Re: [PATCH v6 4/4] rust: add abstraction for `struct page`

[Benno Lossin <benno.lossin@proton.me>]

On 19.04.24 19:23, Boqun Feng wrote:
> On Fri, Apr 19, 2024 at 08:36:11AM +0000, Benno Lossin wrote:
>> On 19.04.24 01:04, Boqun Feng wrote:
>>> On Thu, Apr 18, 2024 at 03:56:11PM -0700, Boqun Feng wrote:
>>>> On Thu, Apr 18, 2024 at 10:08:40PM +0000, Benno Lossin wrote:
>>>>> On 18.04.24 20:52, Boqun Feng wrote:
>>>>>> On Thu, Apr 18, 2024 at 08:59:20AM +0000, Alice Ryhl wrote:
>>>>>>> +    /// Runs a piece of code with a raw pointer to a slice of this page, with bounds checking.
>>>>>>> +    ///
>>>>>>> +    /// If `f` is called, then it will be called with a pointer that points at `off` bytes into the
>>>>>>> +    /// page, and the pointer will be valid for at least `len` bytes. The pointer is only valid on
>>>>>>> +    /// this task, as this method uses a local mapping.
>>>>>>> +    ///
>>>>>>> +    /// If `off` and `len` refers to a region outside of this page, then this method returns
>>>>>>> +    /// `EINVAL` and does not call `f`.
>>>>>>> +    ///
>>>>>>> +    /// # Using the raw pointer
>>>>>>> +    ///
>>>>>>> +    /// It is up to the caller to use the provided raw pointer correctly. The pointer is valid for
>>>>>>> +    /// `len` bytes and for the duration in which the closure is called. The pointer might only be
>>>>>>> +    /// mapped on the current thread, and when that is the case, dereferencing it on other threads
>>>>>>> +    /// is UB. Other than that, the usual rules for dereferencing a raw pointer apply: don't cause
>>>>>>> +    /// data races, the memory may be uninitialized, and so on.
>>>>>>> +    ///
>>>>>>> +    /// If multiple threads map the same page at the same time, then they may reference with
>>>>>>> +    /// different addresses. However, even if the addresses are different, the underlying memory is
>>>>>>> +    /// still the same for these purposes (e.g., it's still a data race if they both write to the
>>>>>>> +    /// same underlying byte at the same time).
>>>>>>> +    fn with_pointer_into_page<T>(
>>>>>>> +        &self,
>>>>>>> +        off: usize,
>>>>>>> +        len: usize,
>>>>>>> +        f: impl FnOnce(*mut u8) -> Result<T>,
>>>>>>
>>>>>> I wonder whether the way to go here is making this function signature:
>>>>>>
>>>>>>        fn with_slice_in_page<T> (
>>>>>>            &self,
>>>>>> 	       off: usize,
>>>>>> 	       len: usize,
>>>>>> 	       f: iml FnOnce(&UnsafeCell<[u8]>) -> Result<T>
>>>>>>        ) -> Result<T>
>>>>>>
>>>>>> , because in this way, it makes a bit more clear that what memory that
>>>>>> `f` can access, in other words, the users are less likely to use the
>>>>>> pointer in a wrong way.
>>>>>>
>>>>>> But that depends on whether `&UnsafeCell<[u8]>` is the correct
>>>>>> abstraction and the ecosystem around it: for example, I feel like these
>>>>>> two functions:
>>>>>>
>>>>>> 	    fn len(slice: &UnsafeCell<[u8]>) -> usize
>>>>>> 	    fn as_ptr(slice: &UnsafeCell<[u8]>) -> *mut u8
>>>>>>
>>>>>> should be trivially safe, but I might be wrong. Again this is just for
>>>>>> future discussion.
>>>>>
>>>>> I think the "better" type would be `&[UnsafeCell<u8>]`. Since there you
>>>>> can always access the length.
>>>>>
>>>>
>>>> Hmm.. here is the thing, having `&UnsafeCell<[u8]>` means having a `*mut
>>>> [u8]>`, and it should always be safe to get a "length" of `*mut [u8]`,
>>>> right? I haven't found any method doing that, but the length should be
>>>> just a part of fat pointer, so I think getting that is a defined
>>>> behavior. But maybe I'm missing something.
>>
>> There is `to_raw_parts` [1], but that is unstable. (Note that
>> `<[T] as Pointee>::Metadata = usize`, see [2])
>>
> 
> Oh, that's good to know, thank you! ;-)
>
>>> Hmm... but I guess one of the problems of this approach, is how to
>>> construct a `&UnsafeCell<[u8]>` from a pointer and length...
>>
>> We could use `from_raw_parts` [3]. But when making the slice the outer
>> type, we can use a stable function to convert a pointer and a length to
>> a slice [4].
>>
> 
> Yes, but there appears no way to get a pointer with larger provenance
> from a `&[UnsafeCell<u8>]`, right?

What do you mean by "larger provenance"?

>>>>> Another question would be if page allows for uninitialized bits, in that
>>>>> case, we would need `&[Opaque<u8>]`.
>>>>>
>>>>
>>>> Yes, or `&Opaque<[u8>]`.
>>
>> I don't think that putting the slice on the inside is what we want. Also
> 
> Hmm.. why? So in `&UnsafeCell<[u8]>` vs `&[UnsafeCell<u8>]` case, I
> think the former represent "a slice of u8 that can be modified in the
> same time" very well, and this is what a pointer-and-length pair usually
> represents in kernel, I think. But yes, the latter is OK to me as well,
> just hard to play the provenance game I guess?

Ultimately it again comes down to missing field projections :)

The type `&UnsafeCell<[u8]>` is less *useful*, since you cannot even get
the length of the slice. Also indexing into this type is not easily
possible. This is because the only way to get/change the inner value of
an `UnsafeCell` is via `get`.

Compare this with the slice type. It allows getting the length, indexing
into it (ie a form of field projections, if we consider slices as having
a variable amount of fields).

All those issues would be solved by (good) field projections.


Field projections also give a reason for why using `&[UnsafeCell<u8>]`
is not really different from `&UnsafeCell<[u8]>`: At any point in time
we ought to be able to project `&UnsafeCell<[u8]> -> &[UnsafeCell<u8>]`.

So it's fine to just use that from the get-go.

>> note that `Opaque<T>` requires that `T: Sized` and that is not the case
>> for `[u8]`.
> 
> Oh, you're right. In case of MaybeUninit, it requires `T: Sized`, so
> `Opaque<[u8]>` doesn't quite work.
> 
> Moving forward, maybe the first step is to see whether `&[Opaque<u8>]`
> and `&[UnsafeCell<u8>]` can have a good way to generate a pointer with
> proper provenance? Time to ping t-opsem maybe?

Good idea, do you want to do that, or should I do it?

-- 
Cheers,
Benno