[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <CANiq72kYBvx9Wb-jEGqfUrpbzy8SQvcbjTmAytHZ=2_qx7c1pA@mail.gmail.com>
Date: Sun, 3 Aug 2025 19:44:44 +0200
From: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To: Jinheng LI <ahengljh@...il.com>
Cc: ojeda@...nel.org, rust-for-linux@...r.kernel.org,
linux-kernel@...r.kernel.org, alex.gaynor@...il.com, gary@...yguo.net,
bjorn3_gh@...tonmail.com, lossin@...nel.org, a.hindborg@...nel.org,
aliceryhl@...gle.com, tmgross@...ch.edu
Subject: Re: [PATCH] rust: kernel: add missing safety comments
On Sun, Aug 3, 2025 at 7:10 PM Jinheng LI <ahengljh@...il.com> wrote:
>
> From 5cba005b59a032fc80f818b393b7e4c36a460710 Mon Sep 17 00:00:00 2001
> From: Jinheng Li <ahengljh@...il.com>
> Date: Mon, 4 Aug 2025 00:56:11 +0800
> Subject: [PATCH] rust: kernel: add missing safety comments
This is supposed to be used by e.g. Git `send-email` to craft the
email, rather than being sent in the body.
> Add safety documentation for unsafe functions that were missing proper
> SAFETY comments. This improves code maintainability and helps
> developers understand the safety requirements.
>
> - str.rs: Document safety requirements for as_str_unchecked()
> - list.rs: Document safety requirements for remove() method
>
> These functions had TODO markers for safety documentation that are
> now properly filled in with clear explanations of the invariants
> and caller responsibilities.
These paragraphs all sound as if we are documenting the safety
requirements of the outer function. However, `// SAFETY: ...` comments
are meant to explain how we satisfy the safety requirements of the
functions etc. used within the `unsafe` block that follows.
Also, to avoid confusion, we normally use the word "documentation" for
the `///` ones, i.e. things that are meant for users of APIs.
So I think the commit message is a bit confusing.
The contents are also a bit strange, e.g.:
> + // Since `CStr` is guaranteed to contain no interior null
> bytes (by its invariants),
> + // and we're excluding the trailing null byte via
> `as_bytes()`, the resulting slice
> + // is valid for `from_utf8_unchecked`.
`from_utf8_unchecked`'s requirements are just that "The bytes passed
in must be valid UTF-8.". Why does the NUL matter here?
Thanks!
Cheers,
Miguel
Powered by blists - more mailing lists