| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJ-ks9nHdPP+uO7fhedVYBKvifGgEMLcedoqUgNEcUDgfrenVQ@mail.gmail.com>
Date: Mon, 17 Mar 2025 11:01:13 -0400
From: Tamir Duberstein <tamird@...il.com>
To: Benno Lossin <benno.lossin@...ton.me>
Cc: Alice Ryhl <aliceryhl@...gle.com>, Danilo Krummrich <dakr@...nel.org>,
Andrew Ballance <andrewjballance@...il.com>, Miguel Ojeda <ojeda@...nel.org>,
Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>,
Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>,
Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>,
rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org
Subject: Re: [PATCH 1/2] rust: alloc: replace `Vec::set_len` with `inc_len`
On Mon, Mar 17, 2025 at 10:46 AM Benno Lossin <benno.lossin@...ton.me> wrote:
>
> On Mon Mar 17, 2025 at 12:25 PM CET, Tamir Duberstein wrote:
> > On Mon, Mar 17, 2025 at 6:48 AM Alice Ryhl <aliceryhl@...gle.com> wrote:
> >>
> >> On Mon, Mar 17, 2025 at 09:58:35AM +0000, Benno Lossin wrote:
> >> > On Sun Mar 16, 2025 at 11:32 PM CET, Tamir Duberstein wrote:
> >> > > Rename `set_len` to `inc_len` and simplify its safety contract.
> >> > > ---
> >> > > rust/kernel/alloc/kvec.rs | 19 +++++++++----------
> >> > > rust/kernel/str.rs | 2 +-
> >> > > rust/kernel/uaccess.rs | 2 +-
> >> > > 3 files changed, 11 insertions(+), 12 deletions(-)
> >> > >
> >> > > diff --git a/rust/kernel/alloc/kvec.rs b/rust/kernel/alloc/kvec.rs
> >> > > index ae9d072741ce..d43a1d609434 100644
> >> > > --- a/rust/kernel/alloc/kvec.rs
> >> > > +++ b/rust/kernel/alloc/kvec.rs
> >> > > @@ -183,17 +183,16 @@ pub fn len(&self) -> usize {
> >> > > self.len
> >> > > }
> >> > >
> >> > > - /// Forcefully sets `self.len` to `new_len`.
> >> > > + /// Increments `self.len` by `additional`.
> >> >
> >> > I would keep the "Forcefully".
> >
> > Why? Is it possible to set it any other way?
>
> Yeah when `truncate` and `resize` land. It conveys that this is a
> low-level operation.
It's also an unsafe function whose safety section mentions that the
memory must already be initialized. I don't think this word adds any
value.
>
> >> > > ///
> >> > > /// # Safety
> >> > > ///
> >> > > - /// - `new_len` must be less than or equal to [`Self::capacity`].
> >> > > - /// - If `new_len` is greater than `self.len`, all elements within the interval
> >> > > - /// [`self.len`,`new_len`) must be initialized.
> >> > > + /// - `self.len + additional` must be less than or equal to [`Self::capacity`].
> >> > > + /// - All elements within the interval [`self.len`,`self.len + additional`) must be initialized.
> >> > > #[inline]
> >> > > - pub unsafe fn set_len(&mut self, new_len: usize) {
> >> > > - debug_assert!(new_len <= self.capacity());
> >> > > - self.len = new_len;
> >> > > + pub unsafe fn inc_len(&mut self, additional: usize) {
> >> > > + debug_assert!(self.len() + additional <= self.capacity());
> >> >
> >> > What if this overflows? Do we always have overflow debugging on when
> >> > debug assertions are enabled? If yes, then this is fine.
> >>
> >> I don't think we do.
> >
> > Rearranged as
> >
> > debug_assert!(additional <= self.capacity() - self.len());
>
> LGTM
>
> > It should be impossible for this to underflow because capacity must be
> >>= len. Interestingly this isn't a documented invariant, but it is
> > relied upon by `spare_capacity_mut`.
>
> Oh yeah that should be an invariant. Feel free to open an issue or send
> a patch.
Will prepend a patch in this series.
Powered by blists - more mailing lists