From: Boqun Feng <boqun.feng@gmail.com>
To: FUJITA Tomonori <fujita.tomonori@gmail.com>
Cc: netdev@vger.kernel.org, rust-for-linux@vger.kernel.org,
andrew@lunn.ch, miguel.ojeda.sandonis@gmail.com, greg@kroah.com,
tmgross@umich.edu
Subject: Re: [PATCH net-next v3 1/3] rust: core abstractions for network PHY drivers
Date: Thu, 12 Oct 2023 00:07:55 -0700
Message-ID: <ZSebS0pQfoF4eTsD@boqun-archlinux>
In-Reply-To: <20231012.154444.1868411153601666717.fujita.tomonori@gmail.com>

On Thu, Oct 12, 2023 at 03:44:44PM +0900, FUJITA Tomonori wrote:
> On Wed, 11 Oct 2023 23:34:18 -0700
> Boqun Feng <boqun.feng@gmail.com> wrote:
>
> > On Thu, Oct 12, 2023 at 02:58:24PM +0900, FUJITA Tomonori wrote:
> >> On Wed, 11 Oct 2023 11:29:45 -0700
> >> Boqun Feng <boqun.feng@gmail.com> wrote:
> >>
> >> > On Mon, Oct 09, 2023 at 10:39:10AM +0900, FUJITA Tomonori wrote:
> >> > [...]
> >> >> +impl Device {
> >> >> + /// Creates a new [`Device`] instance from a raw pointer.
> >> >> + ///
> >> >> + /// # Safety
> >> >> + ///
> >> >> + /// For the duration of the lifetime 'a, the pointer must be valid for writing and nobody else
> >> >> + /// may read or write to the `phy_device` object.
> >> >> + pub unsafe fn from_raw<'a>(ptr: *mut bindings::phy_device) -> &'a mut Self {
> >> >> + unsafe { &mut *ptr.cast() }
> >> >> + }
> >> >> +
> >> >> + /// Gets the id of the PHY.
> >> >> + pub fn phy_id(&mut self) -> u32 {
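Review bot: in `from_raw`, the `# Safety` section covers pointer validity and exclusive access but does not say from which context the function may be called, and the `unsafe { &mut *ptr.cast() }` block has no `// SAFETY:` comment explaining why casting `*mut bindings::phy_device` to `Self` is sound. Suggest stating the permitted caller context in `# Safety`, adding the `// SAFETY:` justification above the cast, and writing the lifetime as `'a` in backticks in the doc comment. `phy_id(&mut self)` is documented as a getter yet takes `&mut self`; its body is not visible here, so either take `&self` or document why exclusive access is required.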
> >> >
> >> > This function doesn't modify the `self`, why does this need to be a
> >> > `&mut self` function? Ditto for a few functions in this impl block.
> >> >
> >> > It seems you used `&mut self` for all the functions, which looks like
> >> > more design work is required here.
> >>
> >> Ah, I can drop all the mut here.
> >
> > It may not be that easy... IIUC, most of the functions in the `impl`
> > block can only be called correctly with phydev->lock held. In other
> > words, their usage requires exclusive accesses. We should somehow
> > express this in the type system, otherwise someone may lose track on
> > this requirement in the future (for example, calling any function
> > without the lock held).
> >
> > A simple type trick that comes to me is
> >
> >     impl Device {
> >         // rename `from_raw` into `assume_locked`
> >         pub unsafe fn assume_locked<'a>(ptr: *mut bindings::phy_device) -> &'a LockedDevice {
> >             ...
> >         }
> >     }
>
> Hmm, the concept of PHYLIB is that a driver never plays with a
> lock. From the perspective of PHYLIB, this abstraction is a PHY
> driver. The abstraction should not touch the lock.
>
Well, usually we want to describe such a constraint/requirement in the
type system, that's part of the Rust bindings, of course, for some
properties it may be hard, so it may be impossible.

> How can someone lose track on this requirement? The abstraction
> creates a Device instance only inside the callbacks.
>

Right now, yes. The code in the patch only "creates" a Device inside
the callbacks, but the `Device::from_raw` function doesn't mention any
of this requirement, if the design is only called inside the callbacks,
please add something in the function's `# Safety` requirement, since
violating this may cause memory safety issues.

Type system and unsafe comments are contracts, if one API has a limited
usage by design, people should be able to find it somewhere in the
contracts.

Regards,
Boqun
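
The `assume_locked` idea discussed in this message, as an added userspace sketch that is not code from the patch or from either author. `RawPhy`, its `lock_held` flag, `run_callback` and the id value are constructed stand-ins for `bindings::phy_device`, `phydev->lock` and the core's callback dispatch; unlike the snippet quoted above, it returns `&mut LockedDevice` so that a mutating accessor can be shown next to a read-only one.

```rust
use std::sync::atomic::{AtomicBool, Ordering};

/// Stand-in for `bindings::phy_device` (constructed for this example).
#[repr(C)]
pub struct RawPhy {
    lock_held: AtomicBool, // models phydev->lock
    phy_id: u32,
    speed: u32,
}

/// Unlocked view: deliberately has no accessors.
#[allow(dead_code)]
#[repr(transparent)]
pub struct Device(RawPhy);

/// Holding a reference to this type means "the lock is held".
#[repr(transparent)]
pub struct LockedDevice(RawPhy);

impl Device {
    /// # Safety
    ///
    /// For the duration of `'a`, `ptr` must be valid for writing, nobody else
    /// may access the object, and the caller must hold the device lock
    /// (here: call only from a callback entered with the lock held).
    pub unsafe fn assume_locked<'a>(ptr: *mut RawPhy) -> &'a mut LockedDevice {
        // SAFETY: `LockedDevice` is `repr(transparent)` over `RawPhy`; the
        // caller guarantees validity, exclusivity and the lock.
        unsafe { &mut *ptr.cast() }
    }
}

impl LockedDevice {
    pub fn phy_id(&self) -> u32 { self.0.phy_id } // read-only, so `&self`
    pub fn set_speed(&mut self, s: u32) { self.0.speed = s } // mutates, so `&mut self`
}

/// Models the core taking the lock around a driver callback.
pub fn run_callback(raw: &mut RawPhy, cb: fn(&mut LockedDevice) -> u32) -> u32 {
    assert!(!raw.lock_held.swap(true, Ordering::Acquire), "lock already held");
    // SAFETY: `raw` is a live exclusive borrow and the lock was taken above.
    let ret = cb(unsafe { Device::assume_locked(&mut *raw as *mut RawPhy) });
    raw.lock_held.store(false, Ordering::Release);
    ret
}

fn main() {
    let mut raw = RawPhy { lock_held: AtomicBool::new(false), phy_id: 0x1234_5678, speed: 0 };
    let id = run_callback(&mut raw, |d| { d.set_speed(1000); d.phy_id() });
    println!("id={id:#x} speed={}", raw.speed);
}
```

Because the accessors exist only on `LockedDevice`, the single `unsafe` call site is where the lock requirement has to be justified.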