithfully replicates all relevent compilation flags).
**Evaluation**
cbindgen could be used in a project that can create a narrow `extern "C"` /
`#[repr(C)]` API and that is ready to manage the risk of incorrect name/module
resolution. Wrapping additional Rust APIs would require extra effort.
**Take-aways for Crubit design**
Notes and observations about `cbindgen` can guide some design aspects of
Crubit's [`cc_bindings_from_rs`](../cc_bindings_from_rs/README.md) tool
(that similarly to `cbindgen` generates C++ bindings for Rust crates).
Using internal compiler knowledge (e.g. memory layout of structs, name and type
resolution) requires that `cc_bindings_from_rs` depends on
`rustc_driver` and other internal crates of `rustc`. The API of these crates is
unstable which might increase the risk and maintenance cost of Crubit.
Nevertheless, our experience with maintaining tools based on (also unstable)
Clang APIs suggests that this extra risk and cost is likely going to be
acceptable.
Build determinism requires that the Rust compiler produces the same output for
the same set of inputs (the same compiler version, the same command-line flags,
the same sources, etc.). This means that (despite
[conservative reservations about layout determinism](https://rust-lang.github.io/unsafe-code-guidelines/layout/structs-and-tuples.html#default-layout-repr-rust:~:text=A%20note%20on%20determinism))
it should be okay to assume that `cc_bindings_from_rs` and `rustc` invocations
will observe the same memory layout of structs, but this requires that
`cc_bindings_from_rs` is built against exactly the same version of
`rustc_driver` libraries as `rustc`. (This should also be reinforced by
compile-time assertions in the generated FFI layer.)
### cxx
[cxx](https://cxx.rs/) generates **Rust bindings for C++ APIs and vice versa**
from an **interface definition language (IDL) included inline in Rust source
code.** cxx generates Rust and C++ source code from IDL definitions. To check
that the IDL definitions match the actual C++ API, cxx inserts static
assertions[^2] into the generated C++ code; it does not, however, read the C++
headers itself. cxx contains built-in bindings for various Rust and C++ standard
library types that are not customizable.
As far as we understand, cxx has the following design constraints and goals:
* **Ship a stable product for its intended audience.**
* As a consequence, improvements such as integrating move semantics are
not going to be accepted soon. We understand that cxx is not a vehicle
for experimentation. cxx maintainers would prefer us to first show that
our ideas work in a fork of cxx or in a different system, such as
autocxx, and that our improvements pull their weight given the added
complexity.
* **Remain simple and transparent.** There is a limit on the amount of
complexity that will be tolerated.
* There is a chance that improvements such as modeling C++ move semantics
or various attempts at eliminating thunks will not be ever accepted in
upstream cxx.
* **Non-goal: Automatically provide high fidelity interop.**
* cxx is designed for the use case of an executable where C++ and Rust
parts communicate through a narrow interface.
* **Non-goal: Automatically provide the most performant interop in as many
cases as possible.** For example:
* cxx does not attempt to eliminate C++-side thunks. Instead, using LTO is
recommended.
* cxx considers it acceptable to allocate all objects of "opaque" types on
the heap. Users who find these heap allocations unacceptable for
performance reasons are expected to implement a different C++ entry
point that does not hit this limitation and bind it to Rust instead of
the original C++ API. Heap allocation is acceptable for many C++ classes
in most environments, but the exceptions are important enough for us
that this is a major restriction.
**Pros**
* **Mature and ergonomic enough today for mixing C++ and Rust in existing
codebases with limited C++ interop needs.**
* We avoid being on a tech island.
**Cons**
* cxx’s stability goal makes it **hard to experiment with how the Rust API
looks.**
* **Our goals are unlikely to align well with the goals of the intended user
audience of cxx.** We would be pulling cxx in directions that make it a
worse product for its current users.
* **Almost no customizability**. Users who are not satisfied with what cxx
does are expected to wrap the target C++ API in a different C++ API that is
more friendly to cxx.
* cxx tries to be compatible with most standard C++ implementations found in
the real world, so it **cannot take advantage of unique guarantees provided
by the target execution environment.**
**Evaluation**
cxx could be used in projects with limited C++/Rust interop requirements.
However, we would not be able to implement many interop features that we
consider essential (for example, move semantics, templates).
### autocxx
[autocxx](https://github.com/google/autocxx) **automatically generates Rust
bindings from C++ headers**. As the name implies, it automatically generates IDL
definitions for cxx, which then produces the actual bindings. In addition,
autocxx generates its own Rust and C++ code to extend the Rust API beyond what
cxx itself would provide, for example to support passing POD types by value.
autocxx consumes C++ headers indirectly by first running bindgen on them and
then parsing the Rust code output by bindgen.
autocxx’s
[design goals](https://www.chromium.org/Home/chromium-security/memory-safety/rust-and-c-interoperability)
are similar to our own in this document.
We did a case study on using an existing project's C++ API from Rust using
autocxx.
**Pros**
* **Low barrier to entry**: Bindings are generated from C++ headers, no need
to write duplicate API definitions.
* **Ergonomic mappings** for many C++ constructs.
* **Open to contributions that change the generated Rust APIs** or make
architectural changes.
**Cons**
* **Relatively new and immature.**
* **Cannot (yet) consume complex headers without errors.** We’ve managed to
import some actual Spanner headers, but there are still enough outstanding
issues that we can’t yet do anything useful with Spanner.
* **Architecture can make modifications difficult.** autocxx is built on top
of two other tools, bindgen and cxx, and the interfaces between these
components can make it harder to make a modification than it would be in a
monolithic tool. Specifically:
* autocxx uses bindgen to generate a description of the C++ API that it
can parse easily (as opposed to trying to parse C++ headers either
directly or using Clang APIs). Since bindgen was not intended for this
purpose, its output lacks some information that autocxx needs, so
autocxx [has forked](https://crates.io/crates/autocxx-bindgen) bindgen
to adapt it to its needs. The forked version emits additional
information about the C++ API in the form of attributes attached to
various API elements.
* bindgen in turn is built on the libclang API, which doesn’t surface all
of the functionality available through Clang’s C++ API. Adding features
to libclang requires additional effort and has a 6 month lead time to
appear in a stable release (to become eligible to be used from bindgen).
* When errors occur, it can be hard to figure out which of the components
is responsible.
* Adding features can require touching multiple components, which requires
commits to multiple repositories.
**Evaluation**
We initially intended to use autocxx to prototype various interop ideas and
potentially as a basis for a field trial. We still believe this would be
feasible, but after trying to modify autocxx and its bindgen fork during an
internal C++/Rust interop study, we feel that autocxx’s complex architecture is
enough of an impediment that we could achieve our goals with less total effort
by creating an interop tool from scratch that consists of a single codebase and
uses the Clang C++ API to directly interface with Clang.
[^1]: Doing so would require either generating C++ source code or interfacing
deeply enough with Clang to generate object code for inline functions and
template instantiation.
[^2]: And tricks such as suitable type conversions that force the C++ compiler
to perform appropriate checks at compile time.