From: Boqun Feng <boqun.feng@gmail.com>
To: Miguel Ojeda <miguel.ojeda.sandonis@gmail.com>
Cc: FUJITA Tomonori <fujita.tomonori@gmail.com>,
netdev@vger.kernel.org, rust-for-linux@vger.kernel.org,
andrew@lunn.ch, hkallweit1@gmail.com, tmgross@umich.edu,
ojeda@kernel.org, alex.gaynor@gmail.com, gary@garyguo.net,
bjorn3_gh@protonmail.com, benno.lossin@proton.me,
a.hindborg@samsung.com, aliceryhl@google.com,
anna-maria@linutronix.de, frederic@kernel.org,
tglx@linutronix.de, arnd@arndb.de, jstultz@google.com,
sboyd@kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH net-next v3 4/8] rust: time: Implement addition of Ktime and Delta
Date: Thu, 17 Oct 2024 10:03:21 -0700 [thread overview]
Message-ID: <ZxFDWRIrgkuneX7_@boqun-archlinux> (raw)
In-Reply-To: <CANiq72mbWVVCA_EjV_7DtMYHH_RF9P9Br=sRdyLtPFkythST1w@mail.gmail.com>
On Thu, Oct 17, 2024 at 06:33:23PM +0200, Miguel Ojeda wrote:
> On Thu, Oct 17, 2024 at 11:31 AM FUJITA Tomonori
> <fujita.tomonori@gmail.com> wrote:
> >
> > We could add the Rust version of add_safe method. But looks like
> > ktime_add_safe() is used by only some core systems so we don't need to
> > add it now?
>
> There was some discussion in the past about this -- I wrote there a
> summary of the `add` variants:
>
> https://lore.kernel.org/rust-for-linux/CANiq72ka4UvJzb4dN12fpA1WirgDHXcvPurvc7B9t+iPUfWnew@mail.gmail.com/
>
> I think this is a case where following the naming of the C side would
> be worse, i.e. where it is worth not applying our usual guideline.
> Calling something `_safe`/`_unsafe` like the C macros would be quite
> confusing for Rust.
>
> Personally, I would prefer that we stay consistent, which will help
> when dealing with more code. That is (from the message above):
>
> - No suffix: not supposed to wrap. So, in Rust, map it to operators.
> - `_unsafe()`: wraps. So, in Rust, map it to `wrapping` methods.
> - `_safe()`: saturates. So, in Rust, map it to `saturating` methods.
>
> (assuming I read the C code correctly back then.)
>
> And if there are any others that are Rust-unsafe, then map it to
> `unchecked` methods, of course.
>
The point I tried to make is that `+` operator of Ktime can cause
overflow because of *user inputs*, unlike the `-` operator of Ktime,
which cannot cause overflow as long as Ktime is implemented correctly
(as a timestamp). Because the overflow possiblity is exposed to users,
then we need to 1) document it and 2) provide saturating_add() (maybe
also checked_add() and overflowing_add()) so that users won't need to do
the saturating themselves:
let mut kt = Ktime::ktime_get();
let d: Delta = <maybe a userspace input>;
// kt + d may overflow, so checking
if let Some(_) = kt.as_ns().checked_add(d.as_nanos()) {
// not overflow, can add
kt = kt + d;
} else {
// set kt to KTIME_SEC_MAX
}
instead, they can do:
let kt = Ktime::ktime_get();
let d: Delta = <maybe a userspace input>;
kt = kt.saturating_add(d);
but one thing I'm not sure is since it looks like saturating to
KTIME_SEC_MAX is the current C choice, if we want to do the same, should
we use the name `add_safe()` instead of `saturating_add()`? FWIW, it
seems harmless to saturate at KTIME_MAX to me. So personally, I like
what Alice suggested.
Hope these make sense.
Regards,
Boqun
> Cheers,
> Miguel
next prev parent reply other threads:[~2024-10-17 17:03 UTC|newest]
Thread overview: 64+ messages / expand[flat|nested] mbox.gz Atom feed top
2024-10-16 3:52 [PATCH net-next v3 0/8] rust: Add IO polling FUJITA Tomonori
2024-10-16 3:52 ` [PATCH net-next v3 1/8] rust: time: Add PartialEq/Eq/PartialOrd/Ord trait to Ktime FUJITA Tomonori
2024-10-16 8:22 ` Alice Ryhl
2024-10-16 3:52 ` [PATCH net-next v3 2/8] rust: time: Introduce Delta type FUJITA Tomonori
2024-10-16 8:23 ` Alice Ryhl
2024-10-17 11:15 ` FUJITA Tomonori
2024-10-17 10:17 ` Fiona Behrens
2024-10-17 11:24 ` FUJITA Tomonori
2024-10-18 13:49 ` Andrew Lunn
2024-10-18 14:31 ` Miguel Ojeda
2024-10-18 16:55 ` Andrew Lunn
2024-10-19 12:21 ` Miguel Ojeda
2024-10-19 12:41 ` Miguel Ojeda
2024-10-23 11:53 ` FUJITA Tomonori
2024-10-23 13:09 ` Miguel Ojeda
2024-10-19 18:41 ` Andrew Lunn
2024-10-20 13:05 ` Miguel Ojeda
2024-10-23 12:19 ` FUJITA Tomonori
2024-10-16 3:52 ` [PATCH net-next v3 3/8] rust: time: Change output of Ktime's sub operation to Delta FUJITA Tomonori
2024-10-16 8:25 ` Alice Ryhl
2024-10-16 19:47 ` Boqun Feng
2024-10-17 7:10 ` FUJITA Tomonori
2024-10-17 8:22 ` Alice Ryhl
2024-10-17 16:45 ` Miguel Ojeda
2024-10-23 1:58 ` FUJITA Tomonori
2024-10-16 20:03 ` Boqun Feng
2024-10-17 9:17 ` FUJITA Tomonori
2024-10-16 3:52 ` [PATCH net-next v3 4/8] rust: time: Implement addition of Ktime and Delta FUJITA Tomonori
2024-10-16 8:25 ` Alice Ryhl
2024-10-16 19:54 ` Boqun Feng
2024-10-17 9:31 ` FUJITA Tomonori
2024-10-17 9:33 ` Alice Ryhl
2024-10-17 16:33 ` Miguel Ojeda
2024-10-17 17:03 ` Boqun Feng [this message]
2024-10-17 18:10 ` Miguel Ojeda
2024-10-17 19:02 ` Boqun Feng
2024-10-17 18:58 ` Miguel Ojeda
2024-10-25 20:47 ` Boqun Feng
2024-10-23 6:51 ` FUJITA Tomonori
2024-10-23 10:59 ` Miguel Ojeda
2024-10-23 11:24 ` FUJITA Tomonori
2024-10-16 3:52 ` [PATCH net-next v3 5/8] rust: time: Add wrapper for fsleep function FUJITA Tomonori
2024-10-16 8:29 ` Alice Ryhl
2024-10-16 9:42 ` Miguel Ojeda
2024-10-24 0:22 ` FUJITA Tomonori
2024-10-24 17:26 ` Miguel Ojeda
2024-10-23 12:33 ` FUJITA Tomonori
2024-10-18 14:05 ` Andrew Lunn
2024-10-16 3:52 ` [PATCH net-next v3 6/8] MAINTAINERS: rust: Add TIMEKEEPING and TIMER abstractions FUJITA Tomonori
2024-10-16 3:52 ` [PATCH net-next v3 7/8] rust: Add read_poll_timeout functions FUJITA Tomonori
2024-10-16 8:37 ` Alice Ryhl
2024-10-18 14:16 ` FUJITA Tomonori
2024-10-16 8:45 ` Alice Ryhl
2024-10-16 8:52 ` Alice Ryhl
2024-10-16 11:05 ` Miguel Ojeda
2024-10-18 8:10 ` FUJITA Tomonori
2024-10-18 8:30 ` Alice Ryhl
2024-10-18 14:15 ` Andrew Lunn
2024-10-18 14:38 ` Miguel Ojeda
2024-10-18 14:21 ` Andrew Lunn
2024-10-16 3:52 ` [PATCH net-next v3 8/8] net: phy: qt2025: Wait until PHY becomes ready FUJITA Tomonori
2024-10-16 12:00 ` Alice Ryhl
2024-10-18 14:26 ` [PATCH net-next v3 0/8] rust: Add IO polling Andrew Lunn
2024-10-23 4:01 ` FUJITA Tomonori
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ZxFDWRIrgkuneX7_@boqun-archlinux \
--to=boqun.feng@gmail.com \
--cc=a.hindborg@samsung.com \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=andrew@lunn.ch \
--cc=anna-maria@linutronix.de \
--cc=arnd@arndb.de \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=frederic@kernel.org \
--cc=fujita.tomonori@gmail.com \
--cc=gary@garyguo.net \
--cc=hkallweit1@gmail.com \
--cc=jstultz@google.com \
--cc=linux-kernel@vger.kernel.org \
--cc=miguel.ojeda.sandonis@gmail.com \
--cc=netdev@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=sboyd@kernel.org \
--cc=tglx@linutronix.de \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.