Re: [PATCH v13 1/6] rust: str: add radix prefixed integer parsing functions

["Benno Lossin" <lossin@kernel.org>]

On Thu Jun 12, 2025 at 3:40 PM CEST, Andreas Hindborg wrote:
> +pub trait ParseInt: private::FromStrRadix + TryFrom<u64> {
> +    /// Parse a string according to the description in [`Self`].
> +    fn from_str(src: &BStr) -> Result<Self> {
> +        match src.deref() {
> +            [b'-', rest @ ..] => {
> +                let (radix, digits) = strip_radix(rest.as_ref());
> +                // 2's complement values range from -2^(b-1) to 2^(b-1)-1.
> +                // So if we want to parse negative numbers as positive and
> +                // later multiply by -1, we have to parse into a larger
> +                // integer. We choose `u64` as sufficiently large.
> +                //
> +                // NOTE: 128 bit integers are not available on all
> +                // platforms, hence the choice of 64 bits.
> +                let val =
> +                    u64::from_str_radix(core::str::from_utf8(digits).map_err(|_| EINVAL)?, radix)
> +                        .map_err(|_| EINVAL)?;
> +
> +                if val > Self::abs_min() {
> +                    return Err(EINVAL);
> +                }
> +
> +                if val == Self::abs_min() {
> +                    return Ok(Self::MIN);
> +                }
> +
> +                // SAFETY: We checked that `val` will fit in `Self` above.

Sorry that it took me this long to realize, but this seems pretty weird.
I guess this is why the `FromStrRadix` is `unsafe`.

Can we just move this part of the code to `FromStrRadix` and make that
trait safe?

So essentially have:

    fn from_u64(value: u64) -> Result<Self>;

in `FromStrRadix` and remove `MIN`, `abs_min` and `complement`. Then
implement it like this in the macro below:

    const ABS_MIN = /* existing abs_min impl */;
    if value > ABS_MIN {
        return Err(EINVAL);
    }
    if val == ABS_MIN {
        return Ok(<$ty>::MIN);
    }
    // SAFETY: We checked that `val` will fit in `Self` above.
    let val: $ty = unsafe { val.try_into().unwrap_unchecked() };
    (!val).wrapping_add(1)

The reason that this is fine and the above is "weird" is the following:
The current version only has `Self: FromStrRadix` which gives it access
to the following guarantee from the `unsafe` trait:

    /// The member functions of this trait must be implemented according to
    /// their documentation.
    ///
    /// [`&BStr`]: kernel::str::BStr

This doesn't mention `TryFrom<u64>` and thus the comment "We checked
that `val` will fit in `Self` above" doesn't really apply: how does
checking with the bounds given in `FromStrRadix` make `TryFrom` return
`Ok`?

If we move this code into the implementation of `FromStrRadix`, then we
are locally in a context where we *know* the concrete type of `Self` and
can thus rely on "checking" being the correct thing for `TryFrom`.

With this adjustment, I can give my RB, but please let me take a look
before you send it again :)

---
Cheers,
Benno

> +                let val: Self = unsafe { val.try_into().unwrap_unchecked() };
> +
> +                Ok(val.complement())
> +            }
> +            _ => {
> +                let (radix, digits) = strip_radix(src);
> +                Self::from_str_radix(digits, radix).map_err(|_| EINVAL)
> +            }
> +        }
> +    }
> +}