| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <CAJ-ks9kXZDO-5utmQb2HLkxmxmQ-bg8jZ4FdvDatTj_79W2dMA@mail.gmail.com> Date: Mon, 17 Mar 2025 11:37:24 -0400 From: Tamir Duberstein <tamird@...il.com> To: Benno Lossin <benno.lossin@...ton.me> Cc: Danilo Krummrich <dakr@...nel.org>, Andrew Ballance <andrewjballance@...il.com>, Alice Ryhl <aliceryhl@...gle.com>, Miguel Ojeda <ojeda@...nel.org>, Alex Gaynor <alex.gaynor@...il.com>, Boqun Feng <boqun.feng@...il.com>, Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, Andreas Hindborg <a.hindborg@...nel.org>, Trevor Gross <tmgross@...ch.edu>, rust-for-linux@...r.kernel.org, linux-kernel@...r.kernel.org Subject: Re: [PATCH 2/2] rust: alloc: add `Vec::dec_len` On Mon, Mar 17, 2025 at 10:39 AM Benno Lossin <benno.lossin@...ton.me> wrote: > > On Mon Mar 17, 2025 at 12:34 PM CET, Tamir Duberstein wrote: > > On Mon, Mar 17, 2025 at 6:04 AM Benno Lossin <benno.lossin@...ton.me> wrote: > >> > >> On Sun Mar 16, 2025 at 11:32 PM CET, Tamir Duberstein wrote: > >> > Add `Vec::dec_len` that reduces the length of the receiver. This method > >> > is intended to be used from methods that remove elements from `Vec` such > >> > as `truncate`, `pop`, `remove`, and others. This method is intentionally > >> > not `pub`. > >> > >> I think it should be `pub`. Otherwise we're loosing functionality > >> compared to now. If one decides to give the raw pointer to some C API > >> that takes ownership of the pointer, then I want them to be able to call > >> `dec_len` manually. > > > > This is premature. It is trivial to make this function pub when the need arises. > > And it's trivial to do it now. If it's private now, someone will have to > change this in some random patch and it's annoying. It is my understanding that the kernel's policy is in general not to add API surface that doesn't have users. Rust-for-Linux of course often doesn't honor this by necessity, since many abstractions are needed before users (drivers) can be upstream. But in this case we can't even mention a specific use case - so as I mentioned on the previous reply, I am not comfortable putting my name on such an API. > >> > + /// > >> > + /// # Safety > >> > + /// > >> > + /// - `count` must be less than or equal to `self.len`. > >> > >> I also think that we should use saturating_sub instead and then not have > >> to worry about this. (It should still be documented in the function > >> though). That way this can also be a safe function. > > > > This doesn't seem better to me. I'd prefer to have more rather than > > fewer guardrails on such low-level operations. > > Your second sentence seems like an argument for making it safe? I think > it's a lot better as a safe function. The guardrail I was referring to is the requirement that the caller write a safety comment.
Powered by blists - more mailing lists