From: Danilo Krummrich <dakr@kernel.org>
To: Alice Ryhl <aliceryhl@google.com>
Cc: "Tamir Duberstein" <tamird@gmail.com>,
"Benno Lossin" <benno.lossin@proton.me>,
"Miguel Ojeda" <ojeda@kernel.org>,
"Alex Gaynor" <alex.gaynor@gmail.com>,
"Boqun Feng" <boqun.feng@gmail.com>,
"Gary Guo" <gary@garyguo.net>,
"Björn Roy Baron" <bjorn3_gh@protonmail.com>,
"Andreas Hindborg" <a.hindborg@kernel.org>,
"Trevor Gross" <tmgross@umich.edu>,
rust-for-linux@vger.kernel.org, linux-kernel@vger.kernel.org
Subject: Re: [PATCH] rust: alloc: use `spare_capacity_mut` to reduce unsafe
Date: Tue, 18 Mar 2025 12:53:04 +0100 [thread overview]
Message-ID: <Z9leoGrF5pQeZ3tH@pollux> (raw)
In-Reply-To: <Z9k7cwE5UNOIyoXR@google.com>
On Tue, Mar 18, 2025 at 09:22:59AM +0000, Alice Ryhl wrote:
> On Mon, Mar 17, 2025 at 01:55:18PM -0400, Tamir Duberstein wrote:
> > > >
> > > > fn dec_len(&mut self, count: usize) -> &mut [T] {
> > > > self.len = self.len.saturating_sub(count);
> > > >
> > > > // Potentially broken, since maybe `count > self.len`, hence need an
> > > > // additional check.
> > > > unsafe { slice::from_raw_parts_mut(self.as_mut_ptr().add(self.len), count) }
> > > > }
> > >
> > > Ah sorry, in my mental model the function returned `()`. Do we need the
> > > return value?
> >
> > The return value is the whole genesis of `dec_len`, we want to return
> > something to let the caller know they need to drop or copy the memory.
>
> Hold on .. it returns &mut [T]. You're usually not allowed to take
> ownership of or drop values behind a mutable reference.
I think it should be fine. dec_len(), by returning this slice, indicates to the
caller what's left behind in case no action is taken.
Subsequent operations are unsafe anyways and can easily justify their validity
by saying that they only take over, what otherwise would have been left behind.
Do I miss anything?
prev parent reply other threads:[~2025-03-18 11:53 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-03-17 11:42 [PATCH] rust: alloc: use `spare_capacity_mut` to reduce unsafe Tamir Duberstein
2025-03-17 11:50 ` Alice Ryhl
2025-03-17 14:34 ` Benno Lossin
2025-03-17 14:39 ` Tamir Duberstein
2025-03-17 17:09 ` Danilo Krummrich
2025-03-17 17:22 ` Benno Lossin
2025-03-17 17:30 ` Danilo Krummrich
2025-03-17 17:41 ` Benno Lossin
2025-03-17 17:55 ` Tamir Duberstein
2025-03-18 9:22 ` Alice Ryhl
2025-03-18 11:53 ` Danilo Krummrich [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=Z9leoGrF5pQeZ3tH@pollux \
--to=dakr@kernel.org \
--cc=a.hindborg@kernel.org \
--cc=alex.gaynor@gmail.com \
--cc=aliceryhl@google.com \
--cc=benno.lossin@proton.me \
--cc=bjorn3_gh@protonmail.com \
--cc=boqun.feng@gmail.com \
--cc=gary@garyguo.net \
--cc=linux-kernel@vger.kernel.org \
--cc=ojeda@kernel.org \
--cc=rust-for-linux@vger.kernel.org \
--cc=tamird@gmail.com \
--cc=tmgross@umich.edu \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox