Idiomatic Rust plugin system

 

I want to outsource some code for a plugin system. Inside my project, I have a trait called Provider which is the code for my plugin system. If you activate the feature "consumer" you can use plugins; if you don't, you are an author of plugins.

I want authors of plugins to get their code into my program by compiling to a shared library. Is a shared library a good design decision? The limitation of the plugins is using Rust anyway.

Does the plugin host have to go the C way for loading the shared library: loading an unmangled function?

I just want authors to use the trait Provider for implementing their plugins and that's it. After taking a look at sharedlib and libloading, it seems impossible to load plugins in a idiomatic Rust way.

I'd just like to load trait objects into my ProviderLoader : 

// lib.rs

pub struct Sample { ... }

pub trait Provider { 
    fn get_sample(&self) -> Sample;
}

pub struct ProviderLoader {
    plugins: Vec<Box<Provider>>
}

When the program is shipped, the file tree would look like: 

.
├── fancy_program.exe
└── providers
    ├── fp_awesomedude.dll
    └── fp_niceplugin.dll

Is that possible if plugins are compiled to shared libs? This would also affect the decision of the plugins' crate-type.

Do you have other ideas? Maybe I'm on the wrong path so that shared libs aren't the holy grail.

I first posted this on the Rust forum. A friend advised me to give it a try on Stack Overflow.

UPDATE 3/27/2018:

After using plugins this way for some time, I have to caution that in my experience things do get out of sync, and it can be very frustrating to debug (strange segfaults, weird OS errors). Even in cases where my team independently verified the dependencies were in sync, passing non-primitive structs between the dynamic library binaries tended to fail on OS X for some reason. I'd like to revisit this, find what cases it happens in, and perhaps open an issue with Rust, but I'm going to advise caution with this going forward.

LLDB and valgrind are near-essential to debug these issues.

Intro

I've been investigating things along these lines myself, and I've found there's little official documentation for this, so I decided to play around!

First let me note, as there is little official word on these properties please do not rely on any code here if you're trying to keep planes in the air or nuclear missiles from errantly launching, at least not without doing far more comprehensive testing than I've done. I'm not responsible if the code here deletes your OS and emails an erroneous tearful confession of committing the Zodiac killings to your local police; we're on the fringes of Rust here and things could change from one release or toolchain to another.

You can view my experimentation at the following Github repository: Rust Plugin Playground. This code is not particularly robust, but with minor tweaks to the PLUGIN_DIR static in host/src/lib.rs you can load plugins for debug/release as well as switching between .so/.dylib/.dll per OS. I have personally tested this on Rust 1.20 stable in both debug and release configurations on Windows 10 ( stable-x86_64-pc-windows-msvc ) and Cent OS 7 ( stable-x86_64-unknown-linux-gnu ). To test you'll have to manually cargo build (--release) the plugin crate, and then cargo test (--release) the host crate.

Approach

The approach I took was a shared common crate both crates listed as a dependency defining common struct and trait definitions. At first, I was also going to test having a struct with the same structure, or trait with the same definitions, defined independently in both libraries, but I opted against it because it's too fragile and you wouldn't want to do it in a real design. That said, if anybody wants to test this, feel free to do a PR on the repository above and I will update this answer.

In addition, the Rust plugin was declared dylib . I'm not sure how compiling as cdylib would interact, since I think it would mean that upon loading the plugin there are two versions of the Rust standard library hanging around (since I believe cdylib statically links the Rust stdlib into the shared object).

Tests

General Notes

  • The structs I tested were not declared #repr(C) . This could provide an extra layer of safety by guaranteeing a layout, but I was most curious about writing "pure" Rust plugins with as little "treating Rust like C" fiddling as possible. We already know you can use Rust via FFI by wrapping things in opaque pointers, manually dropping, and such, so it's not very enlightening to test this.
  • The function signature I used was pub fn foo(args) -> output with the #[no_mangle] directive, it turns out that rustfmt automatically changes extern "Rust" fn to simply fn . I'm not sure I agree with this in this case since they are most certainly "extern" functions here, but I will choose to abide by rustfmt .
  • Remember that even though this is Rust, this has elements of unsafety because libloading (or the unstable DynamicLib functionality) will not type check the symbols for you. At first I thought my Vec test was proving you couldn't pass Vecs between host and plugin until I realized on one end I had Vec<i32> and on the other I had Vec<usize>
  • Interestingly, there were a few times I pointed an optimized test build to an unoptimized plugin and vice versa and it still worked. However, I still can't in good faith recommending building plugins and host applications with different toolchains, and even if you do, I can't promise that for some reason rustc/llvm won't decide to do certain optimizations on one version of a struct and not another. In addition, I'm not sure if this means that passing types through FFI prevents certain optimizations such as Null Pointer Optimizations from occurring.
  • You're still limited to calling bare functions, no Foo::bar because of the lack of name mangling. In addition, due to the fact that functions with trait bounds are monomorphized, generic functions and structs are also out. The compiler can't know you're going to call foo<i32> so no foo<i32> is going to be generated. Any functions over the plugin boundary must take only concrete types and return only concrete types.
  • Similarly, you have to be careful with lifetimes for similar reasons, since there's no static lifetime checking Rust is forced to believe you when you say a function returns &'a when it's really &'b .

    • Native Rust

    The first tests I performed were on no custom structures; just pure, native Rust types. This would give a baseline for if this is even possible. I chose three baseline types: &mut i32 , &mut Vec , and Option<i32> -> Option<i32> . These were all chosen for very specific reasons: the &mut i32 because it tests a reference, the &mut Vec because it tests growing the heap from memory allocated in the host application, and the Option as a dual purpose of testing passing by move and matching a simple enum.

    All three work as expected. Mutating the reference mutates the value, pushing to a Vec works properly, and the Option works properly whether Some or None .

    Shared Struct Definition

    This was meant to test if you could pass a non-builtin struct with a common definition on both sides between plugin and host. This works as expected, but as mentioned in the "General Notes" section, can't promise you Rust won't fail to optimize and/or optimize a structure definition on one side and not another. Always test your specific use case and use CI in case it changes.

    Boxed Trait Object

    This test uses a struct whose definition is only defined on the plugin side, but implements a trait defined in a common crate, and returns a Box<Trait> . This works as expected. Calling trait_obj.fun() works properly.

    At first I actually anticipated there would be issues with dropping without making the trait explicitly have Drop as a bound, but it turns out Drop is properly called as well (this was verified by setting the value of a variable declared on the test stack via raw pointer from the struct's drop function). (Naturally I'm aware drop is always called even with trait objects in Rust, but I wasn't sure if dynamic libraries would complicate it).

    NOTE :

    I did not test what would happen if you load a plugin, create a trait object, then drop the plugin (which would likely close it). I can only assume this is potentially catastrophic. I recommend keeping the plugin open as long as the trait object persists.

    Remarks

    Plugins work exactly as you'd expect just linking a crate naturally, albeit with some restrictions and pitfalls. As long as you test, I think this is a very natural way to go. It makes symbol loading more bearable, for instance, if you only need to load a new function and then receive a trait object implementing an interface. It also avoids nasty C memory leaks because you couldn't or forgot to load a drop / free function. That said, be careful, and always test!

    There is no official plugin system, and you cannot do plugins loaded at runtime in pure Rust. I saw some discussions about doing a native plugin system, but nothing is decided for now, and maybe there will never be any such thing. You can use one of these solutions:

  • You can extend your code with native dynamic libraries using FFI. To use the C ABI, you have to use repr(C) , no_mangle attribute, extern etc. You will find more information by searching Rust FFI on the internets. With this solution, you must use raw pointers: they come with no safety guarantee (ie you must use unsafe code).

    Of course, you can write your dynamic library in Rust, but to load it and call the functions, you must go through the C ABI. This means that the safety guarantees of Rust do not apply there. Furthermore, you cannot use the highest level Rust's functionalities as trait , enum , etc. between the library and the binary.

  • If you do not want this complexity, you can use a language adapted to expand Rust: with which you can dynamically add functions to your code and execute them with same guarantees as in Rust. This is, in my opinion, the easier way to go: if you have the choice, and if the execution speed is not critical, use this to avoid tricky C/Rust interfaces .

    Here is a (not exhaustive) list of languages that can easily extend Rust:

  • Gluon, a functional language like Haskell
  • Dyon, a small but powerful scripting language intended for video games
  • Lua with rlua or hlua

    • You can also use Python or Javascript, or see the list in awesome-rust.

    链接地址: http://www.djcxy.com/p/96500.html

    上一篇: Kubernetes Pod以CrashLoopBackOff失败

    下一篇: 习惯Rust插件系统