Re: [PATCH] rust: alloc: use `spare_capacity_mut` to reduce unsafe

All of lore.kernel.org
 help / color / mirror / Atom feed

From: Danilo Krummrich <dakr@kernel.org>
To: Benno Lossin <benno.lossin@proton.me>
Cc: "Tamir Duberstein" <tamird@gmail.com>,
	"Miguel Ojeda" <ojeda@kernel.org>,
	"Alex Gaynor" <alex.gaynor@gmail.com>,
	"Boqun Feng" <boqun.feng@gmail.com>,
	"Gary Guo" <gary@garyguo.net>,
	"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
	"Andreas Hindborg" <a.hindborg@kernel.org>,
	"Alice Ryhl" <aliceryhl@google.com>,
	"Trevor Gross" <tmgross@umich.edu>,
	rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: alloc: use `spare_capacity_mut` to reduce unsafe
Date: Mon, 17 Mar 2025 18:30:55 +0100	[thread overview]
Message-ID: <Z9hcT4KPwgtHmiTT@cassiopeiae> (raw)
In-Reply-To: <D8IPQUN25M12.2CIZR4QHJ201N@proton.me>

On Mon, Mar 17, 2025 at 05:22:15PM +0000, Benno Lossin wrote:
> On Mon Mar 17, 2025 at 6:09 PM CET, Danilo Krummrich wrote:
> > On Mon, Mar 17, 2025 at 10:39:05AM -0400, Tamir Duberstein wrote:
> >> On Mon, Mar 17, 2025 at 10:34 AM Benno Lossin <benno.lossin@proton.me> wrote:
> >> > On Mon Mar 17, 2025 at 12:42 PM CET, Tamir Duberstein wrote:
> >> > > Use `spare_capacity_mut` in the implementation of `push` to reduce the
> >> > > use of `unsafe`. Both methods were added in commit 2aac4cd7dae3 ("rust:
> >> > > alloc: implement kernel `Vec` type").
> >> > >
> >> > > Signed-off-by: Tamir Duberstein <tamird@gmail.com>
> >> > > ---
> >> > >  rust/kernel/alloc/kvec.rs | 11 ++---------
> >> > >  1 file changed, 2 insertions(+), 9 deletions(-)
> >> > >
> >> > > diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> >> > > index ae9d072741ce..d2bc3d02179e 100644
> >> > > --- a/rust/kernel/alloc/kvec.rs
> >> > > +++ b/rust/kernel/alloc/kvec.rs
> >> > > @@ -285,15 +285,8 @@ pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit<T>] {
> >> > >      pub fn push(&mut self, v: T, flags: Flags) -> Result<(), AllocError> {
> >> > >          self.reserve(1, flags)?;
> >> > >
> >> > > -        // SAFETY:
> >> > > -        // - `self.len` is smaller than `self.capacity` and hence, the resulting pointer is
> >> > > -        //   guaranteed to be part of the same allocated object.
> >> > > -        // - `self.len` can not overflow `isize`.
> >> > > -        let ptr = unsafe { self.as_mut_ptr().add(self.len) };
> >> > > -
> >> > > -        // SAFETY:
> >> > > -        // - `ptr` is properly aligned and valid for writes.
> >> > > -        unsafe { core::ptr::write(ptr, v) };
> >> > > +        // The call to `reserve` was successful so the spare capacity is at least 1.
> >> > > +        self.spare_capacity_mut()[0].write(v);
> >> >
> >> > I think the code uses unsafe to avoid a bounds check, but I'm not 100%
> >> > sure. Danilo might remember more info.
> >
> > Yes, that was the justification to use unsafe calls instead.
> >
> > (This may also justify keeping dec_len() unsafe, since otherwise it would
> > introduce an additional boundary check for pop().)
> 
> If we use saturating_sub then we don't need a bounds check (at least on
> non-debug builds), right? 

	fn dec_len(&mut self, count: usize) -> &mut [T] {
	    self.len = self.len.saturating_sub(count);

	    // Potentially broken, since maybe `count > self.len`, hence need an
	    // additional check.
	    unsafe { slice::from_raw_parts_mut(self.as_mut_ptr().add(self.len), count) }
	}

next prev parent reply	other threads:[~2025-03-17 17:31 UTC|newest]

Thread overview: 11+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-03-17 11:42 [PATCH] rust: alloc: use `spare_capacity_mut` to reduce unsafe Tamir Duberstein
2025-03-17 11:50 ` Alice Ryhl
2025-03-17 14:34 ` Benno Lossin
2025-03-17 14:39   ` Tamir Duberstein
2025-03-17 17:09     ` Danilo Krummrich
2025-03-17 17:22       ` Benno Lossin
2025-03-17 17:30         ` Danilo Krummrich [this message]
2025-03-17 17:41           ` Benno Lossin
2025-03-17 17:55             ` Tamir Duberstein
2025-03-18  9:22               ` Alice Ryhl
2025-03-18 11:53                 ` Danilo Krummrich

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=Z9hcT4KPwgtHmiTT@cassiopeiae \
    --to=dakr@kernel.org \
    --cc=a.hindborg@kernel.org \
    --cc=alex.gaynor@gmail.com \
    --cc=aliceryhl@google.com \
    --cc=benno.lossin@proton.me \
    --cc=bjorn3_gh@protonmail.com \
    --cc=boqun.feng@gmail.com \
    --cc=gary@garyguo.net \
    --cc=linux-kernel@vger.kernel.org \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=tamird@gmail.com \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.