Introduce the unsafe_define_aref_type macro #938
Conversation
|
My goal with this PR is twofold: To make it easier to define rust wrappers in a sound way and to make it a bit easier to allow generating the rust wrapper using an annotation in the C header file if we want that. |
There was a problem hiding this comment.
On one hand it may make it a bit less readable at first glance to new readers, but the macro looks straightforward enough, and one can always use the generated docs or an IDE to get the "expanded" version again.
to make it a bit easier to allow generating the rust wrapper using an annotation in the C header file if we want that.
That is an interesting suggestion, are you thinking about something like...
/*
* ...
* same context as task->real_cred.
*/
__rust_aref_type(...)
struct cred {
atomic_t usage;
...
};? I imagine they would all go into a private module, and then we would use a re-export in the right place of the kernel crate to place it, right? Or do you have something else in mind?
I like that it would make both C and Rust sides more integrated, though it depends on how much we end up needing to put in the (...) (the less, the better -- in particular, if we need to write Rust syntax like pub struct there, instead of e.g. just the get_cred, put_cred symbols, it may look a bit too invasive).
Pretty much.
I think we only need |
bjorn3
force-pushed
the
aref_macro
branch
2 times, most recently
from
bc7048a to
0e8f976
Compare
Yeah, that matches exactly what I was thinking: by automatically deducing the type, we could get I also wondered about linking the __rust_aref_type(Credential)
struct cred { ... };
__rust_aref_get(Credential)
static inline const struct cred *get_cred(const struct cred *cred) { ... };
__rust_aref_put(Credential)
static inline void put_cred(const struct cred *_cred) { ... }; |
|
LGTM, by the way, though let's see what others think about the macro approach. Also, maybe later on when |
|
I really like the idea of having a macro for this. One concern that I have with this implementation is that it introduces another pattern for us to "search" for when looking for missing safety annotations. Without this patch, I can search for "unsafe {" or "unsafe impl", but with this patch I have some ad-hoc name. Could we try to find a reasonable way to introduce either "unsafe {" or "unsafe impl" in the macro call sites so that we can continue to straightforwardly find the spots where |
|
Prefixing the macro name with
I can add an |
| /// pub struct Credential(cred); | ||
| /// get = get_cred; | ||
| /// put = put_cred; | ||
| /// } |
There was a problem hiding this comment.
maybe
inc = get_cred;
dec = put_cred;instead? For two reasons:
- the methods of
AlwaysRefCountedareinc_refanddec_ref, usingincanddecis more consistent getin Rust has a lightly different meaning, e.g.UnsafeCell::get
This macro generates a Rust wrapper for a C struct that is always reference counted and implements AlwaysRefCounted for it. Additionally it makes sure that UnsafeCell is used to avoid UB and adds relevant documentation. Signed-off-by: Björn Roy Baron <[email protected]>
|
Rebased and changed base branch from rust to rust-next, previous version is at 793aa0b. The only |
Signed-off-by: Björn Roy Baron <[email protected]>
ojeda
force-pushed
the
rust-next
branch
3 times, most recently
from
c9b5ce6 to
ce1c54f
Compare
ojeda
force-pushed
the
rust-next
branch
3 times, most recently
from
9ee7197 to
6ce162a
Compare
This macro generates a Rust wrapper for a C struct that is always reference counted and implements AlwaysRefCounted for it. Additionally it makes sure that UnsafeCell is used to avoid UB and adds relevant documentation.
Signed-off-by: Björn Roy Baron [email protected]