[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CAH5fLghN8L4cJsRuH-eqU4E5GaTJRUhw0cAStjHAj1RNJA-vhg@mail.gmail.com>
Date: Tue, 30 Jul 2024 19:50:01 +0200
From: Alice Ryhl <aliceryhl@...gle.com>
To: Benno Lossin <benno.lossin@...ton.me>
Cc: Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>,
Wedson Almeida Filho <wedsonaf@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>,
Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...sung.com>, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: implement ForeignOwnable for Pin<Box<T>>
On Tue, Jul 30, 2024 at 7:14 PM Benno Lossin <benno.lossin@...ton.me> wrote:
>
> On 30.07.24 15:06, Alice Ryhl wrote:
> > @@ -89,6 +90,32 @@ unsafe fn from_foreign(ptr: *const core::ffi::c_void) -> Self {
> > }
> > }
> >
> > +impl<T: 'static> ForeignOwnable for Pin<Box<T>> {
> > + type Borrowed<'a> = Pin<&'a T>;
> > +
> > + fn into_foreign(self) -> *const core::ffi::c_void {
> > + // SAFETY: We are still treating the box as pinned.
>
> I don't think that we have the guarantee that the pointee at the pointer
> that is returned by `into_foreign` is not moved.
That doesn't seem like the kind of thing we need a guarantee for.
Rather, unless we give anyone a guarantee that dereferencing it is
okay, it seems reasonable to assume that it won't be dereferenced.
Right now, it's just an opaque pointer, so C really shouldn't be
touching it. We already implement the trait for Arc which is also
pinned and also doesn't even point at a value of type T.
> AFAIU `ForeignOwnable` is used to store these pointers in C structures
> and never to actually access the value behind the returned pointer. So
> we could add the requirement to `into_foreign` (thus making it `unsafe`)
> that the pointer should not be dereferenced/used aside from `borrow` and
> `from_foreign`. Otherwise I don't see how the call below can be OK.
> What do you think?
Dereferencing the void pointer is unsafe in itself, so I don't see why
`into_foreign` has to be unsafe too.
Alice
Powered by blists - more mailing lists