Re: [PATCH v13 1/6] rust: str: add radix prefixed integer parsing functions

[Andreas Hindborg <a.hindborg@kernel.org>]

"Benno Lossin" <lossin@kernel.org> writes:

> On Thu Jun 12, 2025 at 3:40 PM CEST, Andreas Hindborg wrote:
>> +pub trait ParseInt: private::FromStrRadix + TryFrom<u64> {
>> +    /// Parse a string according to the description in [`Self`].
>> +    fn from_str(src: &BStr) -> Result<Self> {
>> +        match src.deref() {
>> +            [b'-', rest @ ..] => {
>> +                let (radix, digits) = strip_radix(rest.as_ref());
>> +                // 2's complement values range from -2^(b-1) to 2^(b-1)-1.
>> +                // So if we want to parse negative numbers as positive and
>> +                // later multiply by -1, we have to parse into a larger
>> +                // integer. We choose `u64` as sufficiently large.
>> +                //
>> +                // NOTE: 128 bit integers are not available on all
>> +                // platforms, hence the choice of 64 bits.
>> +                let val =
>> +                    u64::from_str_radix(core::str::from_utf8(digits).map_err(|_| EINVAL)?, radix)
>> +                        .map_err(|_| EINVAL)?;
>> +
>> +                if val > Self::abs_min() {
>> +                    return Err(EINVAL);
>> +                }
>> +
>> +                if val == Self::abs_min() {
>> +                    return Ok(Self::MIN);
>> +                }
>> +
>> +                // SAFETY: We checked that `val` will fit in `Self` above.
>
> Sorry that it took me this long to realize, but this seems pretty weird.
> I guess this is why the `FromStrRadix` is `unsafe`.
>
> Can we just move this part of the code to `FromStrRadix` and make that
> trait safe?
>
> So essentially have:
>
>     fn from_u64(value: u64) -> Result<Self>;
>
> in `FromStrRadix` and remove `MIN`, `abs_min` and `complement`. Then
> implement it like this in the macro below:
>
>     const ABS_MIN = /* existing abs_min impl */;
>     if value > ABS_MIN {
>         return Err(EINVAL);
>     }
>     if val == ABS_MIN {
>         return Ok(<$ty>::MIN);
>     }
>     // SAFETY: We checked that `val` will fit in `Self` above.
>     let val: $ty = unsafe { val.try_into().unwrap_unchecked() };
>     (!val).wrapping_add(1)
>
> The reason that this is fine and the above is "weird" is the following:
> The current version only has `Self: FromStrRadix` which gives it access
> to the following guarantee from the `unsafe` trait:
>
>     /// The member functions of this trait must be implemented according to
>     /// their documentation.
>     ///
>     /// [`&BStr`]: kernel::str::BStr
>
> This doesn't mention `TryFrom<u64>` and thus the comment "We checked
> that `val` will fit in `Self` above" doesn't really apply: how does
> checking with the bounds given in `FromStrRadix` make `TryFrom` return
> `Ok`?

I'm having a difficult time parsing. Are you suggesting that we guard
against implementations of `TryInto<u64>` that misbehave?


Best regards,
Andreas Hindborg