[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-Id: <B0E3D539-2D29-4BB4-9CB7-98672F590A57@collabora.com>
Date: Fri, 19 Jul 2024 13:36:31 -0300
From: Daniel Almeida <daniel.almeida@...labora.com>
To: Benno Lossin <benno.lossin@...ton.me>
Cc: Jonathan Corbet <corbet@....net>,
Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>,
Wedson Almeida Filho <wedsonaf@...il.com>,
Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...sung.com>,
Alice Ryhl <aliceryhl@...gle.com>,
linux-doc@...r.kernel.org,
linux-kernel@...r.kernel.org,
rust-for-linux@...r.kernel.org
Subject: Re: [RFC PATCH 2/5] doc: rust: safety standard: add examples
Sorry, ended up replying to this using my personal email.
Sending it again.
—————
Hi Benno,
> On 17 Jul 2024, at 19:12, Benno Lossin <benno.lossin@...ton.me> wrote:
>
> Add examples of good and bad safety documentation.
>
> There aren't many examples at the moment, as I hope to add more during
> discussions, since coming up with examples on my own is very difficult.
>
> Signed-off-by: Benno Lossin <benno.lossin@...ton.me>
> ---
> .../rust/safety-standard/examples.rst | 70 +++++++++++++++++++
> Documentation/rust/safety-standard/index.rst | 23 ++++--
> 2 files changed, 86 insertions(+), 7 deletions(-)
> create mode 100644 Documentation/rust/safety-standard/examples.rst
>
> diff --git a/Documentation/rust/safety-standard/examples.rst b/Documentation/rust/safety-standard/examples.rst
> new file mode 100644
> index 000000000000..d66ef3f8954a
> --- /dev/null
> +++ b/Documentation/rust/safety-standard/examples.rst
> @@ -0,0 +1,70 @@
> +.. SPDX-License-Identifier: GPL-2.0
> +.. highlight:: rust
> +
> +Examples
> +========
> +
> +Unsound APIs
> +------------
> +
> +Simple Unsound Function
> +***********************
> +::
> +
> + struct Data {
> + a: usize,
> + }
> +
> + fn access_a(data: *mut Data) -> usize {
> + unsafe { (*data).a }
> + }
> +
> +One would normally call this function as follows, which does not trigger UB::
> +
> + fn main() {
> + let mut d = Data { a: 42 };
> + println!("{}", access_a(&mut d));
> + }
> +
> +However, a caller could also call it like this, which triggers UB using only safe code::
> +
> + fn main() {
> + println!("{}", access_a(core::ptr::null_mut()));
> + }
> +
> +And this would result in a dereference of a null pointer.
> +
> +
> +Sound ``unsafe`` Code
> +---------------------
> +
> +The Importance of the API Boundary
> +**********************************
> +
> +Is the following API sound?::
> +
> + fn foo(r: &mut u32) {
> + let ptr: *mut u32 = r;
> + let val;
> + unsafe {
> + val = *ptr;
> + *ptr = 0;
> + }
> + }
> +
> +It better be sound, but one could argue that it is unsound, since one could replace the ptr
> +initialization by ``ptr = core::ptr::null_mut()``::
> +
> + fn foo(r: &mut u32) {
> + let ptr: *mut u32 = core::ptr::null_mut();
> + let val;
> + unsafe {
> + val = *ptr;
> + *ptr = 0;
> + }
> + }
> +
> +But this modification is not allowed, since it goes beyond the API boundary of ``foo``. This way
> +any ``unsafe`` code that relies on surrounding safe code could be shown to be unsound. Instead one
> +should only consider safe code using the API, in this case, there is no way to make the code
> +incorrect, since a reference is always valid to dereference during its lifetime.
I find this paragraph a bit confusing. Maybe this can be clarified a bit further?
— Daniel
Powered by blists - more mailing lists