Message-ID: <CANiq72=Vd=Rwi6Mr2vgEZHz+iZ=-cYHxEXvsgJnpA2uqd2tUtg@mail.gmail.com>
Date: Thu, 8 Jan 2026 11:46:30 +0100
From: Miguel Ojeda <miguel.ojeda.sandonis@...il.com>
To: pengfuyuan <pengfuyuan@...inos.cn>
Cc: Greg Kroah-Hartman <gregkh@...uxfoundation.org>, "Rafael J . Wysocki" <rafael@...nel.org>, 
	Danilo Krummrich <dakr@...nel.org>, Miguel Ojeda <ojeda@...nel.org>, Boqun Feng <boqun.feng@...il.com>, 
	Gary Guo <gary@...yguo.net>, Björn Roy Baron <bjorn3_gh@...tonmail.com>, 
	Benno Lossin <lossin@...nel.org>, Andreas Hindborg <a.hindborg@...nel.org>, 
	Alice Ryhl <aliceryhl@...gle.com>, Trevor Gross <tmgross@...ch.edu>, rust-for-linux@...r.kernel.org, 
	linux-kernel@...r.kernel.org
Subject: Re: [PATCH] rust: device: add platdata accessors

On Thu, Jan 8, 2026 at 9:56 AM pengfuyuan <pengfuyuan@...inos.cn> wrote:
>
> +    /// # Type Safety
> +    ///
> +    /// This function does not perform runtime type checking. The caller must ensure that the
> +    /// platform data structure actually matches the type `T` for the specific platform device.
> +    /// Incorrect type usage will result in undefined behavior.
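Review bot: the `# Type Safety` header in this doc comment should be `# Safety`, the rustdoc section that lists the preconditions of an `unsafe fn`; there is no separate "kind" of safety to name. The closing sentence "Incorrect type usage will result in undefined behavior." can be dropped, since violating any `# Safety` precondition is UB by definition. A shorter form would be `/// # Safety`, `///`, `/// `T` must match the type of the platform data registered for this device.`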

I didn't check the code, but I noticed this header -- why "Type Safety"?

The standard header we use for this is "Safety", i.e. we don't specify
"kinds of safety" (as soon as you break one "kind" you could in
principle break everything, so it is either unsafe or not).

Also, we generally try to be concise in these, e.g. the
precondition/paragraph could perhaps be reworded like:

    /// The type `T` must match the type of ...

It is always the case that there is UB if the preconditions of a
"Safety" section are not upheld, so there is no need to remark that
either.

> +        // - The caller must ensure that the platform data structure matches type `T`.
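Review bot: this `// SAFETY:` comment restates the precondition ("The caller must ensure ...") instead of discharging it; at an `unsafe` call site the comment has to say why the precondition holds at that point. If the enclosing function is itself `unsafe` and forwards the requirement, `// SAFETY: The caller promises that the platform data is of type `T`.` is the usual wording.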

I would expect this wording in a "Safety" section, not in a `//
SAFETY:` comment.

i.e. the safety precondition is there, but in this comment you need to
justify why the caller has ensured it, not that they "must" do it.
Does that make sense?

Instead, you can say e.g. "The caller ensures" or similar (we use
several ways of saying it, which eventually we could normalize). You
may even see sometimes an explicit "// SAFETY: By the safety
precondition, ...", but for this kind "The caller promises" or similar
is already understood like that.

Thanks!

Cheers,
Miguel
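The convention discussed in this thread, as an added Rust example that is not part of the patch or of the kernel tree: a `# Safety` section on the `unsafe fn` states the precondition, and the `// SAFETY:` comment at each call site explains why it holds there rather than repeating that it must. The `PlatformDevice`, `UartPlatdata` and accessor names are hypothetical stand-ins, and the checked accessor is added only to contrast with the unchecked one the patch describes.

```rust
// Added example (not from the patch or the kernel tree): a hypothetical
// stand-in for a platform device carrying type-erased platform data.
use std::any::TypeId;

pub struct PlatformDevice {
    /// Type-erased pointer to the driver-provided platform data.
    platdata: *const (),
    /// Recorded only so the checked accessor below can verify the type.
    platdata_type: TypeId,
}

impl PlatformDevice {
    pub fn new<T: 'static>(data: &'static T) -> Self {
        Self { platdata: data as *const T as *const (), platdata_type: TypeId::of::<T>() }
    }

    /// Returns a reference to the platform data as `T`.
    ///
    /// # Safety
    ///
    /// `T` must match the type of the platform data this device was created with.
    pub unsafe fn platdata<T>(&self) -> &T {
        // SAFETY: The caller promises that the platform data is of type `T`, and
        // `platdata` points to a `'static` value, so it outlives `&self`.
        unsafe { &*(self.platdata as *const T) }
    }

    /// Checked alternative: a safe fn needs no `# Safety` section, because the
    /// precondition is verified at runtime instead of delegated to the caller.
    pub fn platdata_checked<T: 'static>(&self) -> Option<&T> {
        if self.platdata_type != TypeId::of::<T>() {
            return None;
        }
        // SAFETY: The `TypeId` comparison above guarantees the data is a `T`.
        Some(unsafe { &*(self.platdata as *const T) })
    }
}

/// Constructed sample platform data for a hypothetical UART device.
pub struct UartPlatdata { pub clock_hz: u32 }
static UART_DATA: UartPlatdata = UartPlatdata { clock_hz: 48_000_000 };

pub fn uart_device() -> PlatformDevice {
    PlatformDevice::new(&UART_DATA)
}

pub fn uart_clock_hz() -> u32 {
    let dev = uart_device();
    // SAFETY: `dev` was created just above from `UART_DATA`, a `UartPlatdata`.
    unsafe { dev.platdata::<UartPlatdata>() }.clock_hz
}
```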
