Re: [PATCH v3 09/25] rust: alloc: implement kernel `Box`

[Danilo Krummrich <dakr@kernel.org>]

On Thu, Aug 01, 2024 at 10:55:51AM +0200, Alice Ryhl wrote:
> On Thu, Aug 1, 2024 at 2:07 AM Danilo Krummrich <dakr@kernel.org> wrote:
> >
> > `Box` provides the simplest way to allocate memory for a generic type
> > with one of the kernel's allocators, e.g. `Kmalloc`, `Vmalloc` or
> > `KVmalloc`.
> >
> > In contrast to Rust's `Box` type, the kernel `Box` type considers the
> > kernel's GFP flags for all appropriate functions, always reports
> > allocation failures through `Result<_, AllocError>` and remains
> > independent from unstable features.
> >
> > Signed-off-by: Danilo Krummrich <dakr@kernel.org>
> >
> > [...]
> >
> > +    /// Constructs a `Box<T, A>` from a raw pointer.
> > +    ///
> > +    /// # Safety
> > +    ///
> > +    /// `raw` must point to valid memory, previously allocated with `A`, and at least the size of
> > +    /// type `T`.
> > +    #[inline]
> > +    pub const unsafe fn from_raw_alloc(raw: *mut T, alloc: PhantomData<A>) -> Self {
> > +        // SAFETY: Safe by the requirements of this function.
> > +        Box(unsafe { Unique::new_unchecked(raw) }, alloc)
> > +    }
> 
> I don't think it makes sense to take the PhantomData as a parameter.
> You can always create a PhantomData value out of thin air.
> 
> Box(unsafe { Unique::new_unchecked(raw) }, PhantomData)
> 
> > +    /// Consumes the `Box<T, A>`, returning a wrapped raw pointer and `PhantomData` of the allocator
> > +    /// it was allocated with.
> > +    pub fn into_raw_alloc(b: Self) -> (*mut T, PhantomData<A>) {
> > +        let b = ManuallyDrop::new(b);
> > +        let alloc = unsafe { ptr::read(&b.1) };
> > +        (b.0.as_ptr(), alloc)
> > +    }
> 
> I don't think there's any need to have this function. The caller can
> always create the PhantomData themselves. I would just keep into_raw
> only.

Agreed, I actually intended to remove this one and the above.

> 
> > +    /// Converts a `Box<T>` into a `Pin<Box<T>>`.
> > +    #[inline]
> > +    pub fn into_pin(b: Self) -> Pin<Self>
> > +    where
> > +        A: 'static,
> > +    {
> > +        // SAFETY: It's not possible to move or replace the insides of a `Pin<Box<T>>` when
> > +        // `T: !Unpin`, so it's safe to pin it directly without any additional requirements.
> > +        unsafe { Pin::new_unchecked(b) }
> > +    }
> 
> In the standard library, this functionality is provided using the From
> trait rather than an inherent method. I think it makes sense to match
> std here.

I already provide `impl<T, A> From<Box<T, A>> for Pin<Box<T, A>>` in this patch,
which just calls `Box::into_pin`.

> 
> > +impl<T, A> Drop for Box<T, A>
> > +where
> > +    T: ?Sized,
> > +    A: Allocator,
> > +{
> > +    fn drop(&mut self) {
> > +        let ptr = self.0.as_ptr();
> > +
> > +        // SAFETY: We need to drop `self.0` in place, before we free the backing memory.
> > +        unsafe { core::ptr::drop_in_place(ptr) };
> > +
> > +        // SAFETY: `ptr` is always properly aligned, dereferenceable and points to an initialized
> > +        // instance of `T`.
> > +        if unsafe { core::mem::size_of_val(&*ptr) } != 0 {
> > +            // SAFETY: `ptr` was previously allocated with `A`.
> > +            unsafe { A::free(self.0.as_non_null().cast()) };
> > +        }
> 
> You just destroyed the value by calling `drop_in_place`, so `ptr` no
> longer points at an initialized instance of `T`. Please compute
> whether the allocation has non-zero size before you call
> `drop_in_place`.

Huh! Good catch. No idea how I missed that.

> 
> Also, in normal Rust this code would leak the allocation on panic in
> the destructor. We may not care, but it's worth taking into account if
> anybody else copies this code to a different project with a different
> panic configuration.

I can add a corresponding note.

> 
> > +impl<T: 'static, A> ForeignOwnable for crate::alloc::Box<T, A>
> > +where
> > +    A: Allocator,
> > +{
> > +    type Borrowed<'a> = &'a T;
> > +
> > +    fn into_foreign(self) -> *const core::ffi::c_void {
> > +        crate::alloc::Box::into_raw(self) as _
> > +    }
> > +
> > +    unsafe fn borrow<'a>(ptr: *const core::ffi::c_void) -> &'a T {
> > +        // SAFETY: The safety requirements for this function ensure that the object is still alive,
> > +        // so it is safe to dereference the raw pointer.
> > +        // The safety requirements of `from_foreign` also ensure that the object remains alive for
> > +        // the lifetime of the returned value.
> > +        unsafe { &*ptr.cast() }
> > +    }
> > +
> > +    unsafe fn from_foreign(ptr: *const core::ffi::c_void) -> Self {
> > +        // SAFETY: The safety requirements of this function ensure that `ptr` comes from a previous
> > +        // call to `Self::into_foreign`.
> > +        unsafe { crate::alloc::Box::from_raw(ptr as _) }
> > +    }
> > +}
> 
> You may want to also implement ForeignOwnable for Pin<Box<T>>. See:
> https://lore.kernel.org/all/20240730-foreign-ownable-pin-box-v1-1-b1d70cdae541@google.com/

Yeah, I think I've also seen another patch that it about to add a function to
convert a `Box` back into uninit state.

Depending how fast you need ForeignOwnable for Pin<Box<T>>, do you prefer to
contribute a corresponding patch to this series?

> 
> Alice
>