From: Alice Ryhl <aliceryhl@google.com>
To: Tamir Duberstein <tamird@gmail.com>
Cc: "Burak Emir" <bqe@google.com>,
"Yury Norov" <yury.norov@gmail.com>,
"Rasmus Villemoes" <linux@rasmusvillemoes.dk>,
"Viresh Kumar" <viresh.kumar@linaro.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v3] rust: add bindings and API for bitmap.h and bitops.h.
Date: Tue, 11 Mar 2025 10:13:59 +0000 [thread overview]
Message-ID: <Z9AM57PG08UuijDB@google.com> (raw)
In-Reply-To: <CAJ-ks9nR9AcqK8WfHDshG4h+K9PzEa8Lwr3odn99r34y=zzWgA@mail.gmail.com>
On Mon, Mar 10, 2025 at 12:44:59PM -0400, Tamir Duberstein wrote:
> Hi Burak, some comments inline. Hopefully I haven't missed important
> context from previous versions.
>
> On Mon, Mar 10, 2025 at 12:21 PM Burak Emir <bqe@google.com> wrote:
> > +/// # Invariants
> > +///
> > +/// * `ptr` is obtained from a successful call to `bitmap_zalloc` and
> > +/// holds the address of an initialized array of unsigned long
> > +/// that is large enough to hold `nbits` bits.
> > +pub struct Bitmap {
> > + /// Pointer to an array of unsigned long.
> > + ptr: NonNull<usize>,
> > + /// How many bits this bitmap stores. Must be < 2^32.
> > + nbits: usize,
>
> How come this isn't held as u32? There's a lot of conversion to u32
> sprinkled around.
Then we would need conversions to usize in other places. I think the
right choice of type in the public API here is usize, but the underlying
C API uses int in various places.
> > +#[cold]
> > +fn panic_not_in_bounds_lt(arg: &'static str, len: usize, val: usize) -> ! {
> > + panic!("{arg} must be less than length {len}, was {val}");
> > +}
>
> Have you considered using build_error or returning an error?
I think using build error for these is a bad idea. It's a hack that Rust
doesn't support well, and the optimizer will not always be able to prove
that the integer is in bounds.
> > + /// Constructs a new [`Bitmap`].
> > + ///
> > + /// Fails with AllocError if `nbits` is greater than or equal to 2^32,
> > + /// or when the bitmap could not be allocated.
> > + ///
> > + /// # Example
> > + ///
> > + /// ```
> > + /// # use kernel::bitmap::Bitmap;
> > + ///
> > + /// fn new_bitmap() -> Bitmap {
> > + /// Bitmap::new(128, GFP_KERNEL).unwrap()
> > + /// }
> > + /// ```
> > + #[inline]
> > + pub fn new(nbits: usize, flags: Flags) -> Result<Self, AllocError> {
> > + if let Ok(nbits_u32) = u32::try_from(nbits) {
> > + // SAFETY: nbits == 0 is permitted and nbits fits in u32.
> > + let ptr = unsafe { bindings::bitmap_zalloc(nbits_u32, flags.as_raw()) };
> > + // Zero-size allocation is ok and yields a dangling pointer.
> > + let ptr = NonNull::new(ptr).ok_or(AllocError)?;
> > + Ok(Bitmap { ptr, nbits })
> > + } else {
> > + Err(AllocError)
> > + }
> > + }
>
> Similar question to above: why return an error here but panic in the setters?
Out of memory is something the caller must handle. There's no way for
the caller to avoid it.
Out of bounds is a bug in the caller. The caller can avoid it by not
passing too large indices.
Alice
next prev parent reply other threads:[~2025-03-11 10:14 UTC|newest]
Thread overview: 14+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-10 16:19 [PATCH v3] rust: add bindings and API for bitmap.h and bitops.h Burak Emir
2025-03-10 16:44 ` Tamir Duberstein
[not found] ` <CACQBu=UB2etHuSFoCHYWw6YwzHry9rwkV6U3uoNe+E3BBW+NYg@mail.gmail.com>
[not found] ` <CAJ-ks9nN0MJ5pPS040CKY+aQOwX621TFtS_=L9T3WemJ0kwPdw@mail.gmail.com>
[not found] ` <CACQBu=VbcL6bWV2iEH_0bJW4yw0S2F0L7sA97KkBgfzqmOCMLA@mail.gmail.com>
2025-03-10 22:28 ` Burak Emir
2025-03-11 10:13 ` Alice Ryhl [this message]
2025-03-10 16:53 ` Miguel Ojeda
2025-03-10 18:18 ` Yury Norov
2025-03-10 19:14 ` Miguel Ojeda
2025-03-10 21:12 ` Burak Emir
2025-03-10 18:12 ` Yury Norov
2025-03-10 22:01 ` Burak Emir
2025-03-10 23:01 ` Yury Norov
2025-03-11 10:07 ` Alice Ryhl
2025-03-11 14:33 ` Yury Norov
2025-03-12 6:58 ` Alice Ryhl
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9AM57PG08UuijDB@google.com \
--to=aliceryhl@google.com \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=bqe@google.com \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=linux@rasmusvillemoes.dk \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
--cc=viresh.kumar@linaro.org \
--cc=yury.norov@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.