From: Benno Lossin <benno.lossin@proton.me>
To: "Tamir Duberstein" <tamird@gmail.com>,
"Danilo Krummrich" <dakr@kernel.org>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Alice Ryhl" <aliceryhl@google.com>,
"Trevor Gross" <tmgross@umich.edu>
Cc: rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH v2] rust: alloc: use `spare_capacity_mut` to reduce unsafe
Date: Mon, 17 Mar 2025 17:42:37 +0000 [thread overview]
Message-ID: <D8IQ6GO56119.2JBP30MJWUK6Z@proton.me> (raw)
In-Reply-To: <20250317-vec-push-use-spare-v2-1-5dc6583f732c@gmail.com>
On Mon Mar 17, 2025 at 6:23 PM CET, Tamir Duberstein wrote:
> Use `spare_capacity_mut` in the implementation of `push` to reduce the
> use of `unsafe`. Both methods were added in commit 2aac4cd7dae3 ("rust:
> alloc: implement kernel `Vec` type").
>
> Reviewed-by: Alice Ryhl <aliceryhl@google.com>
> Signed-off-by: Tamir Duberstein <tamird@gmail.com>
One nit below, with or without that fixed:
Reviewed-by: Benno Lossin <benno.lossin@proton.me>
> ---
> Changes in v2:
> - Use `slice::get_unchecked_mut` to ensure we avoid a bounds check.
> (Benno Lossin)
> - Link to v1: https://lore.kernel.org/r/20250317-vec-push-use-spare-v1-1-7e025ef4ae14@gmail.com
> ---
> rust/kernel/alloc/kvec.rs | 11 ++---------
> 1 file changed, 2 insertions(+), 9 deletions(-)
>
> diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> index ae9d072741ce..b91b287e0d22 100644
> --- a/rust/kernel/alloc/kvec.rs
> +++ b/rust/kernel/alloc/kvec.rs
> @@ -285,15 +285,8 @@ pub fn spare_capacity_mut(&mut self) -> &mut [MaybeUninit<T>] {
> pub fn push(&mut self, v: T, flags: Flags) -> Result<(), AllocError> {
> self.reserve(1, flags)?;
>
> - // SAFETY:
> - // - `self.len` is smaller than `self.capacity` and hence, the resulting pointer is
> - // guaranteed to be part of the same allocated object.
> - // - `self.len` can not overflow `isize`.
> - let ptr = unsafe { self.as_mut_ptr().add(self.len) };
> -
> - // SAFETY:
> - // - `ptr` is properly aligned and valid for writes.
> - unsafe { core::ptr::write(ptr, v) };
> + // SAFETY: The call to `reserve` was successful so the spare capacity is at least 1.
> + unsafe { self.spare_capacity_mut().get_unchecked_mut(0) }.write(v);
IMO it's difficult to tell which operation is the `unsafe` one here, so
how about you factor the `spare_capacity_mut` call out.
---
Cheers,
Benno
>
> // SAFETY: We just initialised the first spare entry, so it is safe to increase the length
> // by 1. We also know that the new length is <= capacity because of the previous call to
>
> ---
> base-commit: cf25bc61f8aecad9b0c45fe32697e35ea4b13378
> change-id: 20250317-vec-push-use-spare-27484fd016a9
>
> Best regards,
next prev parent reply other threads:[~2025-03-17 17:42 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 17:23 [PATCH v2] rust: alloc: use `spare_capacity_mut` to reduce unsafe Tamir Duberstein
2025-03-17 17:42 ` Benno Lossin [this message]
2025-03-17 17:52 ` Tamir Duberstein
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=D8IQ6GO56119.2JBP30MJWUK6Z@proton.me \
--to=benno.lossin@proton.me \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=dakr@kernel.org \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox