Re: [PATCH v2] docs: rust: extend abstraction and binding documentation

rust-for-linux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed

From: Valentin Obst <kernel@valentinobst.de>
To: dirk.behme@de.bosch.com
Cc: kernel@valentinobst.de, ojeda@kernel.org,
	rust-for-linux@vger.kernel.org, tmgross@umich.edu
Subject: Re: [PATCH v2] docs: rust: extend abstraction and binding documentation
Date: Sun, 11 Feb 2024 08:54:13 +0100	[thread overview]
Message-ID: <20240211075413.3874-1-kernel@valentinobst.de> (raw)
In-Reply-To: <20240209070548.3693410-1-dirk.behme@de.bosch.com>

> +.. code-block::
> +
> +	                                                rust/bindings/
> +                                                       (rust/helpers.c)
> +
> +                                                          include/ -----+ <-+
> +                                                                        |   |
> +         drivers/              rust/kernel/              +----------+ <-+   |
> +           fs/                                           | bindgen  |       |
> +          .../            +-------------------+          +----------+ --+   |
> +                          |    Abstractions   |                         |   |
> +       +---------+        | +------+ +------+ |          +----------+   |   |
> +       | my_foo  | -----> | | foo  | | bar  | | -------> | Bindings | <-+   |
> +       | driver  |  Safe  | | sub- | | sub- | |  Unsafe  |          |       |
> +       +---------+        | |system| |system| |          | bindings | <-----+
> +            |             | +------+ +------+ |          |  crate   |       |
> +            |             |   kernel crate    |          +----------+       |
> +            |             +-------------------+                             |
> +            |                                                               |
> +            +------------------# FORBIDDEN #--------------------------------+
> +
> +The main idea is to encapsulate all unsafe handling in carefully reviewed
> +and documented abstractions. These are then considered to be sound. With this model
> +it is ensured that users of the abstractions ("my_foo driver") can't do anything
> +unsound if
> +
> +#. the abstractions are sound
> +#. they don't use ``unsafe()``

I'd like to follow up on some of the things that Miguel mentioned in his
earlier message:

- To make it clearer what is meant by "unsafe handling": One could say
  "... encapsulate all direct interaction with the kernel's C APIs ...".
  This requires using unsafe Rust, but also leaves the door open for
  drivers to use unsafe Rust, e.g., for performance optimizations or to
  call unsafe abstractions.
- To avoid saying that "... [abstractions] are considered to be sound
  [after review] ...": One could say "The goal must be that users of
  these abstractions cannot introduce undefined behavior as long as:
  1. The abstractions are correct, & 2. they uphold the preconditions
  of all unsafe operations that they perform."

> +
> +Bindings
> +~~~~~~~~
> +
> +By including a C header from ``include/`` into ``rust/bindings/bindings_helper.h``
> +the ``bindgen`` tool will auto-generate the bindings for the included subsystem.
> +See the ``*_generated.rs`` output files in the ``rust/bindings/`` directory.
> +
> +For parts of the C header ``bindgen`` doesn't auto generate, e.g. C ``inline``
> +functions or macros, there is the option to add a small wrapper function
> +to ``rust/helpers.c`` to make it available for the Rust side as well.
> +
> +Abstractions
> +~~~~~~~~~~~~
> +
> +Abstractions are the layer between the bindings and the in-kernel users. For example
> +the drivers or file systems written in Rust. They are located in ``rust/kernel/``
> +and their role is to encapsulate the unsafe access to the bindings into a safe API
> +that they expose to their users.

I'd think one should keep the "as-safe-as-possible" aspect here, as
there will always be cases where it is not possible to provide safe
abstractions.

Another aspect about these APIs that I don't see mentioned here is that
they should be "ergonomic", in the sense that they turn "C-ish"
interfaces into something that allows you to write "idiomatic" Rust
code. Basic examples would be to turn resource acquisition and release
into constructors and destructors or integer error codes into Results,
and so on. I'm not entirely sure to which extend this is covered by the
safety aspect (they have a non-zero overlap), but perhaps it is
something that could be mentioned here.

	- Best Valentin

> +

     prev parent reply	other threads:[~2024-02-11  7:54 UTC|newest]

Thread overview: 3+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2024-02-09  7:05 [PATCH v2] docs: rust: extend abstraction and binding documentation Dirk Behme
2024-02-10  7:37 ` Trevor Gross
2024-02-11  7:54 ` Valentin Obst [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20240211075413.3874-1-kernel@valentinobst.de \
    --to=kernel@valentinobst.de \
    --cc=dirk.behme@de.bosch.com \
    --cc=ojeda@kernel.org \
    --cc=rust-for-linux@vger.kernel.org \
    --cc=tmgross@umich.edu \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).