2017-05-21 21:47:32 -04:00
|
|
|
# rlua -- High level bindings between Rust and Lua
|
|
|
|
|
2017-05-22 23:24:30 -04:00
|
|
|
[![Build Status](https://travis-ci.org/chucklefish/rlua.svg?branch=master)](https://travis-ci.org/chucklefish/rlua)
|
2018-02-10 19:04:18 -05:00
|
|
|
[![Latest Version](https://img.shields.io/crates/v/rlua.svg)](https://crates.io/crates/rlua)
|
|
|
|
[![API Documentation](https://docs.rs/rlua/badge.svg)](https://docs.rs/rlua)
|
2017-05-22 23:24:30 -04:00
|
|
|
|
2018-02-10 19:04:18 -05:00
|
|
|
[Guided Tour](examples/guided_tour.rs)
|
2017-06-25 22:25:28 -04:00
|
|
|
|
2018-03-12 17:50:48 -04:00
|
|
|
This library is a high level interface between Rust and Lua. Its major goals
|
|
|
|
are to expose as easy to use, practical, and flexible of an API between Rust and
|
|
|
|
Lua as possible, while also being *completely* safe.
|
|
|
|
|
|
|
|
`rlua` is NOT designed to be a perfect zero cost wrapper over the Lua C API,
|
|
|
|
because such a wrapper cannot maintain the safety guarantees that `rlua` is
|
|
|
|
designed to have. Every place where the Lua C API may trigger an error longjmp
|
|
|
|
in any way is protected by `lua_pcall`, and the user of the library is protected
|
|
|
|
from directly interacting with unsafe things like the Lua stack, and there is
|
|
|
|
overhead associated with this safety. However, performance *is* a focus of the
|
|
|
|
library to the extent possible while maintaining safety, so if you encounter
|
|
|
|
something that egregiously worse than using the Lua C API directly, or simply
|
|
|
|
something you feel could perform better, feel free to file a bug report.
|
2018-02-10 17:50:04 -05:00
|
|
|
|
|
|
|
There are currently a few missing pieces of this API:
|
|
|
|
|
2018-01-26 21:36:13 -05:00
|
|
|
* Security limits on Lua code such as total instruction limits / memory limits
|
|
|
|
and control over which potentially dangerous libraries (e.g. io) are
|
|
|
|
available to scripts.
|
2017-05-22 10:52:32 -04:00
|
|
|
* Lua profiling support
|
2017-06-25 18:27:10 -04:00
|
|
|
* "Context" or "Sandboxing" support. There should be the ability to set the
|
|
|
|
`_ENV` upvalue of a loaded chunk to a table other than `_G`, so that you can
|
|
|
|
have different environments for different loaded chunks.
|
2018-03-12 17:50:48 -04:00
|
|
|
* Quantifying performance differences to direct use of the Lua C API.
|
2017-05-21 21:47:32 -04:00
|
|
|
|
|
|
|
Additionally, there are ways I would like to change this API, once support lands
|
|
|
|
in rustc. For example:
|
|
|
|
|
2017-08-02 17:04:44 -04:00
|
|
|
* Currently, variadics are handled entirely with tuples and traits implemented
|
|
|
|
by macro for tuples up to size 12, it would be great if this was replaced
|
2018-02-10 17:50:04 -05:00
|
|
|
with real variadic generics when this is available in Rust.
|
2017-05-21 21:47:32 -04:00
|
|
|
|
2017-10-14 18:53:05 -04:00
|
|
|
## API stability
|
2017-05-22 03:09:59 -04:00
|
|
|
|
2017-10-14 18:53:05 -04:00
|
|
|
This library is very much Work In Progress, so there is a some API churn.
|
|
|
|
Currently, it follows a pre-1.0 semver, so all API changes should be accompanied
|
|
|
|
by 0.x version bumps.
|
2017-05-22 03:09:59 -04:00
|
|
|
|
2017-06-25 18:27:10 -04:00
|
|
|
## Safety and panics
|
2017-05-21 22:04:32 -04:00
|
|
|
|
2017-08-02 17:04:44 -04:00
|
|
|
The goal of this library is complete safety, it should not be possible to cause
|
|
|
|
undefined behavior whatsoever with the API, even in edge cases. There is,
|
|
|
|
however, QUITE a lot of unsafe code in this crate, and I would call the current
|
2018-02-11 06:23:52 -05:00
|
|
|
safety level of the crate "Work In Progress". Still, I am not *currently* aware
|
|
|
|
of any way to cause UB, and UB is considered the most serious kind of bug, so if
|
|
|
|
you find the ability to cause UB with this API *at all*, please file a bug
|
|
|
|
report.
|
2017-06-25 18:27:10 -04:00
|
|
|
|
2018-02-10 17:50:04 -05:00
|
|
|
Another goal of this library is complete protection from panics and aborts.
|
|
|
|
Currently, it should not be possible for a script to trigger a panic or abort
|
|
|
|
(with some important caveats described below). Similarly to the safety goal,
|
|
|
|
there ARE several internal panics and even aborts in `rlua` source, but they
|
|
|
|
should not be possible to trigger, and if you trigger them this should be
|
|
|
|
considered a bug.
|
|
|
|
|
2018-03-12 17:50:48 -04:00
|
|
|
Caveats to the panic / abort guarantee:
|
2018-02-10 17:50:04 -05:00
|
|
|
|
|
|
|
* `rlua` reserves the right to panic on API usage errors. Currently, the only
|
2018-03-12 18:13:22 -04:00
|
|
|
time this will happen is when passed a handle type from a mismatched `Lua`
|
|
|
|
instance.
|
2018-02-10 17:50:04 -05:00
|
|
|
* Currently, there are no memory or execution limits on scripts, so untrusted
|
|
|
|
scripts can always at minimum infinite loop or allocate arbitrary amounts of
|
|
|
|
memory.
|
2017-12-04 01:47:04 -05:00
|
|
|
* The internal Lua allocator is set to use `realloc` from `libc`, but it is
|
2018-02-10 17:50:04 -05:00
|
|
|
wrapped in such a way that OOM errors are guaranteed to *abort*. This is
|
2018-02-10 19:13:56 -05:00
|
|
|
not currently such a huge deal outside of untrusted scripts, as this matches
|
|
|
|
the behavior of Rust itself. Doing this allows the internals of `rlua` to,
|
|
|
|
in certain cases, call 'm' Lua C API functions with the garbage collector
|
|
|
|
disabled and know that these cannot error. Eventually, `rlua` will support
|
|
|
|
memory limits on scripts, and those memory limits will cause regular memory
|
|
|
|
errors rather than OOM aborts.
|
2018-03-06 07:04:50 -05:00
|
|
|
* `rustc` version `1.24.0` on Windows contains a
|
|
|
|
[bug](https://github.com/rust-lang/rust/issues/48251) which affects `rlua`
|
|
|
|
error handling, turning any Lua script error into an abort. If you are
|
|
|
|
using Rust `1.24.0` on windows, please upgrade to `1.24.1`.
|
2018-02-10 17:50:04 -05:00
|
|
|
|
|
|
|
Yet another goal of the library is to, in all cases, safely handle panics
|
|
|
|
generated by Rust callbacks. Panic unwinds in Rust callbacks should currently
|
|
|
|
be handled correctly -- the unwind is caught and carried across the Lua API
|
2018-02-10 18:00:53 -05:00
|
|
|
boundary as a regular Lua error in a way that prevents Lua from catching it.
|
2018-02-10 17:50:04 -05:00
|
|
|
This is done by overriding the normal Lua 'pcall' and 'xpcall' with custom
|
|
|
|
versions that cannot catch errors that are actually from Rust panics, and by
|
2018-02-10 18:00:53 -05:00
|
|
|
handling panic errors on the receiving Rust side by resuming the panic.
|
2018-02-10 17:50:04 -05:00
|
|
|
|
Change strategies for handling the Lua stack during panics
Previously, on an internal panic, the Lua stack would be reset before panicking
in an attempt to make sure that such panics would not cause stack leaks or leave
the stack in an unknown state. Now, such panic handling is done in stack_guard
and stack_err_guard instead, and this is for a few reasons:
1) The previous approach did NOT handle user triggered panics that were outside
of `rlua`, such as a panic in a ToLua / FromLua implementation. This is
especially bad since most other panics would be indicative of an internal bug
anyway, so the utility of keeping `rlua` types usable after such panics was
questionable. It is much more sensible to ensure that `rlua` types are
usable after *user generated* panics.
2) Every entry point into `rlua` should be guarded by a stack_guard or
stack_err_guard anyway, so this should restore the Lua stack on exiting back
to user code in all cases.
3) The method of stack restoration no longer *clears* the stack, only resets it
to what it previously was. This allows us, potentially, to keep values at
the beginning of the Lua stack long term and know that panics will not
clobber them. There may be a way of dramatically speeding up ref types by
using a small static area at the beginning of the stack instead of only the
registry, so this may be important.
2018-03-08 10:59:50 -05:00
|
|
|
`rlua` should also be panic safe in another way as well, which is that any `Lua`
|
|
|
|
instances or handles should remain usable after a user triggered panic, and such
|
|
|
|
panics should not break internal invariants or leak Lua stack space. This is
|
|
|
|
mostly important to safely use `rlua` types in Drop impls, as you should not be
|
|
|
|
using panics for general error handling.
|
|
|
|
|
2018-02-10 17:50:04 -05:00
|
|
|
In summary, here is a list of `rlua` behaviors that should be considered a bug.
|
|
|
|
If you encounter them, a bug report would be very welcome:
|
|
|
|
|
2018-02-11 06:23:52 -05:00
|
|
|
* If you can cause UB at all with `rlua` without typing the word "unsafe",
|
2018-02-11 18:12:20 -05:00
|
|
|
this is absolutely 100% a bug.
|
2018-02-10 17:50:04 -05:00
|
|
|
* If your code panics / aborts with a message that contains the string "rlua
|
|
|
|
internal error", this is a bug.
|
|
|
|
* The above is true even for the internal panic about running out of stack
|
|
|
|
space! There are a few ways to generate normal script errors by running out
|
|
|
|
of stack, but if you encounter a *panic* based on running out of stack, this
|
|
|
|
is a bug.
|
2018-02-11 18:12:20 -05:00
|
|
|
* If you load the "debug" library (which requires typing "unsafe"), every
|
|
|
|
safety / panic / abort guarantee goes out the window. The debug library can
|
|
|
|
be used to do extremely scary things. If you use the debug library and
|
|
|
|
encounter a bug, it may still very well be a bug, but try to find a
|
|
|
|
reproduction that does not involve the debug library first.
|
2018-02-10 17:50:04 -05:00
|
|
|
* When the internal version of Lua is built using the `gcc` crate, and
|
|
|
|
`cfg!(debug_assertions)` is true, Lua is built with the `LUA_USE_APICHECK`
|
|
|
|
define set. Any abort caused by this internal Lua API checking is
|
|
|
|
*absolutely* a bug, particularly because without `LUA_USE_APICHECK` it would
|
|
|
|
generally be unsafe.
|
2018-02-10 17:59:20 -05:00
|
|
|
* Lua C API errors are handled by lonjmp. *ALL* instances where the Lua C API
|
2018-02-19 18:16:43 -05:00
|
|
|
would longjmp should be protected from Rust, except in internal callbacks
|
|
|
|
where this is intentional. If you detect that `rlua` is triggering a
|
|
|
|
longjmp over your Rust stack frames, this is a bug!
|
2018-03-06 07:04:50 -05:00
|
|
|
* If you can somehow handle a panic in a Rust callback from Lua, this is a
|
|
|
|
bug.
|
Change strategies for handling the Lua stack during panics
Previously, on an internal panic, the Lua stack would be reset before panicking
in an attempt to make sure that such panics would not cause stack leaks or leave
the stack in an unknown state. Now, such panic handling is done in stack_guard
and stack_err_guard instead, and this is for a few reasons:
1) The previous approach did NOT handle user triggered panics that were outside
of `rlua`, such as a panic in a ToLua / FromLua implementation. This is
especially bad since most other panics would be indicative of an internal bug
anyway, so the utility of keeping `rlua` types usable after such panics was
questionable. It is much more sensible to ensure that `rlua` types are
usable after *user generated* panics.
2) Every entry point into `rlua` should be guarded by a stack_guard or
stack_err_guard anyway, so this should restore the Lua stack on exiting back
to user code in all cases.
3) The method of stack restoration no longer *clears* the stack, only resets it
to what it previously was. This allows us, potentially, to keep values at
the beginning of the Lua stack long term and know that panics will not
clobber them. There may be a way of dramatically speeding up ref types by
using a small static area at the beginning of the stack instead of only the
registry, so this may be important.
2018-03-08 10:59:50 -05:00
|
|
|
* If you detect that, after catching a panic, a `Lua` or handle method is
|
|
|
|
triggering other bugs or there is a Lua stack space leak, this is a bug.
|
|
|
|
`rlua` instances are supposed to remain fully usable in the face of user
|
|
|
|
triggered panics. This guarantee does NOT extend to panics marked with
|
|
|
|
"rlua internal error" simply because that is already indicative of a
|
|
|
|
separate bug, but it may be true in many cases anyway.
|