Re: [PATCH v4 2/3] rust: pci: impl TryFrom<&Device> for &pci::Device

[Benno Lossin <benno.lossin@proton.me>]

On Wed Apr 2, 2025 at 11:06 AM CEST, Danilo Krummrich wrote:
> On Wed, Apr 02, 2025 at 12:05:56AM +0000, Benno Lossin wrote:
>> On Tue Apr 1, 2025 at 3:51 PM CEST, Danilo Krummrich wrote:
>> > On Mon, Mar 24, 2025 at 06:32:53PM +0000, Benno Lossin wrote:
>> >> On Mon Mar 24, 2025 at 7:13 PM CET, Danilo Krummrich wrote:
>> >> > On Mon, Mar 24, 2025 at 05:36:45PM +0000, Benno Lossin wrote:
>> >> >> On Mon Mar 24, 2025 at 5:49 PM CET, Danilo Krummrich wrote:
>> >> >> > On Mon, Mar 24, 2025 at 04:39:25PM +0000, Benno Lossin wrote:
>> >> >> >> On Sun Mar 23, 2025 at 11:10 PM CET, Danilo Krummrich wrote:
>> >> >> >> > On Sat, Mar 22, 2025 at 11:10:57AM +0100, Danilo Krummrich wrote:
>> >> >> >> >> On Fri, Mar 21, 2025 at 08:25:07PM -0700, Greg KH wrote:
>> >> >> >> >> > Along these lines, if you can convince me that this is something that we
>> >> >> >> >> > really should be doing, in that we should always be checking every time
>> >> >> >> >> > someone would want to call to_pci_dev(), that the return value is
>> >> >> >> >> > checked, then why don't we also do this in C if it's going to be
>> >> >> >> >> > something to assure people it is going to be correct?  I don't want to
>> >> >> >> >> > see the rust and C sides get "out of sync" here for things that can be
>> >> >> >> >> > kept in sync, as that reduces the mental load of all of us as we travers
>> >> >> >> >> > across the boundry for the next 20+ years.
>> >> >> >> >> 
>> >> >> >> >> I think in this case it is good when the C and Rust side get a bit
>> >> >> >> >> "out of sync":
>> >> >> >> >
>> >> >> >> > A bit more clarification on this:
>> >> >> >> >
>> >> >> >> > What I want to say with this is, since we can cover a lot of the common cases
>> >> >> >> > through abstractions and the type system, we're left with the not so common
>> >> >> >> > ones, where the "upcasts" are not made in the context of common and well
>> >> >> >> > established patterns, but, for instance, depend on the semantics of the driver;
>> >> >> >> > those should not be unsafe IMHO.
>> >> >> >> 
>> >> >> >> I don't think that we should use `TryFrom` for stuff that should only be
>> >> >> >> used seldomly. A function that we can document properly is a much better
>> >> >> >> fit, since we can point users to the "correct" API.
>> >> >> >
>> >> >> > Most of the cases where drivers would do this conversion should be covered by
>> >> >> > the abstraction to already provide that actual bus specific device, rather than
>> >> >> > a generic one or some priv pointer, etc.
>> >> >> >
>> >> >> > So, the point is that the APIs we design won't leave drivers with a reason to
>> >> >> > make this conversion in the first place. For the cases where they have to
>> >> >> > (which should be rare), it's the right thing to do. There is not an alternative
>> >> >> > API to point to.
>> >> >> 
>> >> >> Yes, but for such a case, I wouldn't want to use `TryFrom`, since that
>> >> >> trait to me is a sign of a canonical way to convert a value.
>> >> >
>> >> > Well, it is the canonical way to convert, it's just that by the design of other
>> >> > abstractions drivers should very rarely get in the situation of needing it in
>> >> > the first place.
>> >> 
>> >> I'd still prefer it though, since one can spot a
>> >> 
>> >>     let dev = CustomDevice::checked_from(dev)?
>> >> 
>> >> much better in review than the `try_from` conversion. It also prevents
>> >> one from giving it to a generic interface expecting the `TryFrom` trait.
>> >
>> > (I plan to rebase this on my series introducing the Bound device context [1].)
>> >
>> > I thought about this for a while and I still think TryFrom is fine here.
>> 
>> What reasoning do you have?
>
> The concern in terms of abuse is that one could try to randomly guess the
> "outer" device type (if any), which obiously indicates a fundamental design
> issue.
>
> But that's not specific to devices; it is a common anti-pattern in OOP to
> randomly guess the subclass type of an object instance.
>
> So, I don't think the situation here is really that special such that it needs
> an extra highlight.

I re-read the docs on `TryFrom` and I have some new thoughts:
`TryFrom<device::Device> for pci::Device` is indeed similar to
`TryFrom<i64> for i32`. If the `device::Device` is embedded in a
`pci::Device`, then the `Ok` value is obvious. If not, then the error is
also clear and the user should do something in that case. So in this
regard, it's pretty natural to use `TryFrom`.

Now my initial thoughts were more on the side of if people should avoid
it, then it shouldn't be named `try_from`. But IIUC, most of the time
they won't be able to call `try_from`, since they already have the
correct type to begin with.

Ultimately this is your call to make, if you think that it's unlikely
that people will use the `try_from` in the wrong places, then go for it.

>> > At some point I want to replace this implementation with a macro, since the code
>> > is pretty similar for bus specific devices. I think that's a bit cleaner with
>> > TryFrom compared to with a custom method, since we'd need the bus specific
>> > device to call the macro from the generic impl, i.e.
>> >
>> > 	impl<Ctx: DeviceContext> Device<Ctx>
>> >
>> > rather than a specific one, which we can't control. We can control it for
>> > TryFrom though.
>> 
>> We could have our own trait for that.
>
> I don't think we should have a trait specific for devices for this. If we really
> think the above anti-pattern deserves special attention, then we should have a
> generic trait (e.g. FromSuper<T>) instead.
>
> But I'm not sure that we really need to put special attention on that.

That's fair, but I think then it would lose the `Device` specific docs
about not using it if there are other options.

---
Cheers,
Benno